NDR Bounce/backscatter messages still come through

So I've enabled the NDR bounce option on the ES1100, yet thousands of bounce messages from dynamic IPs are still getting through to one particular email box.  The appliance is updated to the latest OS and both "Enable Bounce Address Tag Verification (BATV)" and "Treat all auto-responders identified by SophosLabs as bounces" are checked.

thx

Michael

  • Hi Michael,

    On your ES1100, are you using our Sender Genotype service at the MTA or policy level? There is a checkbox in that same section that can detect dynamic addresses. 

    There are several options that you can take; my first suggestion is to ask the end user for the complete message and forward it to our labs for investigation.  Send the message to is-spam@sophos.com.

    The other suggestion is to contact our technical support team and they will be more than happy to assist in helping resolve this problem.

    -Jason

  • Hi Michael,

    As well as Jason's suggestion, I'd also recommend checking 'Search > Mail Logs'.  This will tell you if the message triggered another policy causing it to be delivered before reaching the Bounce rule.

    If you can't find the message in 'Mail Logs' it may be that the messages are arriving by another method - perhaps bypassing the appliance via a second entry in your MX record?  You can always check the message headers to confirm how the NDR arrived.

    Again, technical support will be happy to check your policy configuration and a sample of the message will definitely help them.

    Best of luck,

    Tom.

  • Thanks for the responses.

    This is definitely coming into the appliance.  There are no logs associated with these NDRs.  As you can see below, the ES1100 is generating the NDR message.  These come about 10 a minute to just the one email address and nothing I can do will block the NDR.  I can't even block emails from "MAILER-DAEMON@es1100email.XXXXXXXX.local"; the messages still come through.  I've created a rule in Outlook to permanently delete the messages as my workaround.

    To Jason, this is how the filtering options are set in the ES1100, and I had already submitted the below message to is-spam@sophos.com.

    Sender Genotype service
    The Sender Genotype service provided by Sophos performs IP reputation filtering of known bad senders as well as proactive IP connection control for detecting and blocking dynamic, spambots, and other suspicious hosts.
    Enable connection-level blocking of mail from known bad senders (Recommended) SELECTED
    Enable policy-level blocking of mail from known bad senders
    Disable blocking of mail from known bad senders
    Enable proactive IP connection control for blocking suspicious hosts CHECKED
    Recipient validation 
    Via downstream SMTP look-ahead CHECKED
    Perimeter Protection
    Enable Denial of Service and Directory Harvest Attack protection CHECKED
    Block mail from non-existent domains CHECKED

    From: Mail Delivery System [mailto:MAILER-DAEMON@es1100email.XXXXXXXX.local]
    Sent: Friday, June 10, 2011 8:04 AM
    To: Chemoffice
    Subject: Undeliverable: blpzr£¬¢ß2011 ×î ¸ø Á¦ ÍÆ ¼ö>Ѹ ËÙ ³É Ϊ ÀÏ °å µÄ ×ó °ò ÓÒ ±Ûx5g1kuqrz

    Delivery has failed to these recipients or distribution lists:

    0535it@163.com
    Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

    55062856@163.com
    Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

    blpzr@163.com
    Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

    changjiang_aaaa@163.com
    Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

    cocenter@163.com
    Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

    brunoassoc@aol.com
    Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

    axym@bd.user.he.cninfo.net
    Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

    askinner@nicusa.com
    Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

    judithy1980@sina.com
    Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

    The following organization rejected your message: 10.0.1.250.

    Diagnostic information for administrators:

    Generating server: es1100email.XXXXXXXX.local

    0535it@163.com
    10.0.1.250 #<10.0.1.250 #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

    55062856@163.com
    10.0.1.250 #<10.0.1.250 #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

    blpzr@163.com
    10.0.1.250 #<10.0.1.250 #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

    changjiang_aaaa@163.com
    10.0.1.250 #<10.0.1.250 #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

    cocenter@163.com
    10.0.1.250 #<10.0.1.250 #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

    brunoassoc@aol.com
    10.0.1.250 #<10.0.1.250 #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

    axym@bd.user.he.cninfo.net
    10.0.1.250 #<10.0.1.250 #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

    askinner@nicusa.com
    10.0.1.250 #<10.0.1.250 #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

    judithy1980@sina.com
    10.0.1.250 #<10.0.1.250 #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

    Original message headers:

    Received: from es1100email.XXXXXXX.local (localhost.localdomain [127.0.0.1])
                by localhost (Email Security Appliance) with SMTP id 057BF1472124_DF23290B;
                Fri, 10 Jun 2011 15:04:48 +0000 (GMT)
    X-Sophos-ESA-SMTPD-Auth-On: authentication enabled
    X-Sophos-ESA-External-Sender: external sender
    X-Sophos-ESA-SMTPD-Auth-On: authentication enabled
    X-Sophos-ESA-External-Sender: external sender
    X-Sophos-ESA-SMTPD-Auth-On: authentication enabled
    X-Sophos-ESA-External-Sender: external sender
    X-Sophos-ESA-SMTPD-Auth-On: authentication enabled
    X-Sophos-ESA-External-Sender: external sender
    X-Sophos-ESA-SMTPD-Auth-On: authentication enabled
    X-Sophos-ESA-External-Sender: external sender
    X-Sophos-ESA-SMTPD-Auth-On: authentication enabled
    X-Sophos-ESA-External-Sender: external sender
    X-Sophos-ESA-SMTPD-Auth-On: authentication enabled
    X-Sophos-ESA-External-Sender: external sender
    X-Sophos-ESA-SMTPD-Auth-On: authentication enabled
    X-Sophos-ESA-External-Sender: external sender
    X-Sophos-ESA-SMTPD-Auth-On: authentication enabled
    X-Sophos-ESA-External-Sender: external sender
    Received: from by (unknown [222.246.72.242])
                by es1100email.XXXXXXXX.local (Sophos Email Appliance) with ESMTP id 273BA147111E_DF23283F;
                Fri, 10 Jun 2011 15:04:34 +0000 (GMT)
    Message-ID: <D013517CE1D952421E9678155AD1EFDC@by>
    From: =?gb2312?B?zMbcsLvb?= <chemoffice@chemithon.com>
    To:
    Subject: =?gb2312?B?YmxwenKjrKLfMjAxMSDX7iC4+CDBpiDNxiA=?=
                =?gb2312?B?vPY+0bggy9kgs8kgzqogwM8gsOUgtcQg1/MgsPIg?=
                =?gb2312?B?09Igsdt4NWcxa3Vxcno=?=
    Date: Fri, 10 Jun 2011 23:04:32 +0800
    MIME-Version: 1.0
    Content-Type: text/plain
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.5512
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
    X-SEA-Spam: Gauge=XXXXXXXXXX, Probability=100%, Report='
     KNOWN_SPAM_EXCELSIG 8, LIKELY_CHINESE_SPAM 4, TO_EMPTY 2.0, HTML_FONT_INVISIBLE 1.0, CHINESE_MSG_SUBJECT_ENDS_IN_ALPHANUMERIC 0.5, HTML_70_90 0.1, HTML_NO_HTTP 0.1, BODYTEXTH_SIZE_10000_LESS 0, BODY_SIZE_10000_PLUS 0, FORGED_MUA_OUTLOOK 0, INVALID_MSGID_NO_FQDN 0, LOCALE_CHINESE 0, NO_URI_FOUND 0, USER_AGENT_OE 0, XLS_ATTACHED 0, __CHAR_CHINESE_SUBJ 0, __CHINESE_SUBJECT 0, __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __CTYPE_MULTIPART_MIXED 0, __HAS_HTML 0, __HAS_MSGID 0, __HAS_MSMAIL_PRI 0, __HAS_X_MAILER 0, __HAS_X_PRIORITY 0, __HIGHBITS 0, __HTML_FONT_BLUE 0, __HTML_FONT_RED 0, __MIME_HTML 0, __MIME_VERSION 0, __OUTLOOK_MUA 0, __OUTLOOK_MUA_1 0, __PHISH_SPEAR_STRUCTURE_1 0, __RUS_SUBJ_UCASE_1251 0, __SANE_MSGID 0, __SUBJECT_ENDING_IN_LATIN_OR_NUMERALS 0, __SUBJ_HIGHBIT 0, __TAG_EXISTS_HTML 0, __USER_AGENT_MS_GENERIC 0'

  • Michael,

    Your configuration looks fine; please contact our support team and they can assist by logging remotely into your appliance for further investigation.  It looks like SMTP-Auth was used to send the original message. It would be nice to see the flow of the message, if possible the original message which seems to have triggered this problem.

    -Jason

  • Hi Michael, thanks for providing the NDR info.  It looks like the original message was probably spam (directed at external addresses).  The sender 222.246.72.242 connected to the SEA using SMTP authentication to send the message; this will override the IP blocking functionality.

    Support will be able to look at the logs in more detail remotely.  In the interim, there might be a couple of things you can try:

    - Reset the password for the user that is receiving the NDRs - it could be that their password has been cracked.

    - Disable SMTP Authentication on the SEA if you do not need it

    - Turn on your outbound Anti-Spam rules on the SEA.  This particular message was given a 100% spam score by the ESA but wasn't quarantined.  (NOTE: The message will be seen as outbound because of the SMTP authentication.)

    Hope this helps,

    Tom.

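Tom's two posts above boil down to one check: read the original-message headers quoted inside the NDR and see how the bounced message entered the mail flow. If the appliance's own hostname appears as the receiving host and the session was authenticated, the bounces are a symptom of mail being submitted through an account on the gateway, not of inbound backscatter that a bounce rule could stop. The script below is an added example written for this thread; it is not Sophos code and does not talk to the appliance. It reuses the header names shown in Michael's NDR (Received, X-Sophos-ESA-SMTPD-Auth-On); the hostnames, addresses and the second "foreign" sample are constructed, and the gateway name is a placeholder.

```python
"""Triage an NDR by walking the original-message headers it quotes.

Added example for this thread (not Sophos code). It distinguishes
inbound backscatter (a third-party MTA bounced mail that forged our
address) from bounces our own gateway produced for mail it accepted
from an authenticated client, which is the case Tom describes.
"""
import re
from email import message_from_string

OUR_GATEWAY = "es1100email.example.local"  # placeholder for the appliance FQDN

# Constructed sample, trimmed from the NDR posted in the thread.
SAMPLE_NDR = """\
From: Mail Delivery System <MAILER-DAEMON@es1100email.example.local>
To: chemoffice@example.com
Subject: Undeliverable: test

Delivery has failed to these recipients or distribution lists:

0535it@163.com
10.0.1.250 #<10.0.1.250 #5.7.1 smtp; 550 5.7.1 Unable to relay> #SMTP#

Original message headers:

Received: from es1100email.example.local (localhost.localdomain [127.0.0.1])
            by localhost (Email Security Appliance) with SMTP id 057BF1472124_DF23290B;
            Fri, 10 Jun 2011 15:04:48 +0000 (GMT)
X-Sophos-ESA-SMTPD-Auth-On: authentication enabled
X-Sophos-ESA-External-Sender: external sender
Received: from by (unknown [222.246.72.242])
            by es1100email.example.local (Sophos Email Appliance) with ESMTP id 273BA147111E_DF23283F;
            Fri, 10 Jun 2011 15:04:34 +0000 (GMT)
From: chemoffice@example.com
Date: Fri, 10 Jun 2011 23:04:32 +0800
"""

# Constructed sample of ordinary inbound backscatter: a foreign MTA bounced
# a message that forged our address; our gateway appears nowhere in the chain.
FOREIGN_NDR = """\
From: MAILER-DAEMON@mail.example.net
Subject: Undelivered Mail Returned to Sender

Original message headers:

Received: from spambot.example.org (unknown [203.0.113.9])
            by mail.example.net (Postfix) with ESMTP id ABC123;
            Fri, 10 Jun 2011 15:00:00 +0000
From: chemoffice@example.com
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def original_headers(ndr_text):
    """Parse the headers quoted after 'Original message headers:' (None if absent)."""
    marker = "Original message headers:"
    idx = ndr_text.find(marker)
    if idx < 0:
        return None
    return message_from_string(ndr_text[idx + len(marker):].lstrip())


def received_chain(msg):
    """Return (from_host, by_host, ip) per Received header, oldest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = re.match(r"from (\S+) .*?by (\S+)", flat)
        ip = RECEIVED_IP.search(flat)
        hops.append((m.group(1) if m else "?", m.group(2) if m else "?",
                     ip.group(1) if ip else None))
    return list(reversed(hops))  # headers are prepended, so reverse for chronological order


def submitting_ip(hops):
    """IP of the oldest hop that is not the appliance re-injecting to itself."""
    for _, _, ip in hops:
        if ip and not ip.startswith("127."):
            return ip
    return None


def classify_ndr(ndr_text, our_gateway=OUR_GATEWAY):
    """Summarise how the bounced message entered the mail flow."""
    msg = original_headers(ndr_text)
    if msg is None:
        return {"verdict": "no-original-headers", "hops": [], "submitter": None}
    hops = received_chain(msg)
    via_our_gateway = any(by == our_gateway for _, by, _ in hops)
    authenticated = any(v.strip().lower() == "authentication enabled"
                        for v in msg.get_all("X-Sophos-ESA-SMTPD-Auth-On", []))
    if not via_our_gateway:
        verdict = "inbound-backscatter"             # bounce rule / BATV territory
    elif authenticated:
        verdict = "local-authenticated-submission"  # check the account, not the bounce rule
    else:
        verdict = "local-unauthenticated"
    return {"verdict": verdict, "hops": hops, "submitter": submitting_ip(hops)}


if __name__ == "__main__":
    for name, text in (("thread NDR", SAMPLE_NDR), ("foreign NDR", FOREIGN_NDR)):
        r = classify_ndr(text)
        print(f"{name}: {r['verdict']} via {r['submitter']} ({len(r['hops'])} hops)")
```

Run against the thread's NDR the verdict is local-authenticated-submission with 222.246.72.242 as the submitting host, which is the signal that reset-the-password and outbound-policy steps apply; the foreign sample comes out as inbound-backscatter, the only case where the bounce rule and BATV would help. Real DSNs often carry the original headers in a message/rfc822 or text/rfc822-headers MIME part rather than as plain text, so adapt the marker search if your NDRs are structured that way.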
  • Hi Tom,

    I'll do your recommendations.

    Thanks

    Michael

  • btw, I had turned on the outbound rules prior to the original post but strangely it was not caught.

    -Michael
