Sophos Email Appliance: High number of spam, or false-positives, when using an ISA mail publishing rule

  • Article ID: 112947
  • Updated: 09 Feb 2011

Symptoms

When using a Microsoft ISA firewall to publish the email appliance for SMTP traffic, you may experience a higher number of spam messages than expected. Also, you may notice false-positive detections by the Sender Genotype (IP reputation) service.

NOTE: This issue may affect other firewalls, depending on their configuration. Please contact your firewall vendor for details.

Known to apply to the following Sophos product(s) and version(s)

Sophos Email Appliance

Cause

The ISA SMTP publishing rule can modify both the TCP connection and the information in the Received headers. This prevents the Sender Genotype Service from checking the sender's IP address correctly.

This happens when the SMTP publishing rule has the following setting enabled:

'Requests appear to come from the ISA server computer'


What to do

Overview

This issue occurs because Sender Genotype tries to ascertain the 'First Unknown Relay' I.P. address in order to determine its reputation. The First Unknown Relay I.P. address should always be the I.P. of the sending mail server.

Sender Genotype Connection Level Blocking

Normally, when an SMTP connection is initiated, the connecting relay is the sender's I.P. address. However, the ISA can be configured to modify the connection so that it appears to originate from the ISA server.

In this scenario, connection level blocking is not possible.

Sender Genotype Policy Level Blocking

If policy level blocking is enabled, or if connection level blocking fails, we will receive the message and then analyze the headers to determine the 'First Unknown Relay'.

Consider this correct Received Header:

Received: from test (mailserver.sender.tld [1.1.1.1]) by ESA.domain.tld (Sophos Email Appliance) with ESMTP id 2A7DC1F2488F_CF3CC27F for <administrator@domain.tld>; Mon, 29 Nov 2010 15:51:57 +0000 (GMT)

When the appliance receives the message we will scan the I.P. address 1.1.1.1 as the 'First Unknown Relay' address. This is correct, because in this example 1.1.1.1 was the sender of the message.

Now, consider the same Received header when the message has passed through an ISA:

Received: from test (unknown [192.168.1.254]) by ESA.domain.tld (Sophos Email Appliance) with SMTP id F31151F248BA_CF3CB8EF for <administrator@domain.tld>; Mon, 29 Nov 2010 15:49:18 +0000 (GMT)

In this example, the ISA has replaced the I.P. of the sending mail server with its own I.P. address, 192.168.1.254.

As the ISA server in this scenario is using a private I.P. address, we will continue looking through the Received chain for the First Unknown Relay. This can cause the appliance to reject legitimate mail. For example, we could choose a dynamically assigned I.P. address further down the chain as the First Unknown Relay and therefore reject the message as coming from a suspicious sender.
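The following added example (not part of the original article or the appliance's own code) walks a Received chain the way the text describes, skipping private relay addresses, and shows how the rewritten ISA header causes the walk to land on a later hop. The two appliance headers are the ones quoted above; the earlier hop with the address 203.0.113.7 is constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 1918 and other non-routable ranges: none of these can be the
# public address of the sending mail server.
PRIVATE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# The relay address is the bracketed literal in the "from" clause,
# e.g. "(mailserver.sender.tld [1.1.1.1])" or "(unknown [192.168.1.254])".
RELAY_IP = re.compile(r"^Received:\s+from\s+\S+\s+\([^\[\]]*\[([0-9.]+)\]\)")

def relay_ip(header):
    """Return the connecting relay's IP from one Received header, or None."""
    m = RELAY_IP.match(header)
    return m.group(1) if m else None

def is_private(ip):
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def first_unknown_relay(received_headers):
    """Walk the chain (hop nearest the appliance first) and return the first
    relay IP that is not private; that is the address whose reputation is checked."""
    for hdr in received_headers:
        ip = relay_ip(hdr)
        if ip and not is_private(ip):
            return ip
    return None

def proxy_rewrote_connection(received_headers):
    """True when the hop nearest the appliance is a private address, i.e. a
    firewall or proxy replaced the real client address (the ISA symptom)."""
    ip = relay_ip(received_headers[0]) if received_headers else None
    return ip is not None and is_private(ip)

# Headers quoted in the article: the same message without and with the ISA rule.
DIRECT = ["Received: from test (mailserver.sender.tld [1.1.1.1]) by ESA.domain.tld "
          "(Sophos Email Appliance) with ESMTP id 2A7DC1F2488F_CF3CC27F "
          "for <administrator@domain.tld>; Mon, 29 Nov 2010 15:51:57 +0000 (GMT)"]
# Constructed earlier hop: the sending server's own Received line for an
# end user on a dynamically assigned address.
EARLIER_HOP = ("Received: from userpc (dsl-pool.example.net [203.0.113.7]) "
               "by mailserver.sender.tld with ESMTP; Mon, 29 Nov 2010 15:49:00 +0000")
VIA_ISA = ["Received: from test (unknown [192.168.1.254]) by ESA.domain.tld "
           "(Sophos Email Appliance) with SMTP id F31151F248BA_CF3CB8EF "
           "for <administrator@domain.tld>; Mon, 29 Nov 2010 15:49:18 +0000 (GMT)",
           EARLIER_HOP]
```

With the direct chain the walk stops at 1.1.1.1; with the ISA chain it skips 192.168.1.254 and returns the dynamic client address 203.0.113.7, which is the address that would then be reputation-checked.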


Conclusion

The Sender Genotype service does not work correctly (in either mode) when the ISA SMTP publishing rule has the following setting enabled:

'Requests appear to come from the ISA server computer'

Resolution

Configure the ISA SMTP publishing rule so that requests appear to come from the original client:

  • Open the Firewall Policy in ISA (usually within ‘Arrays > SERVERNAME > Firewall Policy’)
  • Find the SMTP Server publishing rule
  • Right-click this rule and select ‘Properties’
  • Go to the ‘To’ tab
  • There are two options here: (a) Requests appear to come from the ISA server computer (b) Requests appear to come from the original client
  • Set this to option (b) Requests appear to come from the original client
  • Remember to save and commit the changes

Please contact Microsoft for assistance with configuring your ISA server.

Further Information

For help with configuring the Sender Genotype Service, please see this article: KBA 112944 - Configuring the Sender Genotype Service

You can check the reputation of an I.P. address, and request that the I.P. be re-classified by using our online tool here: http://www.sophos.com/security/ip-lookup

For help with identifying why messages were rejected by the Sender Genotype Service, please see this article: KBA 112936 - Messages rejected due to Policy Rule: Sophos Blacklisted sender IP

If you need more information or guidance, then please contact technical support.