Re: SMTP Filter - HELP! (NOT config help)

Fantastic - once fixed I suspect this will make a great article! Please let me 
know what, if any, additional information you would like me to provide.

From what I have seen, it only appears to occur with the keywords. Attachment 
blocking always functions, as well as domain blocking. Of course, we do have 
more entries for keywords, so perhaps we have just not hit the limit with the 
attachment and domain blocking features.

Thanks again for your assistance!


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, December 10, 2002 7:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help)


http://www.ISAserver.org


Hi Edward,

There does appear to be a limit on the number of entries for the SMTP
Message Screener. I don't think its really a limit on the number of
entries, but a limit on the size of the regkey. Sean McCormick from
brainbuzz has clued me into this issue and we're trying to get it
cleared up. 

HTH,
Tom

-----Original Message-----
From: Edward Sullivan [mailto:esullivan@xxxxxxx] 
Sent: Tuesday, December 10, 2002 5:58 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help)


http://www.ISAserver.org


I do not think this is the cause. We do have a secondary MX in place in
DNS in case of emergencies, but there is no policy enabled via the
firewall to allow mail to pass and the IP address is not live either.

The only SMTP policy enabled on our firewall routes all inbound SMTP
traffic through the DMZ port of the firewall to the DMZ IP of the SMTP
server, which ISA is configured to see as the untrusted zone. From that
point the SMTP server relays to the primary Exchange server though the
internal trusted NIC.

I am double-checking all of the settings and policies to make sure
nothing has been missed, but there is only one way for email to get in,
and it is a tight fit at that! There are only two other servers with
firewall policies allowing traffic in, and neither of those have SMTP
installed (or policies allowing SMTP traffic)and there are NO servers
with real IP addresses assigned.

Any other ideas?





-----Original Message-----
From: Chris H [mailto:ntpro@xxxxxxxxxx]
Sent: Tuesday, December 10, 2002 5:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help)


http://www.ISAserver.org


I cannot speak to ISA server's problem, but having gone through this
with 2
other email packages I have found that almost always the mail is coming
in
from another route you are not filtering such as an old secondary MX
record
or another IIS server that you dont know has SMTP service running on it
or a
Proxy server with the SOCKS service open, etc. It took me a few weeks to
finally nail everything down  . . .
----- Original Message -----
From: Edward Sullivan
To: [ISAserver.org Discussion List]
Sent: Tuesday, December 10, 2002 6:16 PM
Subject: [isalist] SMTP Filter - HELP! (NOT config help)


http://www.ISAserver.org


We are running ISA and IIS SMTP on our perimeter email screener, and
using
the SMTP Filter to screen for:

Attachment types (.exe, .pif, .com, .vbs, .bat, and .scr)
Domains which we receive spam from (about 100 in the list)
Spam keywords (126 keywords in the list)

Any message that meets SMTP filter criteria is forwarded to a spam box
on
our primary Exchange Server.

This server is not our firewall - we are only using ISA for the email
filtering functionality. The server hardware is a Dell 2550 with 512MB
of
RAM, and a 2 GHZ XEON Processor. Dual NIC's, of course. To me, this
seems
like a well-sized server for the application.

My question is this - I have noticed that certain keywords are not being
filtered, and that messages that contain keywords are not being
forwarded to
our spam address, and are instead making it to our users. Is there an
effective limit to the number of keywords ISA can handle, or is there a
misconfiguration somewhere? Has anyone else seen this behavior, and
found a
way to correct it? A bug in ISA perhaps? (Heaven forbid!)

Thanks in advance for your responses!
Ed Sullivan
Director of Information Services
esullivan@xxxxxxx <mailto:esullivan@xxxxxxx>
KMA Direct Communications
Confidential and Proprietary

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
ntpro@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
esullivan@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
esullivan@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


Other related posts: