Re: SMTP Filter - HELP! (NOT config help)

  • From: Memet Anwar <memet@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 10 Apr 2003 14:23:39 +0700

AFAIK, MS SMTP Server from IIS had quite extensive filtering hooks.

It is much the same as custom ISA filters, documented in the ISA SDK.

One of the relevant events of IIS/SMTP Server in your case might be the SMTP
OnArrival event. There are some examples of these on the web, including one
that filters messages based on keywords. Actually, I guess the message screener
might be implemented this way: as an IIS/SMTP Server event sink, and not
related to ISA.

>  -----Original Message-----
>  From: Brian Stone [mailto:brstephe@xxxxxxxxx] 
>  Sent: Thursday, April 10, 2003 7:28 AM
>  To: [ISAserver.org Discussion List]
>  Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help)

>  
>  I need a solution to stop spam from clogging users' inboxes.
>  I have two thoughts on this related to ISA and the SMTP 
>  filter and wondered if anyone would be willing to provide 
>  some feedback/suggestions/comments/etc.
>  
>  1. Is anyone running some mailserver on their ISA box to 
>  forward to internal domains other than MS's SMTP server from 
>  IIS?  Since many mailservers support the use of external 
>  files for filtering keywords and addresses, I wondered if 
>  anyone had tried this solution.
>  
>  2. Option would be to develop an import/export app for the 
>  SMTP filter that would allow users to import blacklist files 
>  into the filter config. 
>  I might be willing to take a crack at this, would anyone be 
>  willing to share the known registry keys related to the SMTP 
>  filter, where it holds its config, and the reg key size 
>  limits that you've encountered.
>  
>  Thanks -
>  Brian
>  
>  > Hi Edward,
>  > 
>  > Yes, it's the key words that seem to run out of space, although I
>  > don't know if anyone has entered enough addresses/domains to run up
>  > against it. Still trying to find out what registry key holds the key
>  > words. I've got the one that contains everything except the keywords!
>  > Arrgh. :-)
>  > 
>  > Thanks!
>  > Tom
>  > 
>  > -----Original Message-----
>  > From: Edward Sullivan [mailto:esullivan@xxxxxxx]
>  > Sent: Wednesday, December 11, 2002 9:33 AM
>  > To: [ISAserver.org Discussion List]
>  > Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help)
>  > 
>  > 
>  > http://www.ISAserver.org
>  > 
>  > 
>  > Fantastic - once fixed I suspect this will make a great article!
>  > Please let me know what, if any, additional information you would like
>  > me to provide.
>  > 
>  > From what I have seen, it only appears to occur with the keywords.
>  > Attachment blocking always functions, as well as domain blocking. Of
>  > course, we do have more entries for keywords, so perhaps we have just
>  > not hit the limit with the attachment and domain blocking features.
>  > 
>  > Thanks again for your assistance!
>  > 
>  > 
>  > -----Original Message-----
>  > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
>  > Sent: Tuesday, December 10, 2002 7:26 PM
>  > To: [ISAserver.org Discussion List]
>  > Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help)
>  > 
>  > 
>  > Hi Edward,
>  > 
>  > There does appear to be a limit on the number of entries for the SMTP
>  > Message Screener. I don't think it's really a limit on the number of
>  > entries, but a limit on the size of the regkey. Sean McCormick from
>  > brainbuzz has clued me into this issue and we're trying to get it
>  > cleared up.
>  > 
>  > HTH,
>  > Tom
>  > 
>  > -----Original Message-----
>  > From: Edward Sullivan [mailto:esullivan@xxxxxxx]
>  > Sent: Tuesday, December 10, 2002 5:58 PM
>  > To: [ISAserver.org Discussion List]
>  > Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help)
>  > 
>  > 
>  > I do not think this is the cause. We do have a secondary MX in place
>  > in DNS in case of emergencies, but there is no policy enabled via the
>  > firewall to allow mail to pass and the IP address is not live either.
>  > 
>  > The only SMTP policy enabled on our firewall routes all inbound SMTP
>  > traffic through the DMZ port of the firewall to the DMZ IP of the SMTP
>  > server, which ISA is configured to see as the untrusted zone. From
>  > that point the SMTP server relays to the primary Exchange server
>  > through the internal trusted NIC.
>  > 
>  > I am double-checking all of the settings and policies to make sure
>  > nothing has been missed, but there is only one way for email to get
>  > in, and it is a tight fit at that! There are only two other servers
>  > with firewall policies allowing traffic in, and neither of those have
>  > SMTP installed (or policies allowing SMTP traffic) and there are NO
>  > servers with real IP addresses assigned.
>  > 
>  > Any other ideas?
>  > 
>  > 
>  > 
>  > 
>  > 
>  > -----Original Message-----
>  > From: Chris H [mailto:ntpro@xxxxxxxxxx]
>  > Sent: Tuesday, December 10, 2002 5:24 PM
>  > To: [ISAserver.org Discussion List]
>  > Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help)
>  > 
>  > 
>  > I cannot speak to ISA server's problem, but having gone through this
>  > with 2 other email packages I have found that almost always the mail
>  > is coming in from another route you are not filtering such as an old
>  > secondary MX record or another IIS server that you don't know has SMTP
>  > service running on it or a Proxy server with the SOCKS service open,
>  > etc. It took me a few weeks to finally nail everything down  . . .
>  > ----- Original Message -----
>  > From: Edward Sullivan
>  > To: [ISAserver.org Discussion List]
>  > Sent: Tuesday, December 10, 2002 6:16 PM
>  > Subject: [isalist] SMTP Filter - HELP! (NOT config help)
>  > 
>  > 
>  > We are running ISA and IIS SMTP on our perimeter email screener, and
>  > using the SMTP Filter to screen for:
>  > 
>  > Attachment types (.exe, .pif, .com, .vbs, .bat, and .scr)
>  > Domains which we receive spam from (about 100 in the list)
>  > Spam keywords (126 keywords in the list)
>  > 
>  > Any message that meets SMTP filter criteria is forwarded to a spam box
>  > on our primary Exchange Server.
>  > 
>  > This server is not our firewall - we are only using ISA for the email
>  > filtering functionality. The server hardware is a Dell 2550 with 512MB
>  > of RAM, and a 2 GHZ XEON Processor. Dual NIC's, of course. To me, this
>  > seems like a well-sized server for the application.
>  > 
>  > My question is this - I have noticed that certain keywords are not
>  > being filtered, and that messages that contain keywords are not being
>  > forwarded to our spam address, and are instead making it to our users.
>  > Is there an effective limit to the number of keywords ISA can handle,
>  > or is there a misconfiguration somewhere? Has anyone else seen this
>  > behavior, and found a way to correct it? A bug in ISA perhaps?
>  > (Heaven forbid!)
>  > 
>  > Thanks in advance for your responses!
>  > Ed Sullivan
>  > Director of Information Services
>  > esullivan@xxxxxxx <mailto:esullivan@xxxxxxx>
>  > KMA Direct Communications
>  > Confidential and Proprietary
>  > 
>  > ------------------------------------------------------
>  > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>  > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>  > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>  > ------------------------------------------------------
>  > Exchange Server Resource Site: http://www.msexchange.org/
>  > Windows Security Resource Site: http://www.windowsecurity.com/
>  > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>  > ------------------------------------------------------
>  > You are currently subscribed to this ISAserver.org Discussion List as:
>  > ntpro@xxxxxxxxxx To unsubscribe send a blank email to
>  > $subst('Email.Unsub')
>  > 
>  
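
A keyword-screening OnArrival script sink of the kind the reply above describes, with the keyword list kept in an external file as the quoted message suggests. This is an added example, not code from the thread or from any poster; the file path and spam mailbox address are assumed values, and the script is assumed to be registered as an SMTP OnArrival script sink on the IIS SMTP virtual server.

```vbscript
<SCRIPT LANGUAGE="VBScript">
' Added example: keyword screening in an IIS SMTP OnArrival script sink.
' Assumed values (not from the thread): KEYWORD_FILE and SPAM_BOX.
Const KEYWORD_FILE = "C:\smtpfilter\keywords.txt"   ' one keyword per line
Const SPAM_BOX = "SMTP:spam@example.com;"           ' envelope recipient format
Const ENV_RCPT = "http://schemas.microsoft.com/cdo/smtpenvelope/recipientlist"
Const cdoRunNextSink = 0
Const cdoSkipRemainingSinks = 1

' Load the keyword list from a plain text file, so its size is not tied
' to a registry value. Blank lines are ignored; a missing file yields an
' empty list, which means every message passes unfiltered (fails open).
Function LoadKeywords(path)
    Dim fso, ts, line, list
    Set list = CreateObject("Scripting.Dictionary")
    Set fso = CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(path) Then
        Set ts = fso.OpenTextFile(path, 1)   ' 1 = ForReading
        Do Until ts.AtEndOfStream
            line = LCase(Trim(ts.ReadLine))
            If Len(line) > 0 Then list(line) = True
        Loop
        ts.Close
    End If
    Set LoadKeywords = list
End Function

' Called by the SMTP service for each arriving message.
Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus)
    Dim keywords, word, haystack, envFlds
    EventStatus = cdoRunNextSink             ' default: leave the message alone
    Set keywords = LoadKeywords(KEYWORD_FILE)
    haystack = LCase(Msg.Subject & vbCrLf & Msg.TextBody)
    For Each word In keywords.Keys
        If InStr(1, haystack, word, vbBinaryCompare) > 0 Then
            ' Rewrite the envelope so the message goes to the spam box only.
            Set envFlds = Msg.EnvelopeFields
            envFlds.Item(ENV_RCPT).Value = SPAM_BOX
            envFlds.Update
            EventStatus = cdoSkipRemainingSinks
            Exit For
        End If
    Next
End Sub
</SCRIPT>
```

The keyword file is read on every message here for simplicity; logging each match and the keyword count loaded makes it visible when the list is empty or shorter than expected.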

