[isapros] Re: SMTP Filter

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 27 Feb 2008 09:03:53 -0600

Are the remote mail relays the customer's? 

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Wednesday, February 27, 2008 8:57 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SMTP Filter 
> 
> e.g. Remote Mail Relays => Internet => Internal Unix Mail 
> Relays => ISA => Exchange
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: 27 February 2008 14:51
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SMTP Filter
> 
> It forces the Unix relays to queue all subsequent email once 
> it happens. Hence they get backlogs on the mail relays...
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: 27 February 2008 14:49
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SMTP Filter
> 
> Hi Jason,
> 
> What I don't get is why they care if some spammer's computer gets its
> queue loaded up when it tries to send spam to their Exchange Server
> behind the ISA Firewall.
> 
> What am I missing here?
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > Sent: Wednesday, February 27, 2008 8:45 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SMTP Filter
> >
> > They won't allow me to disable the SMTP filter at this time
> > as they are not sure if the Unix servers can provide the same
> > level of application-level protection, how ironic :)
> >
> > I get alerts in the monitoring section of the ISA console
> > when it happens - from what I understand the CR CR . CR CR is
> > contained within the message body of rogue (spam) messages.
> >
> > If ISA doesn't respond with the SMTP error code, I guess this
> > must be Exchange - but surely ISA had prevented this connection???
> >
> > I have tested it manually or personally...if you want more
> > details the guy has posted on some sendmail forums here:
> > http://www.webservertalk.com/message2285500.html
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: 27 February 2008 14:18
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: SMTP Filter
> >
> > You've directly connected to the SMTP server via ISA and manually
> > entered the character sequence to verify this?  With the SMTP filter
> > applied, I don't get this error.  Further, like I said last time, you
> > don't get SMTP error messages when the filter trigger terminates the
> > connection - it just terminates.
> >
> > But I'm assuming you've disabled the SMTP filter and everything works?
> >
> > t
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Wednesday, February 27, 2008 3:08 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SMTP Filter
> > >
> > > Feedback:
> > >
> > > "Absolutely.  And that's why "<CR>.<CR>" should just be passed straight
> > > through like any other random sequence of characters, and not cause the
> > > session to abort with a "Syntax error" ..."
> > >
> > > Let me know if this is pushing the boundaries of the mailing list and I
> > > will get them to log a PSS call. If not, keep posting!
> > >
> > > Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202 360489
> > > | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx
> > >
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: 26 February 2008 22:55
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SMTP Filter
> > >
> > > Tell them I said to read RFC 2821:
> > > http://rfc.net/rfc2821.html#s4.1.1.4
> > > <quote>
> > > The mail data is terminated by a line containing only a period, that
> > >    is, the character sequence "<CRLF>.<CRLF>"
> > > </quote>
> > >
> > > They didn't say "something almost, but not quite totally unlike
> > > <CRLF>.<CRLF>".
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Tuesday, February 26, 2008 1:02 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SMTP Filter
> > >
> > > Guys,
> > >
> > > Here's more background below. From what I can tell the only way to
> > > prevent this is to disable the SMTP filter for the publishing rule that
> > > provides access from the Unix mail relays to Exchange. I was hoping for
> > > something a little more granular but can't see how to do this in the
> > > GUI.
> > >
> > > Cheers
> > >
> > > JJ
> > >
> > > -------
> > > If Unix forwards a message to ISA / Exchange terminated with "CR CR .
> > > CR CR" the ISA SMTP filter drops the connection and returns a 421
> > > 5.5.2 error (rather than dropping/rejecting the message); this causes
> > > the mail queues on the Unix servers to back up.
> > >
> > > Is it possible to change the status code ISA returns to a more
> > > appropriate code, or otherwise ignore this check?
> > >
> > > The email below explains in a bit more detail.
> > >
> > > Okay, so it's ISA not Exchange, but ...
> > >
> > > We are getting messages stuck in our queues on their way into Exchange.
> > > The ISA server replies with
> > >
> > > 421 5.5.2 Syntax error (invalid DATA termination)
> > >
> > > and the messages are held with
> > >
> > > xxx@xxxxxx Deferred: 421 5.5.2 Syntax error (invalid DATA termination)
> > >
> > > This is a problem, since it is interpreted as a temporary server
> > > failure and a request to try again later, effectively blocking all
> > > further mail to that server on that queue run, and leaving a backlog
> > > of messages in the queue.
> > >
> > > Now the Microsoft site says that means
> > >
> > > "SMTP filter encountered an invalid DATA terminator Some character
> > > combinations in DATA may pose a security risk. The connection has been
> > > terminated.
> > > SMTP filter event
> > > Invalid DATA termination"
> > >
> > > And it appears the cause is the occurrence of
> > >
> > > CR CR . CR CR
> > >
> > > in the message, accepted and passed on by our sendmail-based relays.
> > > It appears that ISA will not accept this, and returns a 421 response,
> > > meaning try again later.  This seems wrong, since it is not a temporary
> > > failure, and the message will never be delivered. Surely the correct
> > > thing to do is either accept the message, or reject it with a permanent
> > > failure so that the sender can be notified.
> > >
> > > Is there any way to disable or modify this behaviour within ISA?
> > >
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: 26 February 2008 17:58
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: SMTP Filter
> > >
> > > What - you want to add the \r\r.\r\r in the filter definitions?
> > > Is this sequence sent with or without actual mail content?
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx
> > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> > > Sent: Tuesday, February 26, 2008 9:37 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] SMTP Filter
> > >
> > > Hi,
> > >
> > > Is there any way to modify the ISA SMTP filter behaviour outside of the
> > > GUI?
> > >
> > > We have a customer who is getting a weird error from the SMTP filter
> > > when the *data* portion contains "CR CR . CR CR". The problem is that
> > > instead of rejecting the connection, as I would have expected, the
> > > filter returns a 421 error, which essentially means "syntax error
> > > (invalid data termination), try again later" causing a backlog on the
> > > upstream SMTP server.
> > >
> > > I am guessing this is a log with PSS job to determine if the behaviour
> > > is a bug, or by design...just wondered if anyone had any similar
> > > experiences or thoughts?
> > >
> > > Cheers
> > >
> > > JJ
> > >
> > >
> > >
> > >   ________________________________
> > > This email and any files transmitted with it are confidential and
> > > intended solely for the use of the individual to whom it is addressed.
> > > If you have received this email in error, or if you believe this email
> > > is unsolicited and wish to be removed from any future mailings, please
> > > contact our Support Desk immediately on 01202 360360 or email
> > > helpdesk@xxxxxxxxxxxxxxxxx
> > >
> > > If this email contains a quotation then unless otherwise stated it is
> > > valid for 7 days and offered subject to Silversands Professional
> > > Services Terms and Conditions, a copy of which is available on request.
> > > Any pricing information, design information or information concerning
> > > specific Silversands' staff contained in this email is considered
> > > confidential or of commercial interest and exempt from the Freedom of
> > > Information Act 2000.
> > >
> > > Any view or opinions presented are solely those of the author and do
> > > not necessarily represent those of Silversands
> > >
> > > Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> > > Company Registration Number : 2141393.
> > >
> 
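
Added example, not part of the thread and not ISA or sendmail code: strict RFC 2821 end-of-data detection, a check for the dot-line look-alikes discussed above, and a model of how the reply class (421 versus a permanent 5yz) affects the sending relay's queue run. The policy names, the 554 reply text and the sample queue are assumptions made for the illustration.

```python
import re

EOD = b"\r\n.\r\n"  # the only end-of-data marker RFC 2821 4.1.1.4 defines
# A lone "." delimited by CR, LF or CRLF; anything other than EOD is a look-alike.
DOT_LINE = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")

def split_data(stream):
    """Split at the first real <CRLF>.<CRLF>; None if no terminator has arrived."""
    i = stream.find(EOD)
    return None if i < 0 else (stream[:i + 2], stream[i + len(EOD):])

def lookalikes(body):
    """Offsets of dot lines that are not delimited by CRLF on both sides."""
    return [m.start() for m in DOT_LINE.finditer(body) if m.group() != EOD]

def reply_for(body, policy):
    """policy: 'accept', 'reject' (permanent) or 'defer' (the 421 quoted in the thread)."""
    if policy == "accept" or not lookalikes(body):
        return "250 2.0.0 OK"
    if policy == "reject":
        return "554 5.6.0 Invalid line endings in message"  # constructed reply text
    return "421 5.5.2 Syntax error (invalid DATA termination)"

def queue_run(queue, policy):
    """Sending relay as the thread describes it: 4yz defers the message and stops
    delivery to this host for the run; 5yz bounces it and the run continues."""
    delivered, bounced = [], []
    for n, (msg_id, body) in enumerate(queue):
        klass = reply_for(body, policy)[0]
        if klass == "4":
            return delivered, bounced, [m for m, _ in queue[n:]]
        (delivered if klass == "2" else bounced).append(msg_id)
    return delivered, bounced, []

# Constructed sample queue; m2 carries the CR CR . CR CR sequence from the thread.
QUEUE = [("m1", b"Subject: a\r\n\r\nhello\r\n"),
         ("m2", b"Subject: b\r\n\r\noffer\r\r.\r\rmore\r\n"),
         ("m3", b"Subject: c\r\n\r\nworld\r\n")]

if __name__ == "__main__":
    for policy in ("defer", "reject", "accept"):
        print(policy, queue_run(QUEUE, policy))
```

With the 421 policy the clean message m3 is held behind m2 on every run, which is the backlog reported in the thread; with a permanent reply only m2 is bounced.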
