Cisco ESA: skip bulkcheck based on Sender IP

When a trusted marketing company runs an internal email campaign on your behalf, its messages may get stuck in the IronPort Graymail filtering engine, especially if the company relies on a third party that sends these emails from a shared hosting environment.

Here is a message flagged as bulk. A closer look reveals that the “from” field does not match the sender domain: instead of loosegrip.net, the real sender domain is @.mcdlv.net. We can use this information as a sender in an Incoming Mail Policy to bypass the bulk filter, but if the domain changes you will have to track these messages again to update your policy, which is not very practical.

A better way to bypass the bulk check is by the sender's IP range; however, this is not possible in the GUI. Content filters can match on sender IP, but they run after the Graymail check, and mail flow policies do not have an option to disable Graymail.

The only place where we can bypass the bulk check is in message filters, configured from the CLI, thanks to the skip-bulkcheck option. The remote-ip value can be a range or a single IP. Take the following steps to configure this filter.

(esa)> filters

Choose the operation you want to perform:
- NEW - Create a new filter.
[]> new

Enter filter script. Enter '.' on its own line to end.

SkipBulkcheckFilter:
if remote-ip == "148.105.0.0/16"
{
skip-bulkcheck();
}
.

1 filters added.

Check the new filter.

[]> list

Num Active Valid Name
1 Y Y SkipBulkcheckFilter

[]> detail

Enter the filter name, number, or range:
[]> SkipBulkcheckFilter

Num Active Valid Name
1 Y Y SkipBulkcheckFilter
SkipBulkcheckFilter1: if remote-ip == "205.201.128.0/20" {
skip-bulkcheck();
}

If something is not right, use the delete command to remove the filter.

Choose the operation you want to perform:
[]> delete

Enter the filter name, number, or range:
[]> 1

1 filters deleted.

Once everything is correct, commit the changes.

(esa)> commit

To verify, go to message tracking and under Advanced > Message Event > Message Filters specify the filter name.

Message tracking results.
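
Because the filter above exempts a whole /16 on shared sending infrastructure, it helps to compare that range with the sender IPs message tracking actually shows for the campaign. The following Python script is an added example, not part of the original post or any Cisco tooling; the observed IPs are constructed sample values, and it assumes remote-ip values in CIDR or single-IP notation.

```python
import ipaddress
import re

# remote-ip conditions in an ESA message filter; also accepts the curly
# quotes that blog pages and word processors substitute for straight ones.
REMOTE_IP_RE = re.compile(r"""remote-ip\s*==\s*["'“”‘’]([^"'“”‘’]+)["'“”‘’]""")


def filter_networks(script):
    """Networks named in remote-ip conditions (assumes CIDR or single IP)."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in REMOTE_IP_RE.findall(script)]


def smallest_cover(ips):
    """Smallest single network containing every address in ips."""
    lo, hi = min(ips), max(ips)
    net = ipaddress.ip_network(str(lo))
    while hi not in net:
        net = net.supernet()
    return net


def audit(script, observed_ips):
    """Compare the filter's bypass scope with the sender IPs actually seen."""
    nets = filter_networks(script)
    ips = [ipaddress.ip_address(i) for i in observed_ips]
    matched = [ip for ip in ips if any(ip in n for n in nets)]
    missed = [ip for ip in ips if ip not in matched]
    return {
        "matched": [str(ip) for ip in matched],
        "missed": [str(ip) for ip in missed],
        "filter_addresses": sum(n.num_addresses for n in nets),
        "cover": str(smallest_cover(matched)) if matched else None,
    }


# Filter from the post; the observed sender IPs are constructed sample values.
FILTER = 'SkipBulkcheckFilter: if remote-ip == "148.105.0.0/16" { skip-bulkcheck(); }'
OBSERVED = ["148.105.8.21", "148.105.8.77", "148.105.9.3", "198.51.100.7"]

if __name__ == "__main__":
    report = audit(FILTER, OBSERVED)
    cover = ipaddress.ip_network(report["cover"])
    print("bypassed:", report["matched"])
    print("still graymail-scanned:", report["missed"])
    print("filter exempts", report["filter_addresses"], "addresses;",
          "observed senders fit in", cover, f"({cover.num_addresses} addresses)")
```

A large gap between the filter's address count and the covering network suggests the remote-ip range can be tightened before the commit.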
