How can we improve?

IPs and Hostnames exemption list for SPF and Rate Control processing

Hello Support,


I would like to make a request for an exceptions list of IPs and Hostnames for SPF processing.

-----------------------------

Here is the problem. We, and many of our clients (we are an IT company), come from a background of Barracuda anti-spam units.

On a Barracuda you can specify some hosts or IPs that you want excluded from the Barracuda's equivalent of Security Gateway's SPF processing. Typically one uses that list specifically and only for the host addresses of one's Backup MX queues.

On Security Gateway, you cannot, with the following results:

a) Internet line goes down, so emails are queued up at the Backup MX Queue ISP.

b) When the line comes back up, those emails which are now no longer coming directly from the senders' servers all fail in Security Gateway on SPF processing (this server is not allowed to send emails as "microsoft.com", etc...).

c) To solve the problem, we whitelist the hostnames of the backup queue but... then hit another problem: because the backup queue servers are now whitelisted, none of the standard anti-spam checks are carried out by Security Gateway and so a ton of spam gets delivered to the client as emails from the backup queue servers are unloaded onto Security Gateway!!!

d) Once all queued up emails are unloaded we then have to take out those backup queue hostnames from the whitelist to ensure that spam does not get a free ride through Security Gateway.


I note that on your homepage you are aiming Security Gateway squarely at Barracuda users. I would be grateful, therefore, if you could provide this enhancement in the next version of Security Gateway.

Here is a screenshot from a Barracuda so you can see for yourselves - it is called TRUSTED IPSs - as you can see, the Barracuda does something quite smart with that setting - it ignores that trusted IP for SPF, Rate Control and IP reputation, but the next IP (the real IP), does not escape the tests:




Regards,
Michel

3 votes
Michel shared this idea

Hello Michel,

Per-feature whitelists will be considered for future versions. In the meantime there is a potential workaround which I believe has already been shared with you, but I'll share it for the benefit of everyone.

As a short-term workaround, you can use a custom SIEVE script for the SPF test. You will need to disable the built-in test, and replace it with something like:

require ["securitygateway","reject","fileinto","envelope"];

# Run the SPF test only when the connecting IP is not one of the listed addresses
if not ip :is ["80.168.44.51", "195.8.69.18", "213.253.3.180"]
{
    # cut and paste the text of the system-generated sieve script here
    if allof(not whitelisted, not auth "succeeded", not ip "des") {
        if lookup "spf" "fail" {
            fileinto "spam";
        }
        if lookup "spf" "softfail" {
            spamscore "2.0";
        }
    }
}

Thanks,

Arron

2 comments

  • Michel commented

    Hi Arron,

    There is not an actual section called EXCLUDE MESSAGES FROM WHITELISTED IP ADDRESSES - just "Exclude messages from whitelisted senders".

    If that is what you are referring to, then that is what I refer to in my Point (c) in the original post. The problem with that is that the IP and Hostnames whitelists are whitelists which tell SG: do NOT do any anti-spam checking on this IP/hostname, so, yes, it means emails from a whitelisted IP/Hostname do NOT go through SPF checking, but it also means the same emails do NOT go through any of the other anti-spam checks. Result: hundreds of emails that have stacked up on the backup MX queue get delivered without a single anti-spam check on them!

    What is needed is an exclusion list specifically for SPF checking and no other checks.

    Michel
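The "skip the trusted IP, test the next IP" behaviour requested in this thread can be sketched as follows. This is an added example, not Security Gateway or Barracuda code: `spf_client_ip`, `TRUSTED_FORWARDERS` and the sample message are hypothetical, the three addresses are reused from the workaround script, and the message is assumed to be as received over SMTP, before the gateway adds its own Received header.

```python
import email
import ipaddress
import re

# Addresses reused from the workaround script above (assumed to be the backup MX hosts).
TRUSTED_FORWARDERS = {ipaddress.ip_address(a) for a in
                      ("80.168.44.51", "195.8.69.18", "213.253.3.180")}
# Bracketed IPv4 literal as MTAs commonly record the peer in Received (IPv6 not handled).
_HOP_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: the top header was written by the backup MX; the second
# one is sender-controlled and claims a trusted address.
SAMPLE = (
    "Received: from mail.sender.example (mail.sender.example [203.0.113.25])\n"
    "\tby backup-mx.isp.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from relay ([80.168.44.51]) by mail.sender.example; "
    "Mon, 1 Jan 2024 09:59:00 +0000\n"
    "From: a@sender.example\nSubject: queued\n\nbody\n"
)

def spf_client_ip(connecting_ip, raw_message):
    """Return (ip, via_trusted): the address SPF should be evaluated against.

    A peer that is not a trusted forwarder is used directly. Otherwise the
    Received chain is walked newest-first and the walk stops at the first
    untrusted hop, so every header consulted was written by a trusted host
    and older, sender-controlled headers are never read. (None, True) means
    no usable hop: skip SPF only and still run every other check.
    """
    peer = ipaddress.ip_address(connecting_ip)
    if peer not in TRUSTED_FORWARDERS:
        return peer, False
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        m = _HOP_IP.search(header)
        if not m:
            return None, True       # trusted host recorded no peer address
        try:
            hop = ipaddress.ip_address(m.group(1))
        except ValueError:
            return None, True       # malformed literal such as [999.1.1.1]
        if hop not in TRUSTED_FORWARDERS:
            return hop, True        # first untrusted hop: the real sender
    return None, True
```

Only the SPF input changes here; content filtering and the other anti-spam checks would still run on mail arriving from the backup queue.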
