M.K.

ESET Staff
Everything posted by M.K.

  1. Hi, a possible workaround is to switch the type of quarantine from "Local quarantine" to "Quarantine mailbox". That way you can access the quarantined emails also via Outlook/OWA/... and get access to the attachments before releasing them via ESET Mail Security.
  2. Hi, this should be possible. The condition "Internal message = false" should filter only the incoming messages.
  3. Hi, when there is a limit on the number of IP addresses from Received headers set by the user, they are counted from the most recent (appears on top). Local IP addresses and addresses on the Ignore list are skipped, i.e. not counted towards the limit. Note: besides Received headers, we also acquire the IP address of the connecting server from the SMTP session - this address is always checked against our cloud blacklists/whitelists, independent of whether it is part of Received headers or not.
  4. Hi, Ad. Internal: messages are considered internal if the SMTP connection is not marked as external by Exchange server, or when the email comes from the internal mailbox, or when it is submitted via local pickup. Ad. Outgoing: this is based on the email recipients categories. EMSX checks all recipients of the email to determine whether they are located in the same organization, in a different organization, or are marked by Exchange as external.
  5. Hi, ESET Mail Security doesn't use any third party RBL by default, only our own cloud service.
  6. Hi Daenni, yes in Mail Quarantine you can check the original headers of quarantined emails, in the Details window.
  7. Hi, RBL servers are queried with IP addresses extracted from 'Received:' headers, DNSBL servers are queried with IP's and domains extracted from message body. Hope that helps.
  8. There is a setting in product "Enable temporary rejecting of undetermined messages" in Advanced antispam settings, that can help to fight first waves of spam by temporarily rejecting suspicious emails for the specified period until our antispam cloud gathers enough data. For malware it is recommended to enable ESET LiveGuard (cloud sandbox).
  9. The "UseOriginalIPHeader" setting is relevant only for the Mail security, not for Network protection component. So yes, that was a misunderstanding on our part.
  10. You can verify it in the Mail server protection log - e.g. turn on logging of all messages

          <?xml version="1.0" encoding="utf-8"?>
          <ESET>
            <PRODUCT NAME="emsx">
              <ITEM NAME="plugins">
                <ITEM NAME="01004100">
                  <ITEM NAME="settings">
                    <ITEM NAME="MAILSERVER_CONFIG">
                      <NODE NAME="LogAllMessages" TYPE="number" VALUE="1" />
                    </ITEM>
                  </ITEM>
                </ITEM>
              </ITEM>
            </PRODUCT>
          </ESET>

      send an email containing the header (i.e. X-Originating-IP: X.Y.Z.W) and you should see the X.Y.Z.W address in the "IP Address" column instead of the address of the sending server. The column has zero width by default, you need to resize it first - it is the second column right after "Time". If that address is on the Blocked IP list, the whole email should be marked as spam.
  11. Hi, Microsoft has recently discontinued the Basic Authentication for EWS by default (https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online). We are working on a solution which we plan to include in the next major EMSX release. In the meantime it is still possible to re-enable the Basic Authentication in tenant settings: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
  12. You don't need to edit exported settings, you can just import that XML I've copied here in the chat. Just save those 15 lines to a file and import it - only those two settings will be affected by it. As for the "the originating IP Address is detected automatically in all new versions of Mail Security" - that could be a bit misleading. It's true that our antispam engine tries to verify/detect the correct sender's IP address from the message headers automatically if the IP address provided from Exchange Server SMTP session is e.g. a local address (Edge server, other server in DAG etc...). But that has nothing to do with this setting (UseOriginalIPHeader) where you can explicitly specify which particular header contains the correct IP.
  13. The setting should work the same as before, i.e. when turned on (UseOriginalIPHeader=1) and with the header name defined (OriginalIPHeader), then whenever EMSX finds such header in the email, its value - if it's a valid IP address - is used instead of the connecting server IP address. That should relate to all protection layers that process the connecting IP (antispam, SPF ...). It has been removed from GUI, as it was often used in a way that was not intended. For the legitimate cases it is still available for advanced users.
  14. Hi, this setting is still available, but only via the configuration XML, for example:

          <?xml version="1.0" encoding="utf-8"?>
          <ESET>
            <PRODUCT NAME="emsx" VERSION="9.0">
              <ITEM NAME="plugins">
                <ITEM NAME="01004101">
                  <ITEM NAME="settings">
                    <ITEM NAME="XMON_AGENT_CONFIG">
                      <NODE NAME="OriginalIPHeader" TYPE="string" VALUE="X-Originating-IP" />
                      <NODE NAME="UseOriginalIPHeader" TYPE="number" VALUE="1" />
                    </ITEM>
                  </ITEM>
                </ITEM>
              </ITEM>
            </PRODUCT>
          </ESET>
  15. Hi, with automatic exclusions for Exchange Servers we have followed recommendations from Microsoft, i.e. https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019
  16. Hi, SPF should work fine even under these circumstances. You need to put the IP address of your new MTA into the Ignored IP list and mark it as Infrastructure IP. EMSX should then parse the correct sender's IP from Received headers and use it in the SPF check. As for your question - SPF result is not used directly when classifying an email (spam/nospam), but can have impact on future classifications in cloud.
  17. Hi, you can add (google.com) domain to the Greylisting -> Domain to IP whitelist. Or to Antispam -> Ignored Domain to IP list, and ensure that checkbox "Use antispam lists to automatically bypass Greylisting and SPF" is on. Alternatively, you can check "Automatically bypass Greylisting if SPF check passes" under the SPF/DKIM section.
  18. It should work, as long as the downloaded emails are scanned by Mail Security transport agent. Most POP3 downloaders deliver emails via SMTP. Did you specify the list of your domains and your infrastructure IP's in Sender Spoofing Protection settings?
  19. You can add a condition "Sender's IP address ... is not" to the rule and list the addresses for which you want to skip the rule. Currently it is not possible to reference directly the existing IP lists defined in Advanced settings/Antispam protection/Filtering and verification. But we do track this market requirement in our backlog already and plan to add it in the future.
  20. Hi, the problematic domain you reported has been already removed from the cloud blacklist. The quickest way to solve such cases is to send the email sample to nospam_ecos@eset.com (https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab#spam) as those are handled almost immediately. Also based on the sample we have identified a problem in the algorithm that selects the sender's address from email headers in some cases (Return-path: header), and it will be also addressed by an automatic update. Regards, Matej
  21. EMSX tries to resolve as many IP addresses associated with that domain as possible - using A, MX, and SPF records. All resolved IP's could be checked in the Edit dialog in Advanced settings. If the IP is on the list (approved domain to IP list) and the email is still being marked as spam, please submit a support ticket so we can have a look at it.
  22. First question - yes, exactly. Regarding the blacklist check - if the IP is on Ignored list, then no checks are performed with the IP, including neither cloud nor local blacklists. But the email could be, for example, marked as spam due to the blacklisted domain in the message body.
  23. IP addresses found on "Ignored IP List" will be skipped during classification, the rest of the email will be still checked. When IP is whitelisted, the whole email is automatically considered as ham.
  24. Hi, ESET Mail Security for Exchange uses '451 4.7.1 Please try again later' response for greylisted messages, but Greylisting is turned off by default. Have you checked in-product logs or transaction logs to verify whether messages were rejected by Mail Security?
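
The Received-header counting described in post 3 above, as an added illustration that is not ESET's code and not part of M.K.'s posts. It assumes that relay addresses appear in square brackets in each `Received:` header and that "local" means RFC 1918 and loopback ranges; the function name, the sample message and its addresses are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: newest hop on top, as a receiving server would see it.
SAMPLE = """\
Received: from edge.example.net (edge.example.net [10.0.0.5])
\tby mbx.example.net; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby edge.example.net; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mta.example.com (mta.example.com [203.0.113.9])
\tby relay.example.org; Mon, 1 Jan 2024 10:00:01 +0000
Received: from client (unknown [192.0.2.44])
\tby mta.example.com; Mon, 1 Jan 2024 10:00:00 +0000
From: a@example.com
Subject: test

body
"""

# Assumption: what counts as a "local" address (not taken from the product).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message, limit, ignored=()):
    """Return up to `limit` relay IPs, newest Received header first.

    Local and ignored addresses are skipped and do not use up the limit.
    """
    ignore = {ipaddress.ip_address(i) for i in ignored}
    picked = []
    for header in message_from_string(raw_message).get_all("Received", []):
        for text in BRACKETED_IP.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:          # e.g. [999.1.1.1]
                continue
            if ip in ignore or any(ip in net for net in LOCAL_NETS):
                continue                # skipped, not counted
            picked.append(str(ip))
            if len(picked) == limit:
                return picked
    return picked
```

With a limit of 2, putting `198.51.100.7` on the ignored list moves the window one hop further from the receiving server, so `192.0.2.44` is reached instead of being cut off by the limit.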