davidenco, posted February 26, 2019 (edited February 26, 2019 by davidenco):

I have a series of rules set up in ESMX 7 to filter specific emails, some of which contain "Dear Customer", which is a common thing spammers put in their emails. Unfortunately some legitimate emails also have this keyword, and so the rules are filtering those emails, despite the sender of the affected emails being on both the "Approved Domain to IP List" and the "Ignored Domain to IP List". How can I configure the rule to only match against emails that are not on the approved or ignored list? This is affecting rules configured not just for emails coming in but also those being scanned on-demand within the database.
filips (ESET Staff), posted February 27, 2019:

Hi davidenco, the "Approved Domain to IP List" and the "Ignored Domain to IP List" are used only by the antispam engine. To whitelist some IP addresses, modify the rule: create a condition "Sender's IP address is not any" and specify a list of allowed IP addresses.

davidenco said (15 hours ago): "This is affecting rules configured not just for emails coming in but also those being scanned on-demand within the database."

Only on-demand database scan rules can affect emails while scanning with the on-demand database scan; transport rules are used only when scanning by the transport agent.
davidenco (author), posted February 27, 2019:

filips said (1 minute ago): "Hi davidenco, the "Approved Domain to IP List" and the "Ignored Domain to IP List" are used only by the antispam engine. To whitelist some IP addresses, modify the rule: create a condition "Sender's IP address is not any" and specify a list of allowed IP addresses. Only on-demand database scan rules can affect emails while scanning with the on-demand database scan; transport rules are used only when scanning by the transport agent."

Some domains that have been approved or ignored have *A LOT* of IP addresses/ranges. How can I be expected to copy every IP address/range into every single rule and also maintain those IP addresses/ranges? That's a really daft approach. It sounds like the rule system is flawed. Those lists are just lists; the anti-spam engine only uses them, but they're still independent from the anti-spam engine. So surely the rules should have no problem in somehow hooking into them?
davidenco (author), posted February 27, 2019:

Alternatively, in what order are the rules executed, before the anti-spam engine or after? If the rules are executed before, can I change this to after? If they're already executed after the anti-spam engine, does the engine write a header to emails that are on an approved/ignored/blocked list? If so, I could add a condition saying if that rule exists, don't run the rule. Problem solved. I noticed this morning an email which is on the approved/ignored list has the "X-ESET-AS" header, compared to another email that does not feature on any list, which does not have this header. What is the "X-ESET-AS" header?
filips (ESET Staff), posted February 28, 2019:

Filtering rules are executed before the AS/AV scan, and result-processing rules after the AS/AV scan (https://help.eset.com/emsx/7.0/en-US/idh_config_mailserver_rules.html). X-ESET-AS is a header with some diagnostic information; you could compare it with a regex. It looks like the header of whitelisted mail contains "OP=WL".
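An added example, not code from the thread or from ESET, of the post-scan check filips describes: parse a message, look for the OP=WL token in X-ESET-AS with a regex, and only then apply a "Dear Customer" keyword rule. Only the OP=WL and OP=CALC tokens come from the thread; the sample messages and the rest of the X-ESET-AS value layout are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages. Only the "OP=WL" and "OP=CALC" tokens come from
# the thread; the other fields and the ';' separators in X-ESET-AS are an
# assumption made for this example, not documented ESET output.
SAMPLE_MESSAGES = {
    "whitelisted": (
        "From: billing@partner.example\r\n"
        "Subject: Invoice\r\n"
        "X-ESET-AS: vers=x.y;OP=WL;score=0\r\n"
        "\r\n"
        "Dear Customer, your invoice is attached.\r\n"
    ),
    "calculated": (
        "From: promo@unknown.example\r\n"
        "Subject: You won\r\n"
        "X-ESET-AS: vers=x.y;OP=CALC;score=87\r\n"
        "\r\n"
        "Dear Customer, click here.\r\n"
    ),
    "no_header": (
        "From: hr@corp.example\r\n"
        "Subject: Policy update\r\n"
        "\r\n"
        "Dear Customer, please review the attached policy.\r\n"
    ),
}

# Match OP=WL only as a whole token, so a value such as OP=WLX would not count.
WHITELIST_RE = re.compile(r"(?:^|[;\s])OP=WL(?=$|[;\s])")
KEYWORD_RE = re.compile(r"\bDear Customer\b")


def is_as_whitelisted(msg: Message) -> bool:
    """True when the antispam engine's X-ESET-AS header carries OP=WL."""
    return bool(WHITELIST_RE.search(msg.get("X-ESET-AS", "")))


def keyword_rule_matches(raw_message: str) -> bool:
    """True if a 'Dear Customer' rule should fire; skipped for AS-whitelisted mail."""
    msg = message_from_string(raw_message)
    if is_as_whitelisted(msg):
        return False
    body = msg.get_payload()  # single-part text, so this is a str here
    return bool(KEYWORD_RE.search(body))


def evaluate_samples() -> dict:
    """Apply the rule to every constructed sample and report the verdicts."""
    return {name: keyword_rule_matches(raw) for name, raw in SAMPLE_MESSAGES.items()}
```

A message whose X-ESET-AS says OP=CALC, like the one davidenco reports seeing, is treated as not whitelisted and still hits the keyword rule.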
davidenco (author), posted March 2, 2019:

filips said (on 2/28/2019 at 1:01 PM): "Filtering rules are executed before the AS/AV scan, and result-processing rules after the AS/AV scan (https://help.eset.com/emsx/7.0/en-US/idh_config_mailserver_rules.html). X-ESET-AS is a header with some diagnostic information; you could compare it with a regex. It looks like the header of whitelisted mail contains "OP=WL"."

I don't know why there isn't an option to refer to X list. Seems a bit backwards that I have to duplicate information and then maintain that duplicated information because ESET has a badly designed rule system. As for the header, I have checked a number of different whitelisted emails (as in whitelisted for different reasons), but they all have the X-ESET-AS header and every email so far says "OP=CALC". What does that mean? This is really frustrating. Does ESET not have a list of headers and what they mean? As for the missing conditions (i.e. referring to pre-populated lists), is this something that can be added as an option please? I'm only having to add rules because ESMX is letting through actual spam!!!