
Exclude whitelisted/ignored emails from rules?



I have a series of rules set up in ESMX 7 to filter specific emails, some of which contain "Dear Customer", which is a common thing spammers put in their emails. Unfortunately some legitimate emails also have this keyword, and so the rules are filtering those emails, despite the sender of the affected emails being on both the "Approved Domain to IP List" and the "Ignored Domain to IP List".

How can I configure the rule to only match against emails that are not on the approved or ignored list?

This is affecting rules configured not just for emails coming in but also those being scanned on-demand within the database.

Edited by davidenco
  • ESET Staff

Hi davidenco,

"Approved Domain to IP List" and the "Ignored Domain to IP List" are used only by the antispam engine.

To whitelist some IP addresses, modify the rule: create a condition "Sender's IP address is not any" and specify the list of allowed IP addresses.

15 hours ago, davidenco said:

This is affecting rules configured not just for emails coming in but also those being scanned on-demand within the database.

Only on-demand database scan rules can affect emails while scanning with on-demand database scan; transport rules are used only when scanning by the transport agent.

1 minute ago, filips said:

Hi davidenco,

"Approved Domain to IP List" and the "Ignored Domain to IP List" are used only by the antispam engine.

To whitelist some IP addresses, modify the rule: create a condition "Sender's IP address is not any" and specify the list of allowed IP addresses.

Only on-demand database scan rules can affect emails while scanning with on-demand database scan; transport rules are used only when scanning by the transport agent.

Some domains that have been approved or ignored have *A LOT* of IP addresses/ranges. How can I be expected to copy every IP address/range into every single rule and also maintain those IP addresses/ranges. That's a really daft approach. It sounds like the rule system is flawed.

Those lists are just lists; the anti-spam engine only uses them, but they're still independent from the anti-spam engine. So surely the rules should have no problem in somehow hooking into them?


Alternatively, in what order are the rules executed, before the anti-spam engine or after?

If the rules are executed before, can I change this to after? If they're already executed after the anti-spam engine, does the engine write a header to emails that are on an approved/ignored/blocked list? If so, I could add a condition saying if that rule exists, don't run the rule. Problem solved.

I noticed this morning an email which is on the approved/ignored list has the "X-ESET-AS" header, compared to another email that does not feature on any list which does not have this header. What is the "X-ESET-AS" header?

  • ESET Staff

Filtering rules are executed before AS/AV scan and result processing after AS/AV scan (https://help.eset.com/emsx/7.0/en-US/idh_config_mailserver_rules.html).

X-ESET-AS is a header with some diagnostic information; you could compare it with a regex. It looks like the header of whitelisted mail contains "OP=WL".

On 2/28/2019 at 1:01 PM, filips said:

Filtering rules are executed before AS/AV scan and result processing after AS/AV scan (https://help.eset.com/emsx/7.0/en-US/idh_config_mailserver_rules.html).

X-ESET-AS is a header with some diagnostic information; you could compare it with a regex. It looks like the header of whitelisted mail contains "OP=WL".

I don't know why there isn't an option to refer to X list. Seems a bit backwards that I have to duplicate information and then maintain that duplicated information because ESET has a badly designed rule system.

As for the header, I have checked a number of different whitelisted emails (as in whitelisted for different reasons) but they all have the X-ESET-AS header and every email so far says "OP=CALC". What does that mean?

This is really frustrating.

Does ESET not have a list of headers and what they mean?

As for the missing conditions (i.e. referring to pre-populated lists), is this something that can be added as an option please? I'm only having to add rules because the ESMX is letting through actual spam!!!
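Added example, not part of the original thread and not ESET code: before building a rule condition on the "OP=WL" regex suggested above, this tallies the OP value in the X-ESET-AS header across saved messages, split by whether each sender is expected to be on the approved/ignored lists. The header layout is an assumption (only the `OP=WL` and `OP=CALC` tokens come from the thread), and the sample messages and the function names are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string
from email.policy import default

# Assumption: the header contains an "OP=<VALUE>" token somewhere in its text.
OP_TOKEN = re.compile(r"(?<![A-Za-z0-9])OP=([A-Za-z0-9_]+)")

def op_values(raw_message):
    """Return the OP value (or None) for every X-ESET-AS header in one message."""
    msg = message_from_string(raw_message, policy=default)
    values = []
    for header in msg.get_all("X-ESET-AS", []):
        text = " ".join(str(header).split())  # normalise folded header lines
        match = OP_TOKEN.search(text)
        values.append(match.group(1).upper() if match else None)
    return values

def tally(samples):
    """samples: iterable of (expected_whitelisted, raw_message) pairs."""
    counts = {True: Counter(), False: Counter()}
    for expected, raw in samples:
        found = op_values(raw)
        if not found:
            counts[expected]["<no header>"] += 1
        for value in found:
            counts[expected][value or "<no OP token>"] += 1
    return counts

def is_reliable_marker(counts, value="WL"):
    """True only if `value` is on every expected-whitelisted sample and on no other."""
    listed, other = counts[True], counts[False]
    total = sum(listed.values())
    return total > 0 and listed[value] == total and other[value] == 0

# Constructed samples; everything in the header except the OP= token is a placeholder.
SAMPLES = [
    (True, "From: a@example.com\nX-ESET-AS: placeholder; OP=CALC; placeholder\n\nDear Customer\n"),
    (True, "From: b@example.com\nX-ESET-AS: placeholder;\n OP=CALC\n\nDear Customer\n"),
    (True, "From: c@example.com\nX-ESET-AS: placeholder; OP=WL\n\nDear Customer\n"),
    (False, "From: d@example.net\nSubject: hi\n\nDear Customer\n"),
]

if __name__ == "__main__":
    result = tally(SAMPLES)
    print(dict(result[True]), dict(result[False]))
    print("OP=WL usable as rule condition:", is_reliable_marker(result))
```

Replace `SAMPLES` with messages exported from the mailbox; if the marker is not reliable across them, a rule keyed on it will still catch legitimate mail.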
