Trustwave Becomes First Pure-Play MDR Provider to Attain FedRAMP Authorization. Learn More

Request a Demo
Trustwave Becomes First Pure-Play MDR Provider to Attain FedRAMP Authorization. Learn More

Request a Demo
Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Microsoft Security
Unlock the full power of Microsoft Security
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP
Loading...
Loading...

Trustwave Knowledge Base

Home » Knowledgebase » Trustwave MailMarshal (SEG) » HOWTO: How do I bypass the PTR lookup for specific hosts?

HOWTO: How do I bypass the PTR lookup for specific hosts?

Expand / Collapse
Show/Hide Article Tools


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

How do I bypass the PTR lookup for specific hosts?

Procedure:

Currently there is no method to set up exclusions directly from the Host Validation tab. However, there is a workaround. Rules-based Reverse Pointer lookups are probably at their most powerful and accurate if targeted specifically at email from yahoo, hotmail, or other service providers. Spammers frequently spoof these domains, while sending from servers that fail DNS lookups. Legitimate mail from these domains should not fail reverse PTR lookups.

Caution: PTR lookups should be used with care. Many legitimate servers do not have correctly configured PTR records.

  1. Enable Validate connecting hosts in the DNS and select Accept unknown hosts.
    • This will allow the message through to the MailMarshal engine, but the receiver writes the words "Not Verified" in the received: line of the header. It's possible to take advantage of this fact with an Engine rule.
      • The received line will look something like the following:

        Received: from mispammer.com (not verified[63.87.252.34]) by msatlexchange.us.atlanta.marshalsoftware.com with MailMarshal (4,2,5,0) id <BA000168c7>; Wed, 21 Aug 2002 00:53:15 -0400
    • Create a TextCensor script called "NotVerified" which triggers on the following entry (it will be necessary to tailor this string to the machine name of the local MailMarshal server):  received FOLLOWEDBY=7 not verified FOLLOWEDBY=8 msatlexchange.
      • Therefore for the local MailMarshal server, use: received FOLLOWEDBY=7 not verified FOLLOWEDBY=8 your_server_name
        Note: When creating the TextCensor script you will need to apply it to the Message Header. 
      • Create a user group called "Bad Ptr OK" which is to contain all the domains to be excluded from the Reverse pointer blocking.
      • Create a Standard rule like the following:

        When a message arrives
        Where message is incoming
            Except where addressed from 'Bad Ptr OK'
        Where message triggers text censor script(s) 'NotVerified'
        Move the message to 'Bad Pointer Lookup'

        The above rule will move any message with the "Not Verified" header entry to Quarantine, except for those messages coming from domains listed in Bad Ptr OK.
      • It is a good idea to apply the rules based pointer checks to webmail addresses only, such as yahoo.com and aol.com (the idea being that legitimate email from these sources should pass pointer checks.) 

        Create a Standard rule like the following:

        When a message arrives
        Where message is incoming
            Where addressed from 'WebMail Domains'
            Where message triggers text censor script(s) 'NotVerified'
        Move the message to 'Bad Pointer Lookup'

      This article was previously published as:
      NETIQKB34722

       

       

       

       

       

      To contact Trustwave about this article or to request support:

      Rate this Article:
           
      Tags:

      Add Your Comments


      Comment submission is disabled for anonymous users.
      Please send feedback to Trustwave Technical Support or the Webmaster      .


      Execution: 0.031. 8 queries. Compression Disabled.
      Powered by InstantKB.NET