How do I block Out of Office Assistant (OOA) messages sent to a mail server that holds the messages for a time before sending an NDR back to the internal mail server?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

How do I block Out of Office Assistant (OOA) messages sent to a mail server that holds the messages for a time before sending an NDR back to the internal mail server?

Procedure:

Before proceeding, analyze the message (.mml) in question for unique text that you can search for in the body. The text will differ from environment to environment. In the following example, we knew the Helo Name of our internal mail server and the subject of an email sent out by the OOA. We also knew that if a message had both of these in the Message Body and/or the Message Text, we could block only these types of NDRs.

  • Unique Helo Name = test.example.com
  • Unique text in the subject line = subject: out of office autoreply:
  1. Create the new TextCensor script called Block OOA NDRs.
    • The TC script needs to search the MsgBody and Attachments only.
    • The following line item needs to be added to the TC script:
      • Unique Helo Name AND Unique Text in the Subject line:
        • Example: "test.example.com AND subject: out of office autoreply:"
        • Weighting = 5
        • Weighting type = once only
  2. Create a new Content Analysis rule to use the TextCensor script.
    • Initially, you will want to monitor the OOA NDRs folder to be sure that it is capturing the intended problem emails.

Example:
Rule: Block OOA NDRs
When a message arrives
Where message is incoming
Where message triggers text censor script(s) 'Block OOA NDRs'
Move the message to 'OOA NDRs'
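
An offline sanity check of the two-term AND expression, useful while the rule is still only being monitored (added example, not Trustwave code and not TextCensor itself). It assumes the message has been exported as RFC 822 text, that matching is case-insensitive, and that the headers of an attached original message count as attachment content; the sample messages are constructed.

```python
import email
from email import policy

# Values from the article's example; substitute what you found in your own .mml analysis.
HELO_NAME = "test.example.com"
SUBJECT_TEXT = "subject: out of office autoreply:"
WEIGHT = 5  # weighting 5, type "once only": counted once however often the terms repeat

def searchable_text(raw):
    """Text of body parts and attachments; the NDR's own top-level headers are skipped."""
    msg = email.message_from_string(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part is not msg:  # headers of nested parts, including the returned original
            chunks.extend(f"{name}: {value}" for name, value in part.items())
        if not part.is_multipart() and part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks).lower()  # assumption: matching is case-insensitive

def score(raw):
    """Return WEIGHT when both terms are present (the AND expression), else 0."""
    text = searchable_text(raw)
    return WEIGHT if HELO_NAME in text and SUBJECT_TEXT in text else 0

def make_ndr(original_subject):
    """Constructed sample NDR that returns a message our server sent out."""
    return (
        "From: MAILER-DAEMON@mx.remote.example\nTo: user@example.com\n"
        "Subject: Undeliverable mail\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nDelivery failed after retry period.\n"
        "--b1\nContent-Type: message/rfc822\n\n"
        "Received: from test.example.com by mx.remote.example; Wed, 1 Jan 2020 10:00:00 +0000\n"
        f"Subject: {original_subject}\n\nMessage text.\n--b1--\n"
    )

# Constructed sample: a genuine auto-reply arriving from outside (subject only in top-level header).
INBOUND_OOA = ("From: partner@remote.example\nTo: user@example.com\n"
               "Subject: Out of Office AutoReply: Re: Quote\n\nI am away until Monday.\n")

if __name__ == "__main__":
    for label, raw in [("OOA NDR", make_ndr("Out of Office AutoReply: Re: Quote")),
                       ("ordinary NDR", make_ndr("Re: Quote")),
                       ("inbound OOA", INBOUND_OOA)]:
        print(f"{label}: weight {score(raw)}")
```

Only the NDR that returns an OOA reply scores; an ordinary NDR carries the Helo Name but not the subject text, and a genuine inbound auto-reply carries the subject only in its top-level header, which is outside the searched scope.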

This article was previously published as:
NETIQKB37658

Last Modified 4/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10224.aspx