How do I bypass the PTR lookup for specific hosts?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

How do I bypass the PTR lookup for specific hosts?

Procedure:

Currently there is no method to set up exclusions directly from the Host Validation tab. However, there is a workaround. Rules-based Reverse Pointer lookups are probably at their most powerful and accurate if targeted specifically at email from yahoo, hotmail, or other service providers. Spammers frequently spoof these domains, while sending from servers that fail DNS lookups. Legitimate mail from these domains should not fail reverse PTR lookups.

Caution: PTR lookups should be used with care. Many legitimate servers do not have correctly configured PTR records.

  1. Enable Validate connecting hosts in the DNS and select Accept unknown hosts.
    • This will allow the message through to the MailMarshal engine, but the receiver writes the words "Not Verified" in the received: line of the header. It's possible to take advantage of this fact with an Engine rule.
      • The received line will look something like the following:

        Received: from mispammer.com (not verified[63.87.252.34]) by msatlexchange.us.atlanta.marshalsoftware.com with MailMarshal (4,2,5,0) id <BA000168c7>; Wed, 21 Aug 2002 00:53:15 -0400
    • Create a TextCensor script called "NotVerified" which triggers on the following entry (it will be necessary to tailor this string to the machine name of the local MailMarshal server):  received FOLLOWEDBY=7 not verified FOLLOWEDBY=8 msatlexchange.
      • Therefore for the local MailMarshal server, use: received FOLLOWEDBY=7 not verified FOLLOWEDBY=8 your_server_name
        Note: When creating the TextCensor script you will need to apply it to the Message Header. 
      • Create a user group called "Bad Ptr OK" which is to contain all the domains to be excluded from the Reverse pointer blocking.
      • Create a Standard rule like the following:

        When a message arrives
        Where message is incoming
            Except where addressed from 'Bad Ptr OK'
        Where message triggers text censor script(s) 'NotVerified'
        Move the message to 'Bad Pointer Lookup'

        The above rule will move any message with the "Not Verified" header entry to Quarantine, except for those messages coming from domains listed in Bad Ptr OK.
      • It is a good idea to apply the rules based pointer checks to webmail addresses only, such as yahoo.com and aol.com (the idea being that legitimate email from these sources should pass pointer checks.) 

        Create a Standard rule like the following:

        When a message arrives
        Where message is incoming
            Where addressed from 'WebMail Domains'
            Where message triggers text censor script(s) 'NotVerified'
        Move the message to 'Bad Pointer Lookup'

      This article was previously published as:
      NETIQKB34722

       

       

       

       

       

      Last Modified 5/1/2020.
      https://support.trustwave.com/kb/KnowledgebaseArticle10316.aspx