How do I use a Connection Policy (Receiver) rule to block mail from unwanted sources?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

How do I use a Connection Policy rule (Receiver rule) to block mail from unwanted sources?

Procedure:

A Connection Policy rule can block mail from a specific domain or email address, or from all of the addresses and domains listed in a User Group.

  • Note: Blocking individual addresses is a losing strategy against spam in the long term. You are likely to accumulate a large list of addresses that the spammer never uses again.
    • Make sure you are current on all the spam layers available in SEG.
    • Report spam to Trustwave by any documented method.

Step 1 - Create a User Group.
This step is optional, but it is the easiest way to block several addresses or domains.
Add the email addresses or domains that you want to block.
Your entries might look like this:

badperson@domain.com
spammingdomain.com
freestuff.com



Step 2 - Create a Connection Policy rule.
Within Connection Policy, create a new rule.
Choose "Where addressed from"
Choose the group to be blocked, or manually enter the email address or domain that you want to block.


I've set up a rule but it doesn't work!
It is very important to note that Connection Policy rules act on the SMTP envelope sender (the "Mail From:" address), not on the "From:" header that a mail client displays. A Connection Policy rule runs during the initial SMTP conversation between the remote sending server and MailMarshal, and at that point only the envelope ("Mail From:" and "Rcpt To:") has been passed to MailMarshal; the message headers, including "From:", have not arrived yet. This article calls the envelope sender the "Reply to:" address, because it is the address that bounces are returned to (on a delivered message it appears in the "Return-Path:" header). It is not the same thing as the "From:" header, or as a "Reply-To:" header inside the message.

Often, especially with spam, the "Reply to:" (envelope) address is different from the "From:" header. To establish what the "Reply to:" value actually is, examine the problem mail in its raw format. View the message in the console; the Connection log tab shows the envelope information. (For earlier versions of MailMarshal, you may need to locate the email message (.MML file) on disk and look for the "envelope" information at the bottom of the file.)

Once the "Reply to:" address is determined, block the domain rather than the single address. For example, suppose the sender's "Reply to:" address is listserv@server2.spammingdomain.com. Spammers frequently change the subdomain, so expect to see listserv@otherserver.spammingdomain.com next. The easiest way to cover both the domain itself and every subdomain is to use a wildcard in the User Group entry. Create two entries as follows:

spammingdomain.com
*.spammingdomain.com
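The following is an added example in Python, not MailMarshal code, that models the two points above: a Connection Policy rule sees only the SMTP envelope sender ("Mail From:"), so a block list has to be built from that address and not from the "From:" header, and the two User Group entries spammingdomain.com and *.spammingdomain.com together cover the domain and all of its subdomains. The SMTP transcript, the raw message and the matching rules (exact match for a full address or a bare domain, wildcard match for *.domain, null sender never matched) are constructed assumptions for the example; MailMarshal's own matching engine is not reproduced here.

```python
# Added example, not MailMarshal code: envelope sender vs. From: header,
# and block-list matching with the wildcard entries from the article.
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Constructed SMTP exchange as the receiving server sees it before DATA.
# A Connection Policy rule runs here: only the envelope is known so far.
SMTP_TRANSCRIPT = [
    "S: 220 mail.example.org ESMTP",
    "C: EHLO server2.spammingdomain.com",
    "S: 250 mail.example.org Hello",
    "C: MAIL FROM:<listserv@server2.spammingdomain.com>",
    "S: 250 2.1.0 Sender OK",
    "C: RCPT TO:<user@example.org>",
    "S: 250 2.1.5 Recipient OK",
    "C: DATA",
]

# Constructed raw message as stored after delivery. Return-Path: is written by
# the receiving server from MAIL FROM; From: is whatever the sender chose.
RAW_MESSAGE = b"""Return-Path: <listserv@server2.spammingdomain.com>
From: "Great Deals" <news@deals.example>
To: user@example.org
Subject: Free stuff inside

Click here.
"""

# User Group entries in the article's style. Assumed semantics: a full address
# blocks that address only, a bare domain blocks exactly that domain, and
# *.domain blocks every subdomain (but not the bare domain, hence two entries).
BLOCK_LIST = ["badperson@domain.com", "spammingdomain.com", "*.spammingdomain.com"]

MAIL_FROM_RE = re.compile(r"^C:\s*MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def envelope_sender(transcript):
    """Return the MAIL FROM address from the client side of an SMTP exchange.
    An empty string is the null sender (<>) used for bounces."""
    for line in transcript:
        m = MAIL_FROM_RE.match(line)
        if m:
            return m.group(1).strip().lower()
    raise ValueError("no MAIL FROM command in transcript")


def header_from_address(raw):
    """Bare address from the From: header of a raw message (what a client shows)."""
    msg = message_from_bytes(raw, policy=policy.default)
    return parseaddr(msg["From"] or "")[1].lower()


def return_path_address(raw):
    """Bare address from Return-Path:, i.e. the envelope sender after delivery."""
    msg = message_from_bytes(raw, policy=policy.default)
    return parseaddr(msg["Return-Path"] or "")[1].lower()


def entry_matches(entry, address):
    """Assumed User Group matching: exact address, exact domain, or *.domain."""
    if not address:          # null sender <>: nothing to match against
        return False
    entry, address = entry.lower(), address.lower()
    if "@" in entry:
        return entry == address
    domain = address.rpartition("@")[2]
    return fnmatchcase(domain, entry)   # '*' handles the subdomain wildcard


def is_blocked(address, block_list):
    return any(entry_matches(e, address) for e in block_list)


def connection_policy_decision(transcript, block_list):
    """Model of a 'Where addressed from' Connection Policy rule: it can only
    look at the envelope sender, never at the From: header."""
    sender = envelope_sender(transcript)
    return "block" if is_blocked(sender, block_list) else "accept"


if __name__ == "__main__":
    print("envelope sender :", envelope_sender(SMTP_TRANSCRIPT))
    print("From: header    :", header_from_address(RAW_MESSAGE))
    print("decision        :", connection_policy_decision(SMTP_TRANSCRIPT, BLOCK_LIST))
```

Running the script shows the envelope sender (listserv@server2.spammingdomain.com) being blocked by the *.spammingdomain.com entry even though the "From:" header (news@deals.example) matches nothing in the list; a rule built from the header address alone would not fire. Dropping the bare spammingdomain.com entry leaves mail from the parent domain itself unblocked, which is why the article asks for both entries.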


I don't know the "Reply to:" address. I don't have any emails to view.
To capture an email where the "Reply to:" address is unknown, set up a temporary archive rule that copies all incoming mail to an archive folder. Archiving does not affect the normal flow of mail; remove the rule once you have a sample of the unwanted message.

Alternatively, search the MailMarshal Receiver logs for the email in question and locate the "Mail From:" address that MailMarshal received from the unwanted source. As stated above, this is the "Reply to:" address.


Notes:

Connection Policy rules are known as Receiver Rules in earlier versions. You may notice some differences in function and user interface.  However, the above ideas still apply.

This article was previously published as:
NETIQKB29186
Marshal KB132

Last Modified 4/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10517.aspx