Messaging Gateway

Hi,

Can anybody help with a problem with the BATV test failing on our Brightmail system when a mail is received from a Microsoft Exchange distribution list? It is almost as if the distribution list is Replying to the list members rather than forwarding to list members but I don't know what to tell the guy to check as I'm not familiar with Exchange.

Alternatively does anyone know how to disable BATV tests on Brightmail for just one domain?

Many thanks in advance,

Derek

Hi Derek,

Is this Exchange 2007 or later? I know Microsoft is now following an RFC standard:
http://www.rfc-editor.org/rfc/rfc3798.txt

Basically all Message Disposition Notifications will use a "Null Sender" , could you please confirm if you see a "Null Sender" being used as the mail from in this case?

If that is the case, you will have to change the default BATV rule from Reject to "Deliver message normally" and probably deal with the verification with content filtering policies.

I would also recommend you to open a support case to further troubleshoot if that is the case.

Thank you,
Marco Bicca

Hi Mark,

They are using Exchange 2007 but I cant see Null Sender in the headers. This is a typical example of the headers I see in the Brightmail spam filter.

Received: from 194.73.96.56 by Spam Quarantine mta.bull.co.uk (194.73.96.56) ; Mon Feb 14 13:52:50 GMT 2011
X-auditid: c2496038-b7cdeae00000447d-53-4d5926a91457
Received: from ns1.bull.co.uk (ns1.bull.co.uk [194.73.96.50]) by mta.bull.co.uk (Symantec Mail Security) with SMTP id 34.F0.17533.9A6295D4; Mon, 14 Feb 2011 12:57:14 +0000 (GMT)
X-batvresult: fail
Received: from bmbcsweeper.barnsley.gov.uk (mailhost.barnsley.gov.uk [195.188.250.66]) by ns1.bull.co.uk (8.13.8/8.13.8) with ESMTP id p1ECvDhu001702; Mon, 14 Feb 2011 12:57:13 GMT
Received: from bmbcexchca.bmbcntd.barnsley.gov.uk (unverified) by bmbcsweeper.barnsley.gov.uk (Clearswift SMTPRS 5.4.0) with ESMTP id <T9b30a7c680ac16000c1614@bmbcsweeper.barnsley.gov.uk>; Mon, 14 Feb 2011 12:57:12 +0000
Received: from bmbcexch0.bmbcntd.barnsley.gov.uk ([128.1.5.21]) by bmbcexchca.bmbcntd.barnsley.gov.uk ([128.1.5.85]) with mapi; Mon, 14 Feb 2011 12:57:13 +0000
Thread-topic: test
Thread-index: AcvMRrIY1B9O9r8EQI+y+Pj0RirjQg==
Message-id: <18F7E79873EB57429721F0BCEB98299BF1E217B00D@bmbcexch0.bmbcntd.barnsley.gov.uk>
Accept-language: en-US, en-GB
Content-language: en-US
X-ms-has-attach: 
X-ms-tnef-correlator: 
Acceptlanguage: en-US, en-GB
Content-type: multipart/alternative; boundary="_000_18F7E79873EB57429721F0BCEB98299BF1E217B00Dbmbcexch0bmbc_"
Mime-version: 1.0
X-auto-response-suppress: DR, RN, NRN, OOF, AutoReply
X-bmi-source: external
X-brightmail-tracker: AAAAAQAAAAQ=
From: "Armitage , Rachel" <Rachel.Armitage@BullTCL.co.uk>
To: TCLManagement <TCLManagement@BullTCL.co.uk>
Date: Monday, Feb 14, 2011 12:57:12 PM GMT
Subject: [BOUNCE ATTACK] test

I have added the sender domain to our Good Senders but the Backscatter test still seems to get applied to them regardless. We may also have set up the backscatter protection incorrectly so if you can spot anything we have done wrong it would be greatly appreciated.

Many thanks.

Best Regards,

Derek

Hi Derek,

To properly use BATV you must have all Outbound traffic going through SBG, that way the signature is added.

So, my questions are:

1) Are these messages going from your domain to an external domain and coming back?
2) Did you configure the batv seed under the Control Center , certificates page?

Yes, good senders list will not help with BATV failed results, the only way to change the BATV action would be changing its default action from Reject to something else. Some people change that to "Deliver message normally" and then treat the results later with content policies looking for the header X-BATVResult = fail and some other conditions.

Thank you,
Marco

Hi Marco,

Yes to both questions. All our mails go outbound via SBG and we can get replies OK. The problem here is that this is not a reply. This is a new mail by the customer being sent from an Exchange Distribution List. I don't understand why Brightmail sees a new mail as a reply and hence checks for the prvs tag, I thought it would only check for a prvs tag on genuine replies.

Nevertheless I can change the default action easily to Deliver Normally and do content filtering but is Content Filtering ignored for Good Senders? If not then I don't see how this will help unless I can do conditional content filtering and say "if sender is good then delivery normally else hold in quarantine"

So the question now is

Does content filtering take place for Good Senders?

If not can I do conditional content filtering?

Many thanks once again for your help on this.

Best Regards,

Derek

Hi Derek,

Sorry for the delay.

Yes, we will still do content filtering, Good Senders will only bypass SPAM, unless you edit the Good Sender actions to bypass one specific content filtering policy or ALL.

The BATV check occurs way before content filtering so you will have to probably change that action from Reject so something else then yes, you can do conditional filtering, BATV will add a header X-BATVResult with the result on every message so you can create some conditions around that.

Thank you,
Marco Bicca