Solved

Cisco Ironport ESA Not Showing From Header in Message Tracking Logs

Posted on 2014-09-05
Last Modified: 2014-12-18
I have a Cisco IronPort C370 appliance, AsyncOS version 7.6.3-019. I noticed in the Message Tracking Details logs that there is no From field in the message header. Instead there is "Envelope Sender". The issue we are seeing is that if a recipient in our Exchange 2010 environment receives certain e-mails, they contain a From header and will show one e-mail address, for example bob@abccompany.com. However, in some cases, I see that the message tracking details do not contain any reference to the bob@abccompany.com e-mail address; instead they show a completely different e-mail domain under the Envelope Sender. This is especially the case when some automated systems/mailing companies are used to send e-mail.

The problem is, users report to us that they aren't receiving e-mail from bob@abccompany.com, yet when we search the message tracking logs for bob@abccompany.com, it yields no results. So we are not able to effectively troubleshoot or add domain exclusions for abccompany.com.

Any ideas if this is by design on the Cisco IronPort ESA appliances? How can we get around this issue? Is there any way to display the From header?

Thank you in advance.
Question by:fireguy1125
 
LVL 63

Expert Comment

by:btan
ID: 40307486
Seeing an NDR msg is another hint on mail delivery, which caused an empty envelope sender address: https://supportforums.cisco.com/discussion/12127601/envelope-sender-no-sender

Here is one means using grep to locate the original sender's IP (instead of email address), of course provided it exists. May want to have another try at searching for the sender, the recipient or the Subject. https://supportforums.cisco.com/discussion/11227366/finding-sender

IronPort mail log events are given acronyms. The most important events are ICID (Injection Connection ID) > MID (Message ID) > RID (Recipient ID) > DCID (Delivery Connection ID). Some notes:
- An 'ICID 0' defines a message that was injected from itself. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loop address of the device.
- A 'DCID 0' defines a message that was never sent out. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loop address of the device.

For Exchange, can try exporting the log into CSV and searching there as well, for sender and clientip:
http://blogs.technet.com/b/exchange/archive/2008/12/01/3406581.aspx

Also there is a quite similar case, but it is mainly about checking the email client view, rules etc., and also:
Check that the GAL has the correct email address
Check that their personal Contact List has the correct email address
Check that the user and/or AutoComplete has the correct user's email address.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27584172.html
 
LVL 1

Author Comment

by:fireguy1125
ID: 40351414
I'm not seeing in your reply how I can have Ironport log the "From" field, if it is even possible?
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40351487
Based on the extract there is "From", and wondering if this is the one instead: https://supportforums.cisco.com/discussion/11227366/finding-sender
MID (Message ID): Once a connection is established, each successful SMTP "mail from:" command creates a new MID. A single MID can spawn many RIDs.

Do you want to paginate the output? [N]>

Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bob@example10.com>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To: <nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Message-ID '<4o8836$30@mail.example.com>'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 ready 23 bytes from <bob@example10.com>
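
As an added example (not part of the original thread and not Cisco's code): the `From:` line in this log format records the SMTP "mail from:" (envelope sender), so one way to find the address to search or whitelist is to group an exported mail log by MID and look the message up by recipient or Subject. The function names, the MID 97 lines and `mailer.example.net` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: MID 96 is the excerpt quoted above, MID 97 is made up
# to mimic a bulk mailer whose envelope sender differs from the visible From.
SAMPLE_LOG = """\
Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bob@example10.com>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To: <nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Message-ID '<4o8836$30@mail.example.com>'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:43:10 2006 Info: Start MID 97 ICID 10395
Fri Feb 3 15:43:10 2006 Info: MID 97 ICID 10395 From: <bounce-7731@mailer.example.net>
Fri Feb 3 15:43:11 2006 Info: MID 97 ICID 10395 RID 0 To: <nasir@example.com>
Fri Feb 3 15:43:12 2006 Info: MID 97 Subject 'ABC Company newsletter'
"""

MID_RE = re.compile(r"\bMID (\d+)\b")
# Patterns are anchored to the text right after "MID <n>", so a Subject that
# happens to contain "From: <...>" cannot overwrite the envelope sender.
FIELDS = {
    "envelope_sender": re.compile(r"^ ICID \d+ From: <([^>]*)>"),
    "recipients": re.compile(r"^ ICID \d+ RID \d+ To: <([^>]*)>"),
    "subject": re.compile(r"^ Subject '(.*)'$"),
    "message_id": re.compile(r"^ Message-ID '(.*)'$"),
}

def parse_mail_log(text):
    """Group log lines by MID and pull out the per-message fields."""
    messages = defaultdict(lambda: {"recipients": []})
    for line in text.splitlines():
        mid = MID_RE.search(line)
        if mid:
            record, rest = messages[int(mid.group(1))], line[mid.end():]
            for name, pattern in FIELDS.items():
                m = pattern.match(rest)
                if m and name == "recipients":
                    record[name].append(m.group(1).lower())
                elif m:
                    record[name] = m.group(1)
    return dict(messages)

def envelope_senders(messages, recipient=None, subject_contains=None):
    """Return {MID: envelope sender} for messages matching the given filters."""
    hits = {}
    for mid, rec in messages.items():
        ok_rcpt = not recipient or recipient.lower() in rec["recipients"]
        ok_subj = not subject_contains or subject_contains.lower() in rec.get("subject", "").lower()
        if ok_rcpt and ok_subj:
            hits[mid] = rec.get("envelope_sender", "")
    return hits
```

An empty string as the envelope sender corresponds to a `From: <>` line, which is how bounces (NDRs) appear.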