IPS Exclusion based on email sender address?

IPS has blocked an email.  Here is the (anonymised) log entry.  I need to allow this "dodgy" email, but only from the sender's address.  I don't want to just exclude that protection for everybody just so that one email account can send those emails.  Is there a way?



Id:                           6703261e-65fe-23c7-6078-0aa800000021
Marker:                       @A@@B@1618474929@C@1371603
Log Server Origin:  
Time:                         2021-04-15T09:43:04Z
Interface Direction:          inbound
Interface Name:               eth2.104
Id Generated By Indexer:      false
First:                        false
Sequencenum:                  15
Attack Name:                  SMTP Protection Violation
Attack Information:           Suspicious Mail Attachment Containing JavaScript Code
Protection Name:              Suspicious Mail Attachment Containing JavaScript Code
Protection ID:                asm_dynamic_prop_JS_SMTP_ATTACH
Severity:                     Critical
Confidence Level:             Medium
Performance Impact:           Medium
Protection Type:              IPS
Description Url:              JS_SMTP_ATTACH_help.html
Threat Prevention Policy:     KXXXXXX
Threat Prevention Policy Date:2021-04-15T03:06:39Z
Source Port:                  13958
Destination Port:             25
IP Protocol:                  6
Session Identification Number:0x60780aa8,0x21,0x1e260367,0xc723fe65
Policy Rule UID:              7ca29d9b-d654-45f1-9b2f-f5fc470115ce
Threat Prevention Rule Id:    6063A9A0-85EC-4502-9F02-056E6032D9FA
Log ID:                       2
Destination Machine Name:
Mime From:          
Mime To:            
Content Type:                 application/x-zip-compressed; name=""
Subject:                      Message Stopped by Attachment Management (Inbound): Block Unknown Attachments
Suppressed Logs:              4
Sent Bytes:                   0
Received Bytes:               4576
Last Update Time:             2021-04-15T09:59:11Z
Action:                       Prevent
Packet Capture:               Packet Capture
Type:                         Alert
Policy Name:                  kXXXXX
Policy Management:            sldnfw01
Db Tag:                       {CB8EC3EC-A4DB-1D4D-A0F1-CAADDA4377EB}
Policy Date:                  2021-04-13T07:25:46Z
Blade:                        IPS
Origin:                       Firewall-A
Service:                      TCP/25
Product Family:               Threat
Access Rule Name:             Bypass Messagelabs
Interface:                    eth2.104
Description:                  Prevented suspicious mail attachment containing javascript code originating from against
Packet Capture Unique Id:,,
Packet Capture Time:          1618479793, 1618479801, 1618480699
Packet Captures:              src-, src-, src-
Threat Profile:               KXXXXX_IPS
Bytes (sent\received):        0 B \ 4.5 KB



0 Kudos
1 Reply

I don't think you can get down to that level of granularity with an IPS exception; the best you could do is set up an exception for their MX (and any other ones they have) and then specify the "Suspicious Mail Attachment Containing JavaScript Code" signature.

You can determine their inbound MX systems yourself as shown below; bear in mind these may not necessarily reflect what their outbound MX systems will be, but it is a good starting point:

# nslookup
Default Server: unknown

> set type=mx
Server: unknown

Non-authoritative answer:
MX preference = 40, mail exchanger =
MX preference = 10, mail exchanger =
MX preference = 20, mail exchanger =
MX preference = 5, mail exchanger =
MX preference = 30, mail exchanger =
internet address =
internet address =
AAAA IPv6 address = 2607:f8b0:4001:c16::1b
internet address =

"Max Capture: Know Your Packets" Video Series
now available at
0 Kudos
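As an added example that is not part of the original reply, the following POSIX shell script does what the interactive nslookup session above does, but in a repeatable way: it lists a domain's MX hosts ordered by preference and resolves each one to its A and AAAA records, which gives the host objects an IPS exception for the single "Suspicious Mail Attachment Containing JavaScript Code" protection can be scoped to. It assumes `dig` (BIND utilities) is installed; `example.net` and the function names are placeholders chosen here, not anything from the thread. The reply's caveat still applies: the hosts that receive a domain's mail are not necessarily the ones that send it, so verify the result against the source IPs seen in the actual IPS logs before building the exception.

```shell
#!/bin/sh
# Added example, not code from the original thread. Automates the nslookup
# lookup shown in the reply: MX hosts of a domain ordered by preference,
# each resolved to its A/AAAA records, as input for a narrowly scoped IPS
# exception. Assumes `dig` is on PATH; the domain argument is a placeholder.

# parse_mx: read "<pref> <host>" lines as printed by `dig +short MX` on stdin,
# strip the trailing dot, drop malformed lines, sort by preference (lowest,
# i.e. most preferred, first) and remove duplicates.
parse_mx() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { sub(/\.$/, "", $2); print $1, $2 }' \
        | sort -n -k1,1 | uniq
}

# only_addresses: keep lines that are IPv4 dotted quads or IPv6 literals,
# discarding the CNAME targets that `dig +short` prints alongside an answer.
only_addresses() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]+$' || true
}

# mx_hosts: MX records of a domain, cleaned up (network call).
mx_hosts() {
    dig +short MX "$1" | parse_mx
}

# resolve_host: IPv4 and IPv6 addresses of one host, one per line (network call).
resolve_host() {
    { dig +short A "$1"; dig +short AAAA "$1"; } | only_addresses
}

# mx_addresses: print "<pref> <host> <address>" for every MX of the domain.
mx_addresses() {
    mx_hosts "$1" | while read -r pref host; do
        resolve_host "$host" | while read -r addr; do
            printf '%s %s %s\n' "$pref" "$host" "$addr"
        done
    done
}

# Usage: sh mx_exception_hosts.sh example.net
if [ "$#" -gt 0 ]; then
    mx_addresses "$1"
fi
```

Run it with the sender's domain as the only argument; each output line is one preference/host/address triple, so the addresses can be added as host objects and used as the source of an exception that names just this protection, rather than disabling the protection globally.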