IPS Exclusion based on email sender address?

biskit · ‎2021-04-15

IPS has blocked an email. Here is the (anonymised) log entry. I need to allow this "dodgy" email but I only from the technologysupport@kXXXXX.com senders address. I don't want to just exclude that protection for everybody just so that one email account can send those emails. Is there a way?

Id:                           6703261e-65fe-23c7-6078-0aa800000021
Marker:                       @A@@B@1618474929@C@1371603
Log Server Origin:            172.21.1.201
Time:                         2021-04-15T09:43:04Z
Interface Direction:          inbound
Interface Name:               eth2.104
Id Generated By Indexer:      false
First:                        false
Sequencenum:                  15
Source:                       11.11.11.148
Attack Name:                  SMTP Protection Violation
Attack Information:           Suspicious Mail Attachment Containing JavaScript Code
Protection Name:              Suspicious Mail Attachment Containing JavaScript Code
Protection ID:                asm_dynamic_prop_JS_SMTP_ATTACH
Severity:                     Critical
Confidence Level:             Medium
Performance Impact:           Medium
Protection Type:              IPS
Description Url:              JS_SMTP_ATTACH_help.html
Threat Prevention Policy:     KXXXXXX
Threat Prevention Policy Date:2021-04-15T03:06:39Z
Source Port:                  13958
Destination:                  192.168.0.20
Destination Port:             25
IP Protocol:                  6
Session Identification Number:0x60780aa8,0x21,0x1e260367,0xc723fe65
Policy Rule UID:              7ca29d9b-d654-45f1-9b2f-f5fc470115ce
Threat Prevention Rule Id:    6063A9A0-85EC-4502-9F02-056E6032D9FA
Log ID:                       2
Destination Machine Name:     swrn20ex01@local.kXXXXX.com
Mime From:                    technologysupport@kXXXXX.com
Mime To:                      technologysupport@kXXXXX.com
Content Type:                 application/x-zip-compressed; name="ExportObject_BO.zip"
Subject:                      Message Stopped by Attachment Management (Inbound): Block Unknown Attachments
Suppressed Logs:              4
Sent Bytes:                   0
Received Bytes:               4576
Last Update Time:             2021-04-15T09:59:11Z
Action:                       Prevent
Packet Capture:               Packet Capture
Type:                         Alert
Policy Name:                  kXXXXX
Policy Management:            sldnfw01
Db Tag:                       {CB8EC3EC-A4DB-1D4D-A0F1-CAADDA4377EB}
Policy Date:                  2021-04-13T07:25:46Z
Blade:                        IPS
Origin:                       Firewall-A
Service:                      TCP/25
Product Family:               Threat
Access Rule Name:             Bypass Messagelabs
Interface:                    eth2.104
Description:                  Prevented suspicious mail attachment containing javascript code originating from 11.11.11.148 against 192.168.0.20
Packet Capture Unique Id:     11.11.11.148_maildir_sent_new_time1618479793.mail-3236757407-248259954.localhost, 11.11.11.148_maildir_sent_new_time1618479801.mail-1347609169-1106822874.localhost, 11.11.11.148_maildir_sent_new_time1618480699.mail-3701607784-950347637.localhost
Packet Capture Time:          1618479793, 1618479801, 1618480699
Packet Captures:              src-11.11.11.148.cap, src-11.11.11.148.cap, src-11.11.11.148.cap
Threat Profile:               KXXXXX_IPS
Bytes (sent\received):        0 B \ 4.5 KB

Timothy_Hall · ‎2021-04-16

I don't think you can get down to that level of granularity with an IPS exception; the best you could do is set up an exception for their MX 11.11.11.148 (and any other ones they have) and then specify the "Suspicious Mail Attachment Containing JavaScript Code" signature.

You can determine their inbound MX systems yourself as shown below; bear in mind these may not necessarily reflect what their outbound MX systems will be, but it is a good starting point:

# nslookup
Default Server: unknown
Address: 172.31.128.1

> set type=mx
> gmail.com
Server: unknown
Address: 172.31.128.1

Non-authoritative answer:
gmail.com MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com
gmail.com MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com
gmail.com MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com
gmail.com MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com

alt1.gmail-smtp-in.l.google.com internet address = 173.194.77.26
alt2.gmail-smtp-in.l.google.com internet address = 173.194.219.27
gmail-smtp-in.l.google.com AAAA IPv6 address = 2607:f8b0:4001:c16::1b
alt3.gmail-smtp-in.l.google.com internet address = 172.217.197.27

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Are you a member of CheckMates?

IPS Exclusion based on email sender address?