If someone attempts to send an email to our Protected Domain using a From: email address in our Protected Domain, the connection is blocked and an "SMTP auth required" entry shows up in the Connection Log along with just the source IP address.
The Connection Log in the ESG v7.6.2 does not have enough information to figure out what happened nor is it filterable or searchable for that response. This could either be a legitimate email coming in from a vendor that changed their IP address or someone trying to spoof our internal domain with a malicious email. You literally have to look at every single log entry and there are tens of thousands a day. Exporting the Connection Log does not give the reason for the block; that's why you have to look at each line.
If the Connection Log had sortable columns it would make this a bit easier but without the Reason being part of the table it is still too time-consuming to do.
A queue and a report would be best because we could look at the entire email to see what the sender is trying to do. Being able to see the From: address would be a big help.
Even just adding the Reason to the Connection Log table and making the columns sortable would help a lot.
Thanks for listening,
Ray
Websense support gave me a workaround. You can search the Connection Log for phrases "in the bubble". When the NDR is received, it says "SMTP authentication required". When you look in the bubble next to the Blocked message, it says "user authentication failed". So you can search the Connection Log for the word "authentication" and it finds what I was looking for.
For example, you can also search for "relay" and it will find source IPs trying to use you as an open relay.
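Added example, not from the original poster or from Websense: a small Python triage script that applies the keyword search described above ("authentication", "relay") to an exported Connection Log and groups the hits by source IP, so repeat offenders stand out and a vendor whose IP changed can be spotted and checked quickly. The column layout (timestamp, source_ip, status, reason) and the log lines are constructed for this example; the post notes that the real ESG v7.6.2 export does not include the reason, so it assumes the "bubble" text has been captured into a reason column by whatever means you have.

```python
from collections import Counter
import csv
import io

# Constructed sample export. The column layout is an assumption made for this
# example, not the actual ESG Connection Log export format. IPs are from
# documentation ranges (RFC 5737).
SAMPLE_LOG = """timestamp,source_ip,status,reason
2013-05-01 08:00:01,203.0.113.10,Blocked,user authentication failed
2013-05-01 08:00:05,198.51.100.7,Accepted,
2013-05-01 08:01:12,203.0.113.10,Blocked,user authentication failed
2013-05-01 08:02:30,192.0.2.44,Blocked,relay not permitted
2013-05-01 08:03:02,203.0.113.25,Blocked,user authentication failed
2013-05-01 08:04:15,198.51.100.7,Accepted,
2013-05-01 08:05:40,192.0.2.44,Blocked,relay not permitted
"""


def parse_log(text):
    """Parse the CSV export into a list of dicts, one per connection entry."""
    return list(csv.DictReader(io.StringIO(text)))


def find_by_reason(records, keyword):
    """Return entries whose reason text contains the keyword (case-insensitive),
    mirroring the Connection Log search for 'authentication' or 'relay'."""
    kw = keyword.lower()
    return [r for r in records if kw in (r.get("reason") or "").lower()]


def count_by_source_ip(records):
    """Count matching entries per source IP so repeat senders surface first."""
    return Counter(r["source_ip"] for r in records)


def triage(text, keywords=("authentication", "relay")):
    """For each keyword, list source IPs and hit counts, most frequent first.
    A single IP with many 'authentication' hits is worth checking against
    your known vendor addresses before treating it as a spoofing attempt."""
    records = parse_log(text)
    return {
        kw: count_by_source_ip(find_by_reason(records, kw)).most_common()
        for kw in keywords
    }


if __name__ == "__main__":
    for kw, hits in triage(SAMPLE_LOG).items():
        print(f"reason contains '{kw}':")
        for ip, n in hits:
            print(f"  {ip}: {n} blocked connection(s)")
```

Run against a real export, the per-IP counts do the sorting the poster asked for: an IP that appears once with "user authentication failed" and belongs to a vendor is a candidate for the vendor-IP-change case, while an unfamiliar IP with many hits is the one to look at more closely.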