MBF Knowledge Base

How to add a drilldown entry in Message Sniffer

The GBUdbIgnoreList.txt file does not understand CIDR or wildcards. That's because GBUdb doesn't understand them either - each GBUdb record represents exactly one IP address.

The drilldown feature lets GBUdb learn automatically which IPs to ignore as infrastructure: it matches the message source candidates found in Received headers against specific patterns, and the IP from a matching header is recorded with the Ignore flag.

The <drilldown> section of the configuration file contains a list of pattern definitions that describe received headers that will contain IPs that should be ignored. Each pattern is represented by a <received/> entry.

With the drilldown feature you can ignore IP blocks, and you can ignore friendly servers by reverse DNS (matching the host name that the receiving server recorded in the Received header instead of the address). Only the IP block case is shown below.

If you want to ignore an entire block of IPs without making a GBUdbIgnoreList.txt entry for each one, the efficient way is to add a drilldown entry whose find pattern is the partial IP that the whole block shares. For example, to ignore any message source in the block 12.34.56.0/24 you could create a drilldown entry like the following:

<received ordinal='0' find='[12.34.56.' />

The result is that whenever a server delivers a message from that IP block, the top (ordinal 0) Received header contains that pattern, and the IP from that Received header is automatically added to GBUdb with the Ignore flag. The leading '[' and trailing '.' in the pattern matter: find is a substring match, so a pattern of '12.34.56.' on its own would also match a source such as 112.34.56.7. For the same reason a partial IP pattern can only describe blocks that end on an octet boundary (/8, /16 or /24); a block such as a /20 needs one entry for each /24 it contains.

Note that if the pattern appears in any other Received header, nothing happens: each pattern is checked only against the header at its own ordinal. This is what makes forged Received headers containing the pattern harmless, presuming the header directive is coded properly so that the header at ordinal 0 is one written by a server you control rather than one supplied by the sender.
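The following is an added illustration of the ordinal rule described above, not Message Sniffer's or GBUdb's own code. It models the article's `<received ordinal='0' find='[12.34.56.' />` entry as a Python dict, unfolds the Received headers of a raw message, applies each pattern only to the header at its ordinal, and records the matched source IP in a stand-in for GBUdb. The three sample messages, the host names and the addresses other than the 12.34.56.0/24 block are constructed for the example; the "sloppy" pattern without the leading '[' is included only to show why that character bounds the match.

```python
import re
from typing import Optional

# Drilldown entry from the article, as a plain dict (assumed representation,
# not Message Sniffer's configuration parser).
DRILLDOWN_PATTERNS = [{"ordinal": 0, "find": "[12.34.56."}]

# Contrast only: the same pattern without the leading '[' (assumed, not from the page).
SLOPPY_PATTERNS = [{"ordinal": 0, "find": "12.34.56."}]

# First bracketed IPv4 literal in a Received header is treated as the source candidate.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw_message: str) -> list:
    """Return the header block as logical (unfolded) header lines.

    RFC 5322 continuation lines (leading whitespace) are joined onto the
    preceding header. Parsing stops at the first blank line.
    """
    headers = []
    for line in raw_message.split("\n"):
        if line == "":
            break
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def received_headers(raw_message: str) -> list:
    """Received: headers in order of appearance; index 0 is the top-most header,
    i.e. the one written by the last hop (ordinal 0 in drilldown terms)."""
    return [h for h in unfold_headers(raw_message) if h.lower().startswith("received:")]


def drilldown_ignore_ips(raw_message: str, patterns=DRILLDOWN_PATTERNS) -> list:
    """Apply each pattern to the Received header at its ordinal only and return
    the source IPs that would be learned with the Ignore flag. A pattern found
    in any other Received header is never consulted, so a forged header lower
    in the chain cannot trigger the rule."""
    recv = received_headers(raw_message)
    to_ignore = []
    for pat in patterns:
        if pat["ordinal"] >= len(recv):
            continue
        header = recv[pat["ordinal"]]
        if pat["find"] in header:  # plain substring match, as the article describes
            match = IPV4_IN_BRACKETS.search(header)
            if match:
                to_ignore.append(match.group(1))
    return to_ignore


class GBUdbStub:
    """Minimal stand-in for GBUdb: exactly one record per IP, holding a flag."""

    def __init__(self) -> None:
        self.records = {}

    def learn_drilldown(self, raw_message: str, patterns=DRILLDOWN_PATTERNS) -> None:
        for ip in drilldown_ignore_ips(raw_message, patterns):
            self.records[ip] = "Ignore"

    def flag(self, ip: str) -> Optional[str]:
        return self.records.get(ip)


# Constructed samples. mx.example.net is the receiving MX; 12.34.56.0/24 is the
# trusted block from the article.
MSG_FROM_BLOCK = (
    "Received: from relay1.example.net (relay1.example.net [12.34.56.78])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4F2A1\n"
    "\tfor <user@example.net>; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Received: from [192.168.1.10] by relay1.example.net with ESMTP\n"
    "Subject: from the block\n"
    "\n"
    "body\n"
)

# Real source is 203.0.113.9; the second Received header is forged by the sender
# and carries the infrastructure pattern.
MSG_FORGED = (
    "Received: from spam.example.org (unknown [203.0.113.9])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4F2A2\n"
    "Received: from relay1.example.net (relay1.example.net [12.34.56.78])\n"
    "\tby spam.example.org with ESMTP\n"
    "Subject: forged\n"
    "\n"
    "body\n"
)

# Source 112.34.56.7 shares the substring '12.34.56.' but is outside the block.
MSG_LOOKALIKE = (
    "Received: from other.example.com (other.example.com [112.34.56.7])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4F2A3\n"
    "Subject: lookalike\n"
    "\n"
    "body\n"
)
```

Running `drilldown_ignore_ips` over the three samples shows the behaviour the article describes: the message from the block yields 12.34.56.78 for the Ignore flag, the forged message yields nothing because the pattern sits at ordinal 1, and the look-alike yields nothing with the bracketed pattern but would be wrongly learned as 112.34.56.7 with the sloppy one.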