Connection to Earthlink mail servers blocked by Snort

Stephen Carville — Fri, 20 Dec 2019 17:19:48 GMT

I received a complaint from a user who cannot send from his corporate email account to his Earthlink mail account. After tracing all the steps where a connection could be blocked, I isolated it to the firepower. Apparently Snort believes the server as a bad reputation.

I checked a few IPs on Talos and they are (or were) definitely blacklisted. EG:

https://talosintelligence.com/reputation_center/lookup?search=207.69.189.229

Interestingly enough, if I check by the corresponding machine name, it comes back as trusted.

https://talosintelligence.com/reputation_center/lookup?search=mx6.earthlink.net

This is a new one on me. Is this a Cisco or Earthlink problem and is there a way to whitelist just the relevant MX IPs?

Sample Trace

-- packet-tracer input DMZ-INT tcp 198.204.112.74 54321 207.69.189.229 25)

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 198.204.115.1 using egress ifc OUTSIDE-INT

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc DMZ-INT object-group mta-dmz any4 eq smtp rule-id 268435642
access-list CSM_FW_ACL_ remark rule-id 268435642: ACCESS POLICY: RR-CO-AC - Default
access-list CSM_FW_ACL_ remark rule-id 268435642: L7 RULE: acl_dmz1#64
object-group network mta-dmz
description: MTAs in the DMZ
network-object 198.204.112.74 255.255.255.255
network-object 172.21.6.10 255.255.255.255
network-object 198.204.112.91 255.255.255.255
network-object 172.21.6.72 255.255.255.255
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-198.204.112.0
nat (DMZ-INT,OUTSIDE-INT) static obj-198.204.112.0
Additional Information:
Static translate 198.204.112.74/54321 to 198.204.112.74/54321

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 619176969, packet dispatched to next module

Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 580167530
Session: new snort session
Reputation: packet blacklisted, drop
Snort: processed decoder alerts or actions queue, drop
Snort detect_sdrop: gid 136, sid 1, drop
Snort id 5, NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by SI/Reputation
Snort Verdict: (black-list) black list this flow

Result:
input-interface: DMZ-INT
input-status: up
input-line-status: up
output-interface: OUTSIDE-INT
output-status: up
output-line-status: up
Action: drop
Drop-reason: (reputation) Blocked or blacklisted by the reputation preprocessor

Re: Connection to Earthlink mail servers blocked by Snort

nspasov — Tue, 24 Dec 2019 20:01:44 GMT

There a few things to mention here:

You can always submit a dispute directly from the TALOS page
I checked that IP in both Umbrella Investigate and VirtusTotal and both are reporting several malware samples associated with it:
- Virus Total:
  - https://www.virustotal.com/gui/ip-address/207.69.189.229/details
- Umbrella Investigate:
  - I cannot post a link since you need an account with Umbrella investigate. So, if you have one feel free to do the search
This particular IP appears to be assigned to Roswell High School. Thus, the issue is not with the Service Provider but the actual consumer of the IP.

I hope this helps!

Thank you for rating helpful posts!

Re: Connection to Earthlink mail servers blocked by Snort

Stephen Carville — Thu, 26 Dec 2019 22:09:45 GMT

I checked Umbrella and it verified the MX IPs have been associated with malware recently so it looks like the blacklisting was justified. However, it seems to be lifted -- at least for the time being -- so the user can send emails normally.

The bit about Roswell High School is a little weird. I wonder if it is just a joke.

Anyway, thanks for the help.

Re: Connection to Earthlink mail servers blocked by Snort

nspasov — Fri, 27 Dec 2019 04:34:10 GMT

I was simply relying on the info from ARIN which shows Roswell High School as the owner of the IP with registration dating back to 1999. I suppose the info could be wrong but I have no better methods/tools that are free to check this 🙂

https://rdap.arin.net/registry/ip/207.69.189.224

Thank you for rating helpful posts!

topic Re: Connection to Earthlink mail servers blocked by Snort in Network Security

Connection to Earthlink mail servers blocked by Snort

Re: Connection to Earthlink mail servers blocked by Snort

Re: Connection to Earthlink mail servers blocked by Snort

Re: Connection to Earthlink mail servers blocked by Snort