Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2828
Views
0
Helpful
3
Replies

FQDN Added to Blacklist still not blocked...

Go to solution
mdube
Level 1
Level 1

‎04-09-2010 08:35 AM

Hello,

I'm adding FQDN in the Blacklist and users are still receiving emails from those FQDN...

For example, I've blocked organisationdutravail.com last week, but here is the message tracking from this week :

Results
Displaying 1 — 16 of 16 items.

1 08 Apr 2010 14:20 (GMT -04:00)  MID: 19670     Show Details  
  SENDER: fichiers@organisationdutravail.com 
RECIPIENT: ****REMOVED**** 
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes 
LAST STATE: Message 19670 to ****REMOVED****  received remote SMTP response '... 

2 08 Apr 2010 14:17 (GMT -04:00)  MID: 19666     Show Details  
  SENDER: fichiers@organisationdutravail.com 
RECIPIENT: ****REMOVED****
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes 
LAST STATE: Message 19666 to ****REMOVED****  received remote SMTP response 'ok:... 

3 08 Apr 2010 14:17 (GMT -04:00)  MID: 19665     Show Details  
  SENDER: fichiers@organisationdutravail.com 
RECIPIENT: ****REMOVED**** 
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes 
LAST STATE: Message 19665 to ****REMOVED****  received remote SMTP response '... 

4 08 Apr 2010 14:17 (GMT -04:00)  MID: 19664     Show Details  
  SENDER: fichiers@organisationdutravail.com 
RECIPIENT: ****REMOVED****
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes 
LAST STATE: Message 19664 to ****REMOVED****  received remote SMTP response '2.6....

And here is the full tracking of one of those emails :

08 Apr 2010 14:20:20 (GMT -04:00)  Protocol SMTP interface IncomingIP (IP ****REMOVED****) on incoming connection (ICID 175563) from sender IP 205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no. 
08 Apr 2010 14:20:20 (GMT -04:00)  (ICID 175563) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.8 
08 Apr 2010 14:20:20 (GMT -04:00)  Start message 19670 on incoming connection (ICID 175563). 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 enqueued on incoming connection (ICID 175563) from fichiers@organisationdutravail.com
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 on incoming connection (ICID 175563) added recipient (****REMOVED****). 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 contains message ID header '<6bdb6f64469b3af0006fc7b02bd2ec07@organisationdutravail.com>'
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 original subject on injection: Connaitre les nouvelles procedures aux douanes 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 (18352 bytes) from fichiers@organisationdutravail.com ready. 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 matched per-recipient policy DEFAULT for inbound mail policies. 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 encountered CASE down (1/10). Retry scanning in 12 seconds. 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Spam engine: CASE. Interim verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Spam engine: CASE. Final verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Virus engine. Final verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 queued for delivery. 
08 Apr 2010 14:20:38 (GMT -04:00)  SMTP delivery connection (DCID 10816) opened from IronPort interface ****REMOVED**** to IP address ****REMOVED**** on port 25. 
08 Apr 2010 14:20:38 (GMT -04:00)  (DCID 10816) Delivery started for message 19670 to ****REMOVED****. 
08 Apr 2010 14:20:38 (GMT -04:00)  (DCID 10816) Delivery details: Message 19670 sent to ****REMOVED****
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 to ****REMOVED**** received remote SMTP response '2.6.0 <6bdb6f64469b3af0006fc7b02bd2ec07@organisationdutravail.com> Queued mail for delivery'.

We can see that the address is considered as an UNKNOWN sender and not a BLACKLIST... What's up with that?

Thanks for you help!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dzavasni
Level 1
Level 1

‎04-09-2010 08:57 AM

Looks like you're receiving communication from a different server:

organisationdutravail.com's MX records point to:


organisationdutravail.com. 900  IN      MX      10 q1.netfirms.com.
organisationdutravail.com. 900  IN      MX      10 q0.netfirms.com.

who's IP's point to:

q1.netfirms.com.        1551    IN      A       70.35.17.139
q1.netfirms.com.        1551    IN      A       70.35.17.171
q1.netfirms.com.        1551    IN      A       70.35.17.203
q1.netfirms.com.        1551    IN      A       70.35.17.235
q1.netfirms.com.        1551    IN      A       70.35.17.11
q1.netfirms.com.        1551    IN      A       70.35.17.43
q1.netfirms.com.        1551    IN      A       70.35.17.75
q1.netfirms.com.        1551    IN      A       70.35.17.107


However you're receiving communication from 205.237.40.104 which doesn't match any of the above.
I suspect someone is spoofing organisationdutravail.com's domain. I would suggest blacklisting by IP address instead of FQDN

View solution in original post

0 Helpful
3 Replies 3

Go to solution
dzavasni
Level 1
Level 1

‎04-09-2010 08:57 AM

Looks like you're receiving communication from a different server:

organisationdutravail.com's MX records point to:


organisationdutravail.com. 900  IN      MX      10 q1.netfirms.com.
organisationdutravail.com. 900  IN      MX      10 q0.netfirms.com.

who's IP's point to:

q1.netfirms.com.        1551    IN      A       70.35.17.139
q1.netfirms.com.        1551    IN      A       70.35.17.171
q1.netfirms.com.        1551    IN      A       70.35.17.203
q1.netfirms.com.        1551    IN      A       70.35.17.235
q1.netfirms.com.        1551    IN      A       70.35.17.11
q1.netfirms.com.        1551    IN      A       70.35.17.43
q1.netfirms.com.        1551    IN      A       70.35.17.75
q1.netfirms.com.        1551    IN      A       70.35.17.107


However you're receiving communication from 205.237.40.104 which doesn't match any of the above.
I suspect someone is spoofing organisationdutravail.com's domain. I would suggest blacklisting by IP address instead of FQDN
0 Helpful

Go to solution
mdube
Level 1
Level 1
In response to dzavasni

‎04-09-2010 11:07 AM

You are right, shame on me for not having looked at the IPs before posting...

Thanks a lot!

0 Helpful

Go to solution
dzavasni
Level 1
Level 1
In response to mdube

‎04-09-2010 01:26 PM

No problem. Glad to help!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents