DNS List and SBRS None, One or the other

kbrown.it

I am trying to set up DNS Lists to do a DNS Blocklist in IronPort. An issue I keep running into is that some of the IPs that are on the DNS Blocklist keep coming up with "sbrs[none] SBRS None". It appears that it is one or the other with the SBRS and DNS List (meaning either match the SBRS or the DNS List), so if it doesn't have an SBRS then it will not do the DNS Blocklist check and ends up hitting UNKNOWNLIST (which has a check box checked for None under SBRS). If I check that under the BLACKLIST, or a new one I created without any SBRS numbers listed, it will block all of the SBRS None without even checking it against the Blocklist. Is there a way to force the IronPort to check the DNS List and continue to the next rule if it is not listed, even if the site has an SBRS of None?

We are running a C100V on Version 10.0.3-004. DNS are internal and looking at Root DNS Servers.


18 Replies

kbrown.it

An example is IP Address 151.106.29.231. Below is what I see in mail.current:

Fri Apr 27 11:11:09 2018 Info: New SMTP ICID 3710080 interface Public (172.30.XXX.XXX) address 151.106.29.231 reverse dns host unknown verified no
Fri Apr 27 11:11:09 2018 Info: ICID 3710080 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None

Looking in Talos, it has a poor Email Reputation (https://www.talosintelligence.com/reputation_center/lookup?search=151.106.29.231). If you look at the Blacklists, you see it says Not Listed next to sbl.spamhaus.org (in my DNS List, I am using zen.spamhaus which checks sbl, pbl, and xbl all in one list). When you click the link for sbl.spamhaus.org, it says the IP is listed in sbl (https://www.spamhaus.org/query/ip/151.106.29.231).

I am not sure what log to look at to see if I have issues with DNS lookup.

Hello Kbrown.it

Which Sendergroup did you add the DNS list into if i may ask?
I suspect the "none" results which are being seen, due to the lack of an SBRS lookup being done, are taking precedence over the DNS list.

To see if you're having issues on DNS lookup, you can check the system_logs on the ESA and verify if there are server issues on connectivity.

Thanks,
Matthew

Mathew,

I put the DNS List into the BLACKLIST Sender Group. I did change the DNS settings a little bit: instead of using our Internal DNS it is now using the Root DNS Servers (that change was done this morning 4/30). I put in an override for our Internal DNS Servers.

I also set up a Sender Group without a SenderBase Reputation Score that has the DNS List as well and is set to Block as well.

Hey Kbrown.it,

How is that setup working for you at the moment?

Logically, if the sender is matching the DNS list and SBRS has no score (or has [none]) and there's no sendergroup for which you had ticked 'match if none', then it should fall into the DNS list sendergroup.

Regards,

Mathew

Waiting to see what our Security Analysts see coming through email. A number of IPs they gave us were on a block list, so that is why we are trying to use a block list to stop those from coming in.

We do have a group that has None checked. I am not sure if it is default or not, but it is the UNKNOWNLIST. See below:

Order) Sender Group - SenderBase Reputation Score - Mail Flow Policy - DNS List

1) WHITELIST - Not in Use - TRUSTED - None

2) DNSBL - Not in Use - BLOCKED - Spamhaus and Sorbs DNS List

3) BLACKLIST - -10 to -3.0 - BLOCKED - Spamhaus and Sorbs DNS List

4) SUSPECTLIST - -3.0 to -1.0 - THROTTLED - None

5) UNKNOWNLIST - -1.0 to 10 and None - ACCEPTED - None

Default) ALL - Not in Use - ACCEPTED - None

With this setup, I see the block list hitting on DNSBL (which is fine), but I also see blocks happening at BLACKLIST when it does have an SBRS and is not listed on the block list (this is also fine). If they aren't listed in the WHITELIST, then they are hitting on UNKNOWNLIST (and rarely on SUSPECTLIST). For the most part, the setup is default (except for the DNSBL), but I don't know if the None for SBRS in UNKNOWNLIST is default or if that is something that was added. I am guessing if I remove the SBRS None from UNKNOWNLIST, then it should hit on the default ALL Sender Group if there is no SBRS, correct? I guess I am not sure why having the SBRS None checked on a Sender Group that is later in the list will cause the block Sender Groups to be skipped if it matches an IP on the DNS List (unless it runs through the HAT multiple times).

Hello kbrown.it,



The 'none' box should not be checked by default, it would have been a manual intervention to enable that check for a Sender Group.



Regards,

Matthew


I removed the SBRS None from the Unknown, but it still doesn't do a DNS List Lookup on IPs that do not have an SBRS number. I just had one come in that is listed on Zen.Spamhaus.org (https://www.spamhaus.org/query/ip/23.254.159.227) and the IronPort let it through because of the SBRS None (see below).

Wed May 2 09:58:42 2018 Info: New SMTP ICID 3732932 interface Public (172.xxx.xxx.xxx) address 23.254.159.227 reverse dns host unknown verified no
Wed May 2 09:58:42 2018 Info: ICID 3732932 ACCEPT SG None match ALL SBRS None

As I mentioned before, if the SBRS is None then it does not check the DNS Lists. Last time I marked the BLACKLIST with SBRS None, most of the emails were hitting it. I believe it will be better now since I am using root DNS lookups, but it is still one or the other (either hitting SBRS None, or it has an SBRS and gets caught by the DNS List).

Hello kbrown.it,



Currently is your ESA able to query these dnslists configured?

Can I get the DNS list configuration you entered as well?



Thank you,

Matthew


Yes, it is able to query the DNS List. I have seen emails blocked by the rules with the DNS List in it, but they had an SBRS number as well. Below is the DNS List I am using:

zen.spamhaus.org, nomail.rhsbl.sorbs.net, bl.spamcop.net, cbl.abuseat.org

Again, here is an example of one passing the DNS List in the BLACKLIST and DNSBL (Custom) HAT Sender Groups (WHITELIST is 1st, DNSBL is 2nd, and BLACKLIST is 3rd; details were posted in an earlier post).

Wed May 2 09:58:42 2018 Info: New SMTP ICID 3732932 interface Public (172.xxx.xxx.xxx) address 23.254.159.227 reverse dns host unknown verified no
Wed May 2 09:58:42 2018 Info: ICID 3732932 ACCEPT SG None match ALL SBRS None

And here is one that was blocked by DNSBL:

Wed May 2 09:57:08 2018 Info: New SMTP ICID 3732912 interface Public (172.xxx.xxx.xxx) address 31.172.89.144 reverse dns host unknown verified no
Wed May 2 09:57:08 2018 Info: ICID 3732912 REJECT SG DNSBL match dnslist[zen.spamhaus.org] SBRS -1.9

This is also a good example of the DNSBL rule I created, as the SBRS is not in use in that rule; otherwise this would have been hit by the SUSPECTLIST (SBRS -3.0 to -1.0). Between the two logs, the issue is that the one that is passing the DNS List does not have an SBRS listed with the IP Address (not sure if it failed to get it or truly does not have one). According to Talos, it is poor so it should have an SBRS number. Talos also says it is on bl.spamcop.net. A check of sbl.spamhaus.org confirms it is also on its list (even though Talos says it is not, and this is covered by the zen.spamhaus.org DNS List). I checked Talos for the one that did get caught and it had a poor score as well and is listed in bl.spamcop.net (again, not listed in sbl.spamhaus.org even though that is where we caught it).
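Added example, not from the thread: a parser for the two mail_logs line types quoted in this thread, correlating the "New SMTP ICID" line with the HAT verdict line by ICID and flagging connections that were accepted with no SBRS and no DNS list match, which is the case being chased here. The regular expressions are an assumption about the layout of these lines and cover only the fields they show; the sample lines are the ones posted in this thread, with the addresses masked as posted.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Two mail_logs line shapes seen in this thread. The patterns are an assumption
# about their layout and only cover the fields these lines show.
NEW_ICID = re.compile(
    r"Info: New SMTP ICID (?P<icid>\d+) interface (?P<iface>\S+) \((?P<local>[^)]*)\) "
    r"address (?P<ip>\S+) reverse dns host (?P<rdns>\S+) verified (?P<verified>\S+)"
)
HAT_VERDICT = re.compile(
    r"Info: ICID (?P<icid>\d+) (?P<action>[A-Z]+) SG (?P<group>\S+) "
    r"match (?P<match>\S+) SBRS (?P<sbrs>\S+)"
)

# Log lines copied from the posts in this thread (local addresses masked as posted).
SAMPLE_LOG = """\
Fri Apr 27 11:11:09 2018 Info: New SMTP ICID 3710080 interface Public (172.30.XXX.XXX) address 151.106.29.231 reverse dns host unknown verified no
Fri Apr 27 11:11:09 2018 Info: ICID 3710080 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Wed May 2 09:57:08 2018 Info: New SMTP ICID 3732912 interface Public (172.xxx.xxx.xxx) address 31.172.89.144 reverse dns host unknown verified no
Wed May 2 09:57:08 2018 Info: ICID 3732912 REJECT SG DNSBL match dnslist[zen.spamhaus.org] SBRS -1.9
Wed May 2 09:58:42 2018 Info: New SMTP ICID 3732932 interface Public (172.xxx.xxx.xxx) address 23.254.159.227 reverse dns host unknown verified no
Wed May 2 09:58:42 2018 Info: ICID 3732932 ACCEPT SG None match ALL SBRS None
"""


def parse_sbrs(text: str) -> Optional[float]:
    """'None' means no score was obtained; anything else is the numeric score."""
    return None if text == "None" else float(text)


def correlate(text: str) -> Dict[str, dict]:
    """Join the 'New SMTP ICID' line and the HAT verdict line for each ICID."""
    conns: Dict[str, dict] = {}
    for line in text.splitlines():
        m = NEW_ICID.search(line)
        if m:
            conns.setdefault(m["icid"], {}).update(
                ip=m["ip"], rdns=m["rdns"], verified=m["verified"])
            continue
        m = HAT_VERDICT.search(line)
        if m:
            conns.setdefault(m["icid"], {}).update(
                action=m["action"], group=m["group"], match=m["match"],
                sbrs=parse_sbrs(m["sbrs"]))
    return conns


def classify(conn: dict) -> str:
    """Bucket a connection by how the HAT decided it."""
    if "action" not in conn:
        return "no_verdict"                      # only saw the ICID open line
    if conn["match"].startswith("dnslist["):
        return "dnslist_match"                   # a DNS list did its job
    if conn["sbrs"] is None and conn["action"] in ("ACCEPT", "RELAY", "CONTINUE"):
        return "accepted_unscored"               # no SBRS, no DNS list hit, let in
    if conn["sbrs"] is None:
        return "unscored"
    return "scored"


def unscored_accepts(text: str) -> List[dict]:
    """Connections accepted with SBRS None and no DNS list match, oldest ICID first."""
    conns = correlate(text)
    return sorted(
        ({"icid": icid, **c} for icid, c in conns.items() if classify(c) == "accepted_unscored"),
        key=lambda c: int(c["icid"]),
    )


def summary(text: str) -> Counter:
    return Counter(classify(c) for c in correlate(text).values())


if __name__ == "__main__":
    print(dict(summary(SAMPLE_LOG)))
    for row in unscored_accepts(SAMPLE_LOG):
        print(row["icid"], row["ip"], row["group"], row["match"])
```

Against a real mail_logs export (grep for the two line types first) the accepted_unscored bucket is the population to take to a port 53 capture: if many of those IPs are in fact DNSBL-listed, the DNS list queries are not returning answers rather than the lists being clean.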

 

Hey kbrown.it,

I suspect the query sent out to the DNS list or senderbase side is having some issues.
I queried 23.254.159.227 for an SBRS score and its at -5.7 (poor range) and as you can find it in the DNS list it would signify that it is also within the list.

Are you able to monitor DNS traffic with a packet capture on port 53 (udp and tcp to be safe) and verify if we're getting responses for the queries from ESA.

Regards,
Matthew

I can, but it will be a little bit before I can test. I did have the timeout set to 0, so I increased that to 20 (which I think is the default).

Where can I look up the SBRS? Talos just says Poor, Neutral, or Good.

Hey kbrown.it,



On your ESA if you go to System Administration > Trace

You can run a trace (insert the IP and fill the rest with dummy info) and your device will do a lookup to retrieve the SBRS information.



As someone within Cisco I can access and run a query from our internal tools.

Thanks,

Matthew


Alright, I didn't know about that. Thank you.

I still see some coming in with an SBRS of None (but the test you provided me returned an SBRS for the IP), but I did see one that said it had an SBRS of None and got caught in the DNSLIST filter (it was on zen.spamhaus.org BL).

As for the DNS, I haven't done a packet capture, but I did see this a lot in the IronPort System Logs (for different domains):

Warning: Received an invalid DNS Response: rcode=ServFail data="'\\xc6\\xe2\\x80\\x02\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x03www\\ntradepress\\x03com\\x00\\x00\\x01\\x00\\x01'" to IP 216.136.95.12 looking up www.tradepress.com

I am not sure if that is normal or not, but I checked some of the IP Addresses where I got an SBRS None and I didn't see them in the list. I also checked it against one that was on the black list and got through on the 2nd with an SBRS of None, and it was also not listed in the System Log.
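Added example, not from the thread or from Cisco: a small DNS message parser applied to the bytes the Warning line above logs in its data="..." field (the ESA prints them Python-escaped; they are transcribed into a bytes literal here). It decodes the header flags and the question so the rcode and the name asked about can be checked directly against what the log claims, and includes a constructed DNSBL-style reply with an answer record and a compression pointer to exercise the answer section. The build_listed_reply helper is illustrative and not a capture.

```python
import struct
from typing import Dict, List, Tuple

RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}

# Transcribed from the data="..." field of the Warning above (the log shows the
# bytes Python-escaped; "\n" there is the 0x0a length byte of "tradepress").
LOGGED_RESPONSE = (
    b"\xc6\xe2\x80\x02\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x03www\x0atradepress\x03com\x00\x00\x01\x00\x01"
)


def _need(msg: bytes, offset: int, n: int) -> None:
    if offset + n > len(msg):
        raise ValueError(f"truncated message at offset {offset}")


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it sits in the message)."""
    labels: List[str] = []
    end = None
    hops = 0
    while True:
        _need(msg, offset, 1)
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            _need(msg, offset, 2)
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:
            return ".".join(labels), (offset if end is None else end)
        _need(msg, offset, length)
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_dns_message(msg: bytes) -> Dict:
    """Header flags, question section and answer RRs of a DNS message."""
    _need(msg, 0, 12)
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0xF
    header = {
        "id": ident,
        "qr": bool(flags & 0x8000),          # 1 = this is a response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),          # copied from the query by the server
        "ra": bool(flags & 0x0080),
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, f"rcode{rcode}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        _need(msg, offset, 4)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        _need(msg, offset, 10)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        _need(msg, offset, rdlen)
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        # render A records as dotted quads, e.g. the 127.0.0.x codes a DNSBL returns
        rendered = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata
        answers.append((name, rtype, rclass, ttl, rendered))
    return {"header": header, "questions": questions, "answers": answers, "consumed": offset}


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_listed_reply(ident: int, qname: str, code: str, ttl: int = 300) -> bytes:
    """Constructed (not captured) reply a DNSBL zone gives for a listed IP: NoError
    with one A record whose owner name is a pointer back to the question name."""
    header = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)     # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in code.split("."))
    return header + question + answer


if __name__ == "__main__":
    parsed = parse_dns_message(LOGGED_RESPONSE)
    print(parsed["header"]["rcode_name"], parsed["questions"], parsed["answers"])
```

The logged bytes decode as ID 0xc6e2, QR=1, RD=0, RA=0, rcode 2 (ServFail), one question for www.tradepress.com type A class IN and no answer records, with all 36 bytes consumed. So the packet the ESA rejected is a well-formed ServFail for the question that was asked rather than a mangled one; which server produced it, and whether the DNS list queries are getting the same treatment, is what the port 53 capture suggested in this thread would show.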

Hey kbrown.it

An invalid DNS response could mean either that the DNS query is being intercepted/malformed on arrival at your ESA, hence the data showing up the way it is, or that the DNS server in question genuinely wasn't able to return a result and sent that.

To verify if the ESA is even doing a DNS query to the DNSBL would require a pcap at the time this event occurs - but if SBRS is none (for some IPs that do have an SBRS score) then it leads me to believe there's something happening on the DNS queries side.

Regards,
Matthew