04-27-2018 09:12 AM - edited 03-08-2019 07:36 PM
I am trying to set up DNS Lists to do a DNS Blocklist in Ironport. An issue I keep running into is some of the IPs that are on the DNS Blocklist keep coming up with "sbrs[none] SBRS None". It appears that it is one or the other with the SBRS and DNS List (meaning either match the SBRS or the DNS List), so if it doesn't have a SBRS then it will not do the DNS Blocklist check and ends up hitting UNKNOWNLIST (which has a check box checked for None under SBRS). If I check that under the BLACKLIST, or a new one I created without any SBRS numbers listed, it will block all of the SBRS None without even checking it against the Blocklist. Is there a way to force the Ironport to check the DNS List and continue to the next rule if it is listed, even if the site has a SBRS of None?
We are running a C100V on Version 10.0.3-004. DNS are internal and looking at Root DNS Servers.
04-30-2018 08:22 PM
Hey Kbrown.it,
How is that setup working for you at the moment?
Logically if the sender is matching the DNS list and SBRS has no score (or has [none]) and there's no sendergroup which you had ticked the 'match if none' then it should fall into the DNS list sendergroup.
Regards,
Mathew
04-27-2018 09:58 AM
An example is IP Address 151.106.29.231. Below is what I see in mail.current:
Fri Apr 27 11:11:09 2018 Info: New SMTP ICID 3710080 interface Public (172.30.XXX.XXX) address 151.106.29.231 reverse dns host unknown verified no
Fri Apr 27 11:11:09 2018 Info: ICID 3710080 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Looking in Talos, it has a poor Email Reputation (https://www.talosintelligence.com/reputation_center/lookup?search=151.106.29.231). If you look at the Blacklists, you see it says Not Listed next to sbl.spamhaus.org (in my DNS List, I am using zen.spamhaus which checks sbl, pbl, and xbl all in one list). When you click the link for sbl.spamhaus.org, it says the IP is listed in sbl (https://www.spamhaus.org/query/ip/151.106.29.231).
I am not sure what log to look at to see if I have issues with DNS lookup.
04-30-2018 07:59 AM - edited 04-30-2018 08:08 AM
Mathew,
I put the DNS List into the BLACKLIST Sender Group. I did change the DNS settings a little bit, instead of using our Internal DNS it is now using the Root DNS Servers (that change was done this morning 4/30). I put in an override for our Internal DNS Servers.
I also set up a Sender Group without a SenderBase Reputation Score that has the DNS List as well and is set to Block as well.
05-01-2018 06:12 AM
Waiting to see what our Security Analysts see coming through email. A number of IPs they gave us were on a block list, so that is why we are trying to use a block list to stop those from coming in.
We do have a group that has none checked. I am not sure if it is default or not, but it is the UNKNOWNLIST. See below:
Order) Sender Group - SenderBase Reputation Score - Mail Flow Policy - DNS List
1) WHITELIST - Not in Use - TRUSTED - None
2) DNSBL - Not in Use - BLOCKED - Spamhaus and Sorbs DNS List
3) BLACKLIST - -10 to -3.0 - BLOCKED - Spamhaus and Sorbs DNS List
4) SUSPECTLIST - -3.0 to -1.0 - THROTTLED - None
5) UNKNOWNLIST - -1.0 to 10 and None - ACCEPTED - None
Default) ALL - Not in Use - ACCEPTED - None
With this setup, I see the block list hitting on DNSBL (which is fine), but I also see blocks happening at BLACKLIST when it does have a SBRS and is not listed on the block list (this is also fine). If they aren't listed in the WHITELIST, then they are hitting on UNKNOWNLIST (and rarely on SUSPECTLIST). For the most part, the setup is default (except for the DNSBL), but I don't know if the None for SBRS in UNKNOWNLIST is default or if that is something that was added. I am guessing if I remove the SBRS None from UNKNOWNLIST, then it should hit on the default ALL Sender Group (I am guessing) if there is no SBRS correct? I guess I am not sure why having the SBRS None checked on a Sender Group that is later in the list will cause the block Sender Groups to be skipped if it matches an IP on the DNS List (unless it runs through the HAT multiple times).
I removed the SBRS None from the Unknown, but it still doesn't do a DNS List Lookup on IPs that do not have a SBRS number with them. I just had one come in that is listed on Zen.Spamhaus.org (https://www.spamhaus.org/query/ip/23.254.159.227) and the Ironport let it through because of the SBRS None (see below).
Wed May 2 09:58:42 2018 Info: New SMTP ICID 3732932 interface Public (172.xxx.xxx.xxx) address 23.254.159.227 reverse dns host unknown verified no
Wed May 2 09:58:42 2018 Info: ICID 3732932 ACCEPT SG None match ALL SBRS None
As I mentioned before, if the SBRS is None then it does not check the DNS Lists. Last time I marked the BLACKLIST with SBRS None, most of the emails were hitting it. I believe it will be better now since I am using root DNS look ups, but it is still one or the other (either hitting SBRS None or has a SBRS and gets caught by the DNS List).
05-03-2018 05:33 AM - edited 05-03-2018 05:37 AM
Yes, it is able to query the DNS List. I have seen emails blocked by the rules with the DNS List in it, but they had a SBRS number as well. Below is the DNS List I am using:
zen.spamhaus.org, nomail.rhsbl.sorbs.net, bl.spamcop.net, cbl.abuseat.org
Again, here is an example of one passing the DNS List in the BLACKLIST and DNSBL (Custom) HAT Sender Groups (WHITELIST is 1st, DNSBL is 2nd, and BLACKLIST is 3rd, details were posted in an earlier post).
Wed May 2 09:58:42 2018 Info: New SMTP ICID 3732932 interface Public (172.xxx.xxx.xxx) address 23.254.159.227 reverse dns host unknown verified no
Wed May 2 09:58:42 2018 Info: ICID 3732932 ACCEPT SG None match ALL SBRS None
And here is one that was blocked by DNSBL:
Wed May 2 09:57:08 2018 Info: New SMTP ICID 3732912 interface Public (172.xxx.xxx.xxx) address 31.172.89.144 reverse dns host unknown verified no
Wed May 2 09:57:08 2018 Info: ICID 3732912 REJECT SG DNSBL match dnslist[zen.spamhaus.org] SBRS -1.9
This is also a good example of the DNSBL rule I created as the SBRS is not in use in that rule, otherwise this would have been hit by the SUSPECTLIST (SBRS -3.0 to -1.0). Between the two logs, the issue is that the one that is passing the DNS List does not have a SBRS listed with the IP Address (not sure if it failed to get it or truly does not have one). According to Talos, it is poor so it should have a SBRS number. Talos also says it is on bl.spamcop.net. A check of sbl.spamhaus.org confirms it is also on its list (even though Talos says it is not, and this is covered by the zen.spamhaus.org DNS List). I checked Talos for the one that did get caught and it had a poor score as well and is listed in bl.spamcop.net (again, not listed in the sbl.spamhaus.org even though that is where we caught it).
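The two mail.current excerpts above show the gap: an ICID accepted with "SBRS None" never records a dnslist[...] match. The script below is an added example (not from the thread or from Cisco) that parses such log lines, picks out accepts with no score, and runs them through the reversed-octet DNSBL lookup that zen.spamhaus.org uses (covering SBL, XBL and PBL in one zone, as noted earlier in the thread); the sample log and the stub resolver are constructed so it runs offline.

```python
import re
from typing import Callable, Dict, List

# Constructed lines modelled on the mail.current excerpts quoted in the thread.
SAMPLE_LOG = """\
Wed May 2 09:57:08 2018 Info: New SMTP ICID 3732912 interface Public (172.30.0.1) address 31.172.89.144 reverse dns host unknown verified no
Wed May 2 09:57:08 2018 Info: ICID 3732912 REJECT SG DNSBL match dnslist[zen.spamhaus.org] SBRS -1.9
Wed May 2 09:58:42 2018 Info: New SMTP ICID 3732932 interface Public (172.30.0.1) address 23.254.159.227 reverse dns host unknown verified no
Wed May 2 09:58:42 2018 Info: ICID 3732932 ACCEPT SG None match ALL SBRS None
"""
NEW_RE = re.compile(r"New SMTP ICID (\d+) .* address (\d+\.\d+\.\d+\.\d+) ")
VERDICT_RE = re.compile(r"ICID (\d+) (\w+) SG (\S+) match (.+) SBRS (\S+)$")

# Spamhaus ZEN return codes: 127.0.0.x means listed; 127.255.255.x means the
# query itself was refused and must NOT be treated as a listing.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
             **{f"127.0.0.{n}": "XBL" for n in range(4, 8)},
             "127.0.0.9": "SBL-DROP", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
             "127.255.255.252": "ERROR: typing error in zone name",
             "127.255.255.254": "ERROR: query via public/open resolver",
             "127.255.255.255": "ERROR: query volume exceeded"}

def parse_connections(log: str) -> Dict[str, dict]:
    """Join each 'New SMTP ICID' line with its HAT verdict line by ICID."""
    conns: Dict[str, dict] = {}
    for line in log.splitlines():
        if m := NEW_RE.search(line):
            conns[m.group(1)] = {"ip": m.group(2)}
        elif m := VERDICT_RE.search(line):
            conns.setdefault(m.group(1), {}).update(
                verdict=m.group(2), group=m.group(3), rule=m.group(4), sbrs=m.group(5))
    return conns

def unscored_accepts(conns: Dict[str, dict]) -> List[str]:
    """IPs the HAT accepted with no reputation score: the thread's problem case."""
    return [c["ip"] for c in conns.values()
            if c.get("verdict") == "ACCEPT" and c.get("sbrs") == "None"]

def dnsbl_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """DNSBL convention: the IP's octets reversed, prefixed to the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_ip(ip: str, resolve: Callable[[str], List[str]]) -> List[str]:
    """Decode every A record the resolver returns for the DNSBL name."""
    return [ZEN_CODES.get(a, f"unknown code {a}") for a in resolve(dnsbl_name(ip))]

# Constructed stub resolver (hypothetical answers); swap in a real A lookup for use.
STUB = {"227.159.254.23.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"]}
stub_resolve = lambda name: STUB.get(name, [])

for ip in unscored_accepts(parse_connections(SAMPLE_LOG)):
    print(ip, check_ip(ip, stub_resolve) or "not listed")
```

Running it against a live mail.current with a real resolver lists exactly the connections the HAT accepted on SBRS None that a DNS List would have caught.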
05-03-2018 03:55 PM
I can, but it will be a little bit before I can test. I did have the timeout set to 0, so I increased that to 20 (which I think is the default).
Where can I look up the SBRS? Talos just says Poor, Neutral, or Good.
05-07-2018 08:15 AM
Alright, I didn't know about that. Thank you.
I still see some coming in with SBRS of None (but the test you provided me returned a SBRS for the IP), but I did see one that said it had an SBRS of None and got caught in the DNSLIST filter (it was on zen.spamhaus.org BL).
As for the DNS, I haven't done a packet capture, but I did see this a lot in the Ironport System Logs (for different domains):
Warning: Received an invalid DNS Response: rcode=ServFail data="'\\xc6\\xe2\\x80\\x02\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x03www\\ntradepress\\x03com\\x00\\x00\\x01\\x00\\x01'" to IP 216.136.95.12 looking up www.tradepress.com
I am not sure if that is normal or not, but I checked some of the IP Addresses where I got a SBRS None and I didn't see them in the list. I also checked it against one that was on the black list and got through on the 2nd with a SBRS of None; it was also not listed in the System Log.