
HAT overview question.

So, I was told a while ago that if we make a whitelist and add servers, and set an SBRS score, that if either hit it would work.

We also have a blacklist that a server with -10 to -3 will get the connection dropped but I noticed it was not hitting when someone had added a sender into the list.

So, my question is: How is this determined, if both are set, do both have to match? Or, does the sender override any SBRS score setting in it and SBRS is now ignored?

 

 

Tue Feb 27 15:01:16 2024 Info: New SMTP ICID 116889427 interface DMZ49-6 (192.168.49.187) address 106.117.7.119 reverse dns host unknown verified no
Tue Feb 27 15:01:16 2024 Info: ICID 116889427 ACCEPT SG None match ALL SBRS -10.0 country China


IIRC it matches top down, first one wins (that's why there's an "edit order" button)
In a typical config -10 should have hit for the BLOCKED_LIST sender group before the "ALL" sender group.
If the sending IP was in a SG above the BLOCKED_LIST sender group, it would hit first... but that doesn't look like what happened here...






Yeah, best I can figure is it used to hit if either SBRS or a sender was in the list. It used to work and I was able to trace the senders were probably added 9+ years ago, before my time. Best guess is it changed when we went to version 14 and still that way in 15. Explains why I really haven't had to whitelist people in a while like we used to.

 

I believe it's skipping the SBRS as we have a whitelist and I believe that hits even though it also has a setting for SBRS 6-10

If it's both need to hit I would expect the whitelist to have broken. I'll dig more but wanted to see if anyone knows the exact processing.


And I dug in more and realized they were hitting our .org, not .com so different rules/listener.
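
An added example, not part of any post in this thread: a small Python check that pairs each "New SMTP ICID" line with its HAT verdict line and reports connections that were accepted despite an SBRS in the -10 to -3 range, together with the interface they arrived on, which is the detail that resolved this thread. The line shapes are taken from the two log entries quoted above; the other sample lines, the function name and the field names are constructed for illustration.

```python
import re

# Patterns follow the shape of the two mail log lines quoted in the thread.
NEW_CONN = re.compile(r"New SMTP ICID (\d+) interface (\S+) \((\S+)\) address (\S+)")
VERDICT = re.compile(r"ICID (\d+) ([A-Z]+) SG (\S+) match (\S+) SBRS (\S+)")

# First two lines are from the thread; the rest are constructed sample data.
SAMPLE_LOG = """\
Tue Feb 27 15:01:16 2024 Info: New SMTP ICID 116889427 interface DMZ49-6 (192.168.49.187) address 106.117.7.119 reverse dns host unknown verified no
Tue Feb 27 15:01:16 2024 Info: ICID 116889427 ACCEPT SG None match ALL SBRS -10.0 country China
Tue Feb 27 15:02:03 2024 Info: New SMTP ICID 116889430 interface DMZ49-5 (192.0.2.10) address 198.51.100.7 reverse dns host unknown verified no
Tue Feb 27 15:02:03 2024 Info: ICID 116889430 REJECT SG BLOCKED_LIST match sbrs[-10.0:-3.0] SBRS -8.1 country Example
Tue Feb 27 15:02:09 2024 Info: New SMTP ICID 116889431 interface DMZ49-5 (192.0.2.10) address 203.0.113.9 reverse dns host unknown verified no
Tue Feb 27 15:02:09 2024 Info: ICID 116889431 ACCEPT SG None match ALL SBRS None country Example
"""

def low_sbrs_accepts(lines, low=-10.0, high=-3.0):
    """Return accepted connections whose SBRS falls inside [low, high]."""
    conns = {}   # ICID -> interface and remote address from the connection line
    hits = []
    for line in lines:
        m = NEW_CONN.search(line)
        if m:
            conns[m.group(1)] = {"interface": m.group(2), "remote_ip": m.group(4)}
            continue
        m = VERDICT.search(line)
        if not m:
            continue
        icid, action, sender_group, rule, raw_score = m.groups()
        try:
            score = float(raw_score)
        except ValueError:
            continue  # no numeric score logged (e.g. "None"), nothing to compare
        if action == "ACCEPT" and low <= score <= high:
            conn = conns.get(icid, {})
            hits.append({
                "icid": icid,
                "interface": conn.get("interface", "unknown"),
                "remote_ip": conn.get("remote_ip", "unknown"),
                "sender_group": sender_group,
                "matched": rule,
                "sbrs": score,
            })
    return hits

if __name__ == "__main__":
    for hit in low_sbrs_accepts(SAMPLE_LOG.splitlines()):
        print(hit)
```

Grouping the reported interfaces by listener shows quickly whether the unexpected accepts all arrive on a listener whose HAT lacks the blocking sender group.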