cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5078
Views
0
Helpful
7
Replies

How does CISCO IronPort email security handle Blacklisted domains - ex: chickenkiller.com

In the following DNS request traffic flow, instead of blocking the DNS request for a known Blacklisted domain (chickenKiller.com), can you explain why IronPort passed the DNS request to the Internal DNS server?

Source: IronPort Internet Interface, Destination: Internal-DNS.<snip>.COM
Source: Internal-DNS.<snip>.COM, Destination: 50.23.197.95:53 (ns1.afraid.org)
Source: Internal-DNS.<snip>.COM, Destination: 192.55.83.30:53 (m.gtld-servers.net)

Thank you in advance

2 Accepted Solutions

Accepted Solutions

Libin Varghese
Cisco Employee
Cisco Employee

Hi Faisal,

The ESA performs DNS lookups for each connecting IP as below.

DNS sender verification verifies the sending IP address by performing a reverse lookup for the domain of that IP address first.


It then compares the IP address in the A record of that domain (Forward Resolve) to the IP that is trying to inject the message again.

In case the two addresses do not match, this will result in the "verified no" message.

You can check the reputation of the sending server using the below URL.

http://www.senderbase.org/

Thanks!

Libin Varghese

View solution in original post

The URL chickenkiller.com has a poor web reputation so would be caught by URL filtering.

The ESA blocks email connection based on the sender IP reputation and not the domain reputation, so you would see IP connections being caught by the HAT Blacklist if it has a poor email reputation.

For example IP for MX record of chickenkiller.com (50.23.197.92) has a neutral email reputation and is not listed on any global blacklists including senderbase.

- Libin V

View solution in original post

7 Replies 7

Libin Varghese
Cisco Employee
Cisco Employee

Hi Faisal,

The ESA performs DNS lookups for each connecting IP as below.

DNS sender verification verifies the sending IP address by performing a reverse lookup for the domain of that IP address first.


It then compares the IP address in the A record of that domain (Forward Resolve) to the IP that is trying to inject the message again.

In case the two addresses do not match, this will result in the "verified no" message.

You can check the reputation of the sending server using the below URL.

http://www.senderbase.org/

Thanks!

Libin Varghese

Thanks for the quick response.

I am new to IronPort. What does the "verified no" message entail?

Thanks in advance.

Faisal

Log messages of this type indicate the following:

 

  1. The IP address does not reverse resolve to a fully qualified domain name (FQDN).
  2. The hostname found from the Reverse Resolution does not Forward Resolve to the same IP address as is connecting.

 

This condition is often seen for ISPs with poorly maintained DNS records.

 

This condition will typically not cause mail delivery to fail. 

 

Cisco customers can throttle or block messages from domains with DNS issues.

- Libin V


Hi Libin,


Can you take the example of the blacklisted domain "chickenkiller<.>com" to explain further. Would the ESA block messages with the balckisted domain "chickenkiller<.>com."

http://www.senderbase.org/ lists "chickenkiller<.>com' as having poor reputation.


Thank you in advance.

Faisal

The URL chickenkiller.com has a poor web reputation so would be caught by URL filtering.

The ESA blocks email connection based on the sender IP reputation and not the domain reputation, so you would see IP connections being caught by the HAT Blacklist if it has a poor email reputation.

For example IP for MX record of chickenkiller.com (50.23.197.92) has a neutral email reputation and is not listed on any global blacklists including senderbase.

- Libin V

Great!

Thank you Libin for explaining how ESA handles email messages containing the blacklisted domain.

Kind Regards,

Faisal M

Glad to help.

- Libin V