02-24-2017 07:30 AM
In the following DNS request traffic flow, instead of blocking the DNS request for a known blacklisted domain (chickenKiller.com), can you explain why IronPort passed the DNS request to the internal DNS server?
Source: IronPort Internet Interface, Destination: Internal-DNS.<snip>.COM
Source: Internal-DNS.<snip>.COM, Destination: 50.23.197.95:53 (ns1.afraid.org)
Source: Internal-DNS.<snip>.COM, Destination: 192.55.83.30:53 (m.gtld-servers.net)
Thank you in advance
02-24-2017 07:47 AM
Hi Faisal,
The ESA performs DNS lookups for each connecting IP as below.
DNS sender verification verifies the sending IP address by performing a reverse lookup for the domain of that IP address first.
It then compares the IP address in the A record of that domain (Forward Resolve) to the IP that is trying to inject the message again.
If the two addresses do not match, this results in the "verified no" message.
You can check the reputation of the sending server using the below URL.
http://www.senderbase.org/
Thanks!
Libin Varghese
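The reverse-then-forward check described in the reply above, written out as an added example (not code from the post or from the Cisco ESA). The PTR and A records are constructed stub data so it runs offline; the optional socket-based resolvers use the standard library for a live check, and the "verified yes/no" wording is illustrative rather than the appliance's exact log text.

```python
"""Added example: DNS sender verification (reverse lookup, then forward
resolve, then compare with the connecting IP). Stub records are constructed
for the example and are not real DNS data (assumption)."""
import ipaddress
import socket
from dataclasses import dataclass, field

# Constructed zone data standing in for DNS answers (assumption).
PTR_RECORDS = {
    "203.0.113.10": ["mail.example.net."],                 # PTR and A agree
    "203.0.113.20": ["mx.example.org."],                   # A record points elsewhere
    "203.0.113.30": ["ghost.example.com."],                # PTR name has no A record
    # 203.0.113.40 deliberately has no PTR record at all
    "203.0.113.50": ["a.example.net.", "b.example.net."],  # several PTRs, one matches
}
A_RECORDS = {
    "mail.example.net.": ["203.0.113.10"],
    "mx.example.org.": ["198.51.100.7"],
    "a.example.net.": ["203.0.113.99"],
    "b.example.net.": ["203.0.113.50", "203.0.113.51"],
}


@dataclass
class Verdict:
    verified: bool
    reason: str
    ptr_names: list = field(default_factory=list)


def stub_reverse(ip):
    """PTR lookup against the constructed table."""
    return PTR_RECORDS.get(ip, [])


def stub_forward(name):
    """A lookup against the constructed table."""
    return A_RECORDS.get(name, [])


def live_reverse(ip):
    """PTR lookup via the system resolver (only used if you pass it in)."""
    try:
        return [socket.gethostbyaddr(ip)[0] + "."]
    except (socket.herror, socket.gaierror):
        return []


def live_forward(name):
    """A lookup via the system resolver (only used if you pass it in)."""
    try:
        return socket.gethostbyname_ex(name.rstrip("."))[2]
    except (socket.herror, socket.gaierror):
        return []


def verify_sender(ip, reverse=stub_reverse, forward=stub_forward):
    """Reverse-resolve the connecting IP, forward-resolve each PTR name,
    and report whether any forward answer contains the connecting IP."""
    ipaddress.ip_address(ip)  # reject malformed input early
    names = reverse(ip)
    if not names:
        return Verdict(False, "no PTR record for connecting IP")
    resolved_any = False
    for name in names:
        addrs = forward(name)
        if not addrs:
            continue  # this PTR name does not forward-resolve; try the next one
        resolved_any = True
        if ip in addrs:
            return Verdict(True, f"PTR {name} forward-resolves to {ip}", names)
    if not resolved_any:
        return Verdict(False, "PTR name(s) do not forward-resolve", names)
    return Verdict(False, "forward resolution does not include connecting IP", names)


def log_line(ip, verdict):
    """Illustrative log phrasing (constructed, not the appliance's format)."""
    state = "yes" if verdict.verified else "no"
    return f"{ip}: reverse DNS verification: verified {state} ({verdict.reason})"


if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.20", "203.0.113.30",
                 "203.0.113.40", "203.0.113.50"):
        print(log_line(addr, verify_sender(addr)))
```

Three distinct failure modes fall out of the same check: no PTR at all, a PTR name that does not resolve, and a PTR name whose A records do not include the connecting host. Only the last two addresses of a multi-PTR host need to agree on one name for the check to pass, which is why the loop keeps going after a non-matching name.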
02-24-2017 08:12 AM
Thanks for the quick response.
I am new to IronPort. What does the "verified no" message entail?
Thanks in advance.
Faisal
02-24-2017 08:21 AM
Log messages of this type indicate the following:
This condition is often seen for ISPs with poorly maintained DNS records.
This condition will typically not cause mail delivery to fail.
Cisco customers can throttle or block messages from domains with DNS issues.
- Libin V
02-24-2017 08:46 AM
Hi Libin,
Can you take the example of the blacklisted domain "chickenkiller<.>com" to explain further? Would the ESA block messages with the blacklisted domain "chickenkiller<.>com"?
http://www.senderbase.org/ lists "chickenkiller<.>com" as having a poor reputation.
Thank you in advance.
Faisal
02-24-2017 09:50 AM
The URL chickenkiller.com has a poor web reputation, so it would be caught by URL filtering.
The ESA blocks email connection based on the sender IP reputation and not the domain reputation, so you would see IP connections being caught by the HAT Blacklist if it has a poor email reputation.
For example, the IP for the MX record of chickenkiller.com (50.23.197.92) has a neutral email reputation and is not listed on any global blacklists, including SenderBase.
- Libin V
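The two separate decision points in the reply above, as an added example that is not code from the post or from the ESA: the connection is accepted or refused on the connecting IP's email reputation, and only an accepted message's content is run through URL filtering, where the domain's web reputation applies. All scores, the sender-group boundaries, the reputation tables and the sample message are constructed for the example (assumptions), not SenderBase data or appliance defaults.

```python
"""Added example: connection-time decision keyed on the connecting IP's
email reputation, then content-time URL filtering keyed on domain
reputation. Every score, threshold and verdict here is constructed
(assumption), not real reputation data."""
import re

# Constructed IP email-reputation scores on a -10..+10 scale (assumption).
IP_EMAIL_REPUTATION = {
    "50.23.197.92": 0.0,      # neutral, as reported in the reply above
    "198.51.100.200": -7.5,   # poor
    "192.0.2.10": 6.0,        # good
}

# Constructed domain web-reputation verdicts (assumption).
DOMAIN_WEB_REPUTATION = {
    "chickenkiller.com": "poor",
    "example.com": "good",
}

# Assumed sender-group boundaries; a real HAT carries site-specific numbers.
def hat_sender_group(score):
    """Map an email-reputation score (or None for unlisted) to a sender group."""
    if score is None:
        return "UNKNOWNLIST"
    if score <= -3.0:
        return "BLACKLIST"
    if score < -1.0:
        return "SUSPECTLIST"
    return "UNKNOWNLIST"


GROUP_ACTION = {"BLACKLIST": "REJECT", "SUSPECTLIST": "THROTTLE", "UNKNOWNLIST": "ACCEPT"}


def connection_decision(connecting_ip):
    """The only input at SMTP connect time is the connecting IP."""
    group = hat_sender_group(IP_EMAIL_REPUTATION.get(connecting_ip))
    return group, GROUP_ACTION[group]


URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def registered_domain(host):
    """Collapse a hostname to its last two labels (assumption; a real filter
    would consult a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def url_filter(body):
    """Return (domain, web-reputation verdict) for each URL host in the body."""
    findings = []
    for host in URL_HOST_RE.findall(body):
        domain = registered_domain(host)
        findings.append((domain, DOMAIN_WEB_REPUTATION.get(domain, "unknown")))
    return findings


def process_message(connecting_ip, body):
    """Connection verdict first; URL filtering only if the message got in."""
    group, action = connection_decision(connecting_ip)
    result = {"sender_group": group, "connection": action, "url_findings": []}
    if action == "REJECT":
        return result  # body never examined: refused at SMTP time
    result["url_findings"] = url_filter(body)
    return result


# Constructed sample message body (assumption).
SAMPLE_BODY = (
    "Reset your password at http://www.chickenkiller.com/login today, "
    "or read the docs at https://example.com/docs."
)

if __name__ == "__main__":
    for ip in ("50.23.197.92", "198.51.100.200", "192.0.2.10"):
        print(ip, process_message(ip, SAMPLE_BODY))
```

Run the same body from the three addresses: the neutral and good senders are accepted and the link to chickenkiller.com is flagged by the content stage, while the poor-reputation sender is refused before the body is ever seen. The domain's poor web reputation never feeds the connection decision, which is what the reply above describes.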
02-24-2017 10:20 AM
Great!
Thank you Libin for explaining how ESA handles email messages containing the blacklisted domain.
Kind Regards,
Faisal M
02-25-2017 02:01 AM
Glad to help.
- Libin V