Solved: How does CISCO IronPort email security handle Blacklisted domains - ex: chickenkiller.com

faisal.mohammed-ext · ‎02-24-2017

In the following DNS request traffic flow, instead of blocking the DNS request for a known Blacklisted domain (chickenKiller.com), can you explain why IronPort passed the DNS request to the Internal DNS server?

Source: IronPort Internet Interface, Destination: Internal-DNS.<snip>.COM
Source: Internal-DNS.<snip>.COM, Destination: 50.23.197.95:53 (ns1.afraid.org)
Source: Internal-DNS.<snip>.COM, Destination: 192.55.83.30:53 (m.gtld-servers.net)

Thank you in advance

Libin Varghese · ‎02-24-2017

Hi Faisal,

The ESA performs DNS lookups for each connecting IP as below.

DNS sender verification verifies the sending IP address by performing a reverse lookup for the domain of that IP address first.

It then compares the IP address in the A record of that domain (Forward Resolve) to the IP that is trying to inject the message again.

In case the two addresses do not match, this will result in the "verified no" message.

You can check the reputation of the sending server using the below URL.

http://www.senderbase.org/

Thanks!

Libin Varghese

View solution in original post

Libin Varghese · ‎02-24-2017

The URL chickenkiller.com has a poor web reputation so would be caught by URL filtering.

The ESA blocks email connection based on the sender IP reputation and not the domain reputation, so you would see IP connections being caught by the HAT Blacklist if it has a poor email reputation.

For example IP for MX record of chickenkiller.com (50.23.197.92) has a neutral email reputation and is not listed on any global blacklists including senderbase.

- Libin V

View solution in original post

Libin Varghese · ‎02-24-2017

Hi Faisal,

The ESA performs DNS lookups for each connecting IP as below.

DNS sender verification verifies the sending IP address by performing a reverse lookup for the domain of that IP address first.

It then compares the IP address in the A record of that domain (Forward Resolve) to the IP that is trying to inject the message again.

In case the two addresses do not match, this will result in the "verified no" message.

You can check the reputation of the sending server using the below URL.

http://www.senderbase.org/

Thanks!

Libin Varghese

faisal.mohammed-ext · ‎02-24-2017

Thanks for the quick response.

I am new to IronPort. What does the "verified no" message entail?

Thanks in advance.

Faisal

Libin Varghese · ‎02-24-2017

Log messages of this type indicate the following:

The IP address does not reverse resolve to a fully qualified domain name (FQDN).
The hostname found from the Reverse Resolution does not Forward Resolve to the same IP address as is connecting.

This condition is often seen for ISPs with poorly maintained DNS records.

This condition will typically not cause mail delivery to fail.

Cisco customers can throttle or block messages from domains with DNS issues.

- Libin V

faisal.mohammed-ext · ‎02-24-2017

Hi Libin,

Can you take the example of the blacklisted domain "chickenkiller<.>com" to explain further. Would the ESA block messages with the balckisted domain "chickenkiller<.>com."

http://www.senderbase.org/ lists "chickenkiller<.>com' as having poor reputation.

Thank you in advance.

Faisal

Libin Varghese · ‎02-24-2017

The URL chickenkiller.com has a poor web reputation so would be caught by URL filtering.

The ESA blocks email connection based on the sender IP reputation and not the domain reputation, so you would see IP connections being caught by the HAT Blacklist if it has a poor email reputation.

For example IP for MX record of chickenkiller.com (50.23.197.92) has a neutral email reputation and is not listed on any global blacklists including senderbase.

- Libin V

faisal.mohammed-ext · ‎02-24-2017

Great!

Thank you Libin for explaining how ESA handles email messages containing the blacklisted domain.

Kind Regards,

Faisal M

Libin Varghese · ‎02-25-2017

Glad to help.

- Libin V