IP blocked due to MTA's poor reputation

eurekaexim
Level 1

Sir,

My clients are unable to send mail, as their mails are getting bounced with the error below.

I have hosted my clients at:

208.77.145.237
208.77.222.188

I have checked; there is no spamming done from any system. You are requested to kindly change the reputation so that mail delivery can start.

Bounced message with error:

-----Original Message-----
From: Mail Delivery System [mailto:Mailer-Daemon@atlas.dns22.com]
Sent: 25 April 2013 23:23
To: manhar@logisticlinkage.com
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  Susanne.Sehling@itg.de
    SMTP error from remote mail server after initial connection:
    host gatekeeper.spacenet.de [195.30.98.18]: 554-gatekeeper1.space.net
    554 Your access to this mail system has been rejected due to the sending
MTA's poor reputation. If you believe that this failure is in error, please
contact the intended recipient via alternate means.

------ This is a copy of the message, including all the headers. ------

Return-path: <manhar@logisticlinkage.com>
Received: from [115.242.111.245] (port=49491 helo=manharPC)
        by atlas.dns22.com with esmtpa (Exim 4.80)
        (envelope-from <manhar@logisticlinkage.com>)
        id 1UVQLG-0001JO-6N
        for Susanne.Sehling@itg.de; Thu, 25 Apr 2013 13:52:28 -0400
From: "Manhar" <manhar@logisticlinkage.com>
To: <Susanne.Sehling@itg.de>
References:
In-Reply-To:
Subject: Your order  4500807977
Date: Thu, 25 Apr 2013 23:22:18 +0530
Message-ID: <002d01ce41dd$a4564c60$ed02e520$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_002E_01CE420B.BE0E8860"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac5BgB95GTsTKcHBRH6KI1NTiMrKFgAB+pgAAAYZE4AACcGsoAAFih3Q
Content-Language: en-in

This is a multipart message in MIME format.


regards

Rajinder Singh

1 Accepted Solution

I posted a question about this very issue a few weeks ago, to get a feel for what others are doing, but no-one responded...

There are lots of legitimate domains that aren't sending spam, that don't know that they should set up reverse DNS, or don't know how to do it properly.

In the end I put reverse DNS lookup failures/non-existent/non-match in my SUSPECT sender group... we're still getting some spear-phishing spam because of this, but sending notes to other companies saying "hey, set up reverse DNS" was getting to be onerous...

14 Replies

Stephan Bayer
Cisco Employee

Hello Rajinder,

The IP address in the mail:from of your message example shows a poor reputation in Senderbase:

http://www.senderbase.org/senderbase_queries/detailip?search_string=115.242.111.245

If you follow the link it shows many systems on that network with a poor reputation, so they may be spamming.

SBRS is an automated reputation system over which we have very little influence.

On the Cisco ESA, if you want to continue to receive messages from these IPs despite their poor reputation, please check out

Article #1797: Bypass SBRS for specific hosts however still scan for SPAM Link: http://tools.cisco.com/squish/51DCC

Regards,


Stephan

I have the same problem, and we're rejecting email that's from legit senders. This is the NDR:

SMTP error from remote mail server after initial connection:
    host mail1.dsb.no [91.229.21.116]: 554-mail1.dsb.no
    554 Your access to this mail system has been rejected due to the sending MTA's
poor reputation. If you believe that this failure is in error, please contact
the intended recipient via alternate means.

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 1113933 characters long; only the first
------ 106496 or so are included here.

Return-path: <post@energyfitness.no>
Received: from [193.69.205.130] (helo=[192.168.20.19])
        by mailstore01.fastname.no with esmtpa (Exim 4.76)
        (envelope-from <post@energyfitness.no>)
        id 1Xmi5R-0004xF-90
        for bvj@dsb.no; Fri, 07 Nov 2014 12:52:17 +0100
To: "=?utf-8?B?YnZqQGRzYi5ubw==?=" <xxx@dsb.no>

I checked out mailstore01.fastname.no in Senderbase and it fails on the reverse MX lookup for IP 85.19.150.221. However, we have big problems now with mail being rejected and I need to know why. The email reputation of the IP is good, so why is it being rejected? Because the reverse MX lookup fails? If so, I need to switch that off. How do I do it? Is it defined in the HAT? In the mail policy "Accepted" I have switched off "Envelope Sender DNS Verification". It's turned on for the mail flow policies "Throttled" and "Blocked". Can anyone please assist me? We have had this problem for a few days and it's turning into a big problem. I cannot make exceptions for single domains because there are many legit emails being rejected.

I did some testing. For sender group "BLACKLIST" I removed "Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A)". Now the email goes through. I have only enabled "Connecting host PTR record does not exist in DNS". For the connected mail flow policy, "BLOCKED", I have disabled "Envelope Sender DNS verification".

It was the reverse lookup that I enabled for the BLACKLIST that caused all email with non-matching reverse DNS to be rejected.

For sender group "SUSPECTLIST" I have enabled "Connecting host reverse DNS lookup.." and disabled the "Connecting host reverse DNS...".

Any comments?
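The three connecting-host DNS conditions the posts above are arguing over (no PTR record, a PTR that does not forward-confirm, and a match) are a forward-confirmed reverse DNS check. The script below is an added example, not Cisco's code and not the ESA's own verification logic: it pulls the client IP out of an Exim-style Received: header like the one in the bounce, runs the PTR/A comparison against an injectable resolver, and maps the verdict to a sender group under the two policies discussed (everything to SUSPECTLIST, as the accepted answer does, or missing PTR to BLACKLIST and mismatch to SUSPECTLIST, as the second poster ended up). The DNS records in StubResolver and the sample header are constructed so it runs offline; SystemResolver does real lookups and its results for any live address are not asserted anywhere.

```python
"""Forward-confirmed reverse DNS (FCrDNS) triage for a connecting MTA.

Added example; not Cisco's code and not the ESA's own verification logic.
It reproduces the three conditions named in the thread (PTR missing,
PTR/A mismatch, match) and maps them to a sender group as the posters did.
"""
import ipaddress
import re
import socket
from typing import Dict, List, Optional

# Constructed sample: the first Received line of the bounce quoted above.
SAMPLE_RECEIVED = (
    "Received: from [115.242.111.245] (port=49491 helo=manharPC)\n"
    "        by atlas.dns22.com with esmtpa (Exim 4.80)\n"
)

# Exim writes the peer address in square brackets, optionally after a host
# name: "from [ip]" or "from host ([ip])". Matched on the header's own line.
_RECEIVED_IP = re.compile(
    r"^Received:\s+from[^\n]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M
)


def connecting_ip(received_header: str) -> Optional[str]:
    """Return the IPv4 address of the client that handed the message over."""
    m = _RECEIVED_IP.search(received_header)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:  # e.g. 999.1.1.1 inside brackets
        return None


class StubResolver:
    """Offline resolver over hand-built records (constructed, not real DNS)."""

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]]) -> None:
        self._ptr, self._a = ptr, a

    def ptr(self, ip: str) -> Optional[str]:
        return self._ptr.get(ip)

    def a(self, name: str) -> List[str]:
        return self._a.get(name, [])


class SystemResolver:
    """Real lookups via the OS resolver, for use against a live address."""

    def ptr(self, ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def a(self, name: str) -> List[str]:
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            return sorted({r[4][0] for r in infos})
        except socket.gaierror:
            return []


PTR_MISSING, PTR_MISMATCH, PTR_MATCH = "ptr_missing", "ptr_mismatch", "ptr_match"


def classify(ip: str, resolver) -> str:
    """FCrDNS test: a PTR must exist and its A record set must contain ip."""
    name = resolver.ptr(ip)
    if name is None:
        return PTR_MISSING
    # A PTR whose name has no A record (or points elsewhere) is a mismatch too.
    return PTR_MATCH if ip in resolver.a(name) else PTR_MISMATCH


# Sender-group policies discussed in the thread (group names as used there).
LENIENT_POLICY = {PTR_MISSING: "SUSPECTLIST", PTR_MISMATCH: "SUSPECTLIST", PTR_MATCH: None}
STRICT_POLICY = {PTR_MISSING: "BLACKLIST", PTR_MISMATCH: "SUSPECTLIST", PTR_MATCH: None}


def sender_group(verdict: str, policy=LENIENT_POLICY) -> Optional[str]:
    """Group the connection lands in on DNS grounds alone; None = no DNS rule hit."""
    return policy[verdict]


# Constructed records covering all three outcomes plus the no-A edge case.
STUB = StubResolver(
    ptr={"203.0.113.10": "mail.example.net",
         "203.0.113.11": "host11.example.org",
         "203.0.113.13": "orphan.example.com"},
    a={"mail.example.net": ["203.0.113.10"],
       "host11.example.org": ["198.51.100.5"]},
)

if __name__ == "__main__":
    print("client IP from bounce:", connecting_ip(SAMPLE_RECEIVED))
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"):
        v = classify(ip, STUB)
        print(f"{ip}: {v} -> {sender_group(v) or 'no DNS-based group'}")
```

Note the constructed edge case at 203.0.113.13: a PTR whose name has no A record at all counts as a mismatch here, not as a match, which is the kind of host that "resolves to" a name in a reverse-lookup tool yet still fails a forward/reverse comparison. Swap STUB for SystemResolver() to run the same triage against a live address.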


The best thing to do is to put those failures under SUSPECT so they are throttled instead of blocked.

For poor reputation issues:

If you are a Cisco Email Security Customer and you have a poor email sending reputation issue yourself, please open a TAC case. They can help you identify the reason for the poor reputation. They won't tell you all the answers but will be able to say things such as "this system at a.b.c.d IP is sending spam." What they won't tell you is what email address the spam was received at since it may be a spamtrap address that we don't want bulk mailing folks to know about. :)

If you aren't a Cisco Email Security customer and you have a poor email sending reputation yourself, please open a case at http://www.senderbase.org/support and the team will help you with the same type of information.

If you know what the problem is and you fix it yourself then simply wait. The SenderBase system is designed to self adjust and when the problems are resolved the sending score issues will automatically improve over time. It can happen in as little as hours or maybe a couple of days depending on mail volumes.

For blocking spam, there is a new whitepaper for tuning the ESA out on Cisco.com

http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white-paper-c11-732910.html

Thanks,

Raymond

Raymond,

Can you check the security on that whitepaper? I'm getting "Forbidden File or Application"

Ken

Try logging into Cisco.com with your ID/PW, then open the link.

We intended to block all e-mail from senders with an incorrect MX record. However, like you said, there are too many who haven't set up their mail gateway correctly, especially those SMTP services that send email on behalf of several domains. Hence, I had to move the "Connecting host reverse DNS.." to the SUSPECTLIST, instead of to the BLACKLIST as intended, as we were blocking too much legit email. The result is that some spam that the "reverse MX lookup" feature would have stopped if enabled for the BLACKLIST will pass through.

Some knowledge-base articles recommend not blocking solely based on the reverse MX lookup. It would be nice if Cisco had a best-practice doc for tuning the filters. It's not enough to refer to some knowledge-base articles; they should make a proper document.

Same error: 'Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means'

But we have correct reverse DNS lookup (80.81.110.27 <-> t-innova.com):

Results
80.81.110.27 resolves to "t-innova.com"
Top Level Domain: "t-innova.com"
Country IP Address: SPAIN

But at www.senderbase.org, I see:

Fwd/Rev DNS Match: No

What more can I do?

Thank you in advance.

Stephan Bayer
Cisco Employee

Hello Rajinder,

Please check if any of the responses worked for you and kindly mark this thread as answered if so.

Thank you.

Stephan

Please help me.

IP 203.151.45.45 blocked due to MTA's poor reputation

Please unblock IP 203.151.45.45.

Thank you.

You should be able to go to https://talosintelligence.com/ and request that the IP address be "unblocked". I would recommend starting a new thread, as the thread you're using is over 5 years old.

What link or menu for unblock ? I can not find it.

Thank you very much.

Reputation at the top, then "Reputation support"

File a ticket...