IronPort Custom NDR for SBRS Scores

Mike Luebbers
Level 1

We have just had an issue where a customer was trying to send us an email but was getting blocked with a low SBRS score (-1.1). Unfortunately it was going on for a few days and no one was the wiser and this was causing some business impact.

I would like to know if there is a way that the sender (the customer in this case) can be notified with an NDR or some other mechanism when this happens. Is this possible?

Thanks

3 Replies

Mathew Huynh
Cisco Employee

Hello Mike,

SBRS -1.1 would generally put it into the 'throttled' matching mail flow where the mail servers connecting will get a 4XX SMTP reply code to delay the mail deliveries but not actually drop it unless it matches the maximum time in queue and gets hard bounced and it should go to the end user after the limits are met.

However, if your ESA is blocking it completely with a 554 (usually matches against SBRS BLACKLIST), then an NDR should be generated with information of SenderBase reputation blocking on the NDR.

Regards,

Matthew

Hi Matthew, thanks for the reply. So we just adjusted the SBRS scores within our HAT and that range fell into Blocked (blacklist) mail flow policy. However, they didn't get an NDR. Sounds like they should have?

To temporarily fix the issue we put them on a whitelist. Once this was done we started accepting old mail all at once, so that would indicate that their servers did a retry...

Thanks again

Hey Mike,

Yep, they should have gotten the default 554 response for SenderBase reputation score rejection.

Then the connecting MTA is the server which is responsible for generating the NDR for the original sender.

The NDR if matching blacklist would be:
554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.

(Unless of course you're using TCP refuse on the BLACKLIST sendergroup)

You can check this on GUI > Mail Policies > Mail Flow Policies > Click on "BLOCKED"

For connection behaviour, TCP refuse will send a normal connection refused, so no SMTP code for NDR.

Reject will send the 554 code so it will prompt the connecting mail server to know that it needs to generate an NDR.

Regards,

Matthew
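
The difference between TCP refuse, a 4XX throttle and a 554 reject can be checked from the connecting side with a short script. This is an added example, not part of the posts above and not Cisco code: it opens one connection to a listener you operate, reads the first SMTP reply and reports what a sending MTA would do with it. It assumes the test host falls into the sender group you want to check, since the listener's response depends on the connecting IP; the function names and the usage line are hypothetical.

```python
import socket
import sys

# What the sending MTA does after each first response (RFC 5321 reply classes).
SENDER_EFFECT = {
    "refused": "no SMTP code; sender queues and retries, NDR only after its queue lifetime expires",
    "4xx": "temporary failure; sender queues and retries, NDR only after its queue lifetime expires",
    "5xx": "permanent failure; sender's MTA should generate an NDR straight away",
    "2xx": "connection accepted; no rejection at connect time",
}


def read_reply(sock):
    """Read one SMTP reply, which may span several lines; return (code, text)."""
    parts = []
    with sock.makefile("rb") as stream:
        for raw in stream:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            parts.append(line[4:])
            # "554-text" means more lines follow; "554 text" is the last line.
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), " ".join(parts)
    raise ConnectionError("connection closed before a complete SMTP reply")


def classify_greeting(host, port=25, timeout=10.0):
    """Connect once and classify the listener's first response."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            code, text = read_reply(sock)
    except ConnectionRefusedError:
        # TCP refuse: the handshake itself fails, so there is no reply to parse.
        return {"result": "refused", "code": None, "text": "",
                "sender_effect": SENDER_EFFECT["refused"]}
    result = f"{code // 100}xx"
    return {"result": result, "code": code, "text": text,
            "sender_effect": SENDER_EFFECT.get(result, "unexpected reply class")}


if __name__ == "__main__":
    # Hypothetical usage: python check_greeting.py <your-listener-host> [port]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(classify_greeting(sys.argv[1], target_port))
```

A "refused" or "4xx" result matches the case in this thread where the customer saw no NDR for days and the queued mail arrived at once after whitelisting.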
