ironport still blocking due to poor reputation...but for how long ?!

shellcod3R
Level 1

Hi everyone,

Ten days ago a hacker compromised a user's account on one of our academic Linux systems and managed to send a high volume of spam messages.

The result, within a couple of hours: our mail server's IP got blacklisted and we got burned. ;(

Seven days later our IP address is no longer blacklisted, according to e.g. http://multirbl.valli.org/dnsbl-lookup/ and a couple of other DNSBL listings (Spamcop, Sorbs, Spamhaus, Abuseat.org etc.). Great, we are again able to send email using our mail server's IP.

However, we are STILL NOT able to send email to other parties which use Cisco Ironport email technology, being blocked at the very beginning of the SMTP conversation, namely at the EHLO SMTP client command:

$ telnet host.example.com 25
Trying host.example.com...
Connected to host.example.com.
Escape character is '^]'.
554-ironport.example.com
554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
Connection closed by foreign host.


I understand it's due to a poor reputation we "won" ourselves, which can be seen at the Cisco IronPort SenderBase Security Network: http://www.senderbase.org/

Finally, my question:

How much longer should we wait until our reputation gets better? How can we resolve our issues with ironport email security?

Should we just "move" our SMTP server to another IP address (and make accordingly new rDNS entry) and forget the whole thing ever happened?

I suppose none of this would have happened if we had had Ironport email security in the first place.

Any feedback really appreciated.

Thanks.

Kind regards,

Krunoslav.


Andreas Mueller
Level 4

Hi Krunoslav,

sorry that one of the accounts got compromised and spoiled your mail reputation. Recovery always depends on the traffic during and after the incident, so I cannot give an estimate here; 10 days, however, sounds quite long, assuming your outgoing traffic is 100% clear of spam. One thing I'd suggest is to check other IPs from your network range for potential spam sources, as one "bad IP" can affect a subnet range as well. Just a thought. Also, you might contact one of the hosts still denying your messages and ask them how restrictive their Senderbase settings are. You might not be blocked by all Email Security Appliances any longer, only by those that have quite high thresholds on Senderbase scores.

Hope that helps,

Andreas

Hi Andreas,

Thank you for your kind reply.

Bottom line: Two days after my post, SenderBase cleared us and everything is OK again. We are again in "good reputation". All Ironport appliances which blocked us in the first place probably got updated (I presume) and all queued emails went out almost in a "burst mode".

I would say it was a very sudden change, apparently in the Ironport appliances, due to a change in reputation.

I checked my SMTP logs and concluded that it took us exactly 7 days without being listed on any of the blacklists SenderBase uses to finally be cleared from it. I'd say one needs 7 "incident-free" days for your reputation to get better.

That's my final conclusion after some deep drilling in my system logs.

BTW, no other IP address in our RIPE-allocated /24 range was mentioned in SenderBase.

I did contact one network admin about the aforementioned SenderBase settings in his Ironport, but I got a very descriptive answer - "....default settings...." ... so I suppose it's up to me to figure out what these "default senderbase settings" are.... Anyway, I don't have access to such Cisco technical documentation, so it was a clear shot in the dark....

Kind regards.

Krunoslav
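The log review described above (finding the last 554 reputation rejection from an IronPort relay and counting the incident-free days since), as an added example that is not from the thread: it runs over constructed Postfix-style log lines, and the host names, addresses and dates in them are made up for the example.

```python
import re
from collections import Counter
from datetime import date, datetime

# Constructed Postfix-style log excerpt (not from the original thread). The 554
# text mirrors the IronPort banner quoted in the post; Postfix logs a 5xx
# greeting as "refused to talk to me". The other lines are noise to be ignored.
SAMPLE_LOG = """\
Jun  1 10:02:11 mx postfix/smtp[2201]: 1A2B3C: to=<a@example.org>, relay=ironport.example.com[198.51.100.10]:25, delay=0.3, status=deferred (host ironport.example.com[198.51.100.10] refused to talk to me: 554-ironport.example.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
Jun  1 10:05:40 mx postfix/smtp[2202]: 1A2B3D: to=<b@example.net>, relay=mail.example.net[203.0.113.5]:25, delay=1.1, status=sent (250 2.0.0 Ok: queued as 77F1)
Jun  2 09:12:03 mx postfix/smtp[2310]: 1B2C3E: to=<c@example.org>, relay=ironport.example.com[198.51.100.10]:25, delay=0.2, status=deferred (host ironport.example.com[198.51.100.10] refused to talk to me: 554-ironport.example.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation.)
Jun  3 11:44:19 mx postfix/smtp[2411]: 1C2D3F: to=<d@example.com>, relay=mx2.example.com[192.0.2.20]:25, delay=2.0, status=bounced (host mx2.example.com[192.0.2.20] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jun  9 08:30:00 mx postfix/smtp[2901]: 1D2E40: to=<e@example.org>, relay=ironport.example.com[198.51.100.10]:25, delay=0.9, status=sent (250 2.0.0 Ok: queued as 91AB)
"""

# Syslog timestamp, relay host name, and a 554 carrying the reputation phrase.
REPUTATION_REJECT = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d .*?"
    r"relay=(?P<relay>[^\[\s]+)\[.*?(?:refused to talk to me|said): 554.*?poor reputation"
)


def reputation_rejects_per_day(log_text, year):
    """Count 554 reputation rejections, keyed by (date, relay host).

    Syslog lines carry no year, so the caller supplies it."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REPUTATION_REJECT.match(line)
        if m:
            day = datetime.strptime(f"{m['mon']} {m['day']} {year}", "%b %d %Y").date()
            counts[(day, m["relay"])] += 1
    return counts


def clear_since(counts, relay, as_of):
    """Days between the last reputation rejection from `relay` and `as_of`.

    Returns None when `relay` never rejected us, so there is nothing to recover from."""
    days = [d for (d, r) in counts if r == relay]
    if not days:
        return None
    return (as_of - max(days)).days


if __name__ == "__main__":
    counts = reputation_rejects_per_day(SAMPLE_LOG, 2013)
    for (day, relay), n in sorted(counts.items()):
        print(f"{day} {relay}: {n} reputation reject(s)")
    print("clear days:", clear_since(counts, "ironport.example.com", date(2013, 6, 9)))
```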