Email Plug-in (Reporting): 1.1.0-114
Email Plug-in (Encryption): 1.2.1-118
Hi Anil Bhardwaj,
I would request you to first check for the IP address "126.96.36.199" or "tohmatsu.co.jp" by searching for it under Mail Policies-->HAT Overview-->Find Senders-->Find Senders that Contain this Text:
If you are not able to find it under any sender group, then check in message tracking for the SBRS score of the emails passing through the ESA and of those being blocked by the ESA. The two values might be different, falling under different sender groups, which might be the cause of one email passing and another being blocked.
The SBRS score for an email (domain) is a variable value which keeps on changing depending on various factors categorized by TALOS based on the behaviour and practices followed by the particular domain.
I hope this might give you some leads to your investigation.
I searched the IP address under the HAT overview - Find Senders, but I did not get a single entry under any sender group.
However, I can see the sender address SBRS rating is 2.5.
Is that the reason for the rejection?
Low SBRS email should move to quarantine, not be rejected.
Please correct me if I am wrong.
The action taken on the SBRS score depends on which sender group the value falls under and which mail flow policy is attached to that sender group.
For a few sender groups you should be able to see a range of SBRS values configured; for example, for BLACKLIST it might be -10 to -3, and if any email falls under that range, it will be actioned upon by the BLOCKED mail flow policy (the connection behaviour of which is set to Reject, not quarantine).
The details of this can be seen in the message tracking information as well.
If you share the complete mail logs or the message tracking for the email which is blocked, then I might be able to assist you with the reason for the email getting blocked.
In addition to the above, you should be able to see the source sending IP address in the message tracking. You can check the reputation of the sender IP address.
The TALOS portal is the one where you will find all the required information on IP reputation, URL reputation, new threats detected by Cisco, etc:
You can input the IP address on that portal and it will return the Email Reputation, albeit not in a numeric value.
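A small model of the HAT lookup described above, added here as an illustration and not taken from this thread or from Cisco's own code. Sender groups are evaluated top to bottom and the first match wins, so two groups with overlapping SBRS ranges are resolved by order alone. The group names, SBRS ranges and policies below are what I recall as the ESA factory defaults; they are assumptions and should be verified against your own HAT Overview. The "widened" HAT at the end is constructed to show how a score of 2.5 ends up rejected only if an administrator has changed a range or a policy:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SenderGroup:
    name: str
    policy: str          # mail flow policy attached to the group
    behaviour: str       # connection behaviour of that policy (ACCEPT, REJECT, ...)
    sbrs_min: Optional[float] = None   # inclusive SBRS range; None = no range
    sbrs_max: Optional[float] = None
    match_none: bool = False   # group also lists sbrs[none] (senders with no score)
    match_all: bool = False    # the catch-all ALL group

    def matches(self, sbrs: Optional[float]) -> bool:
        if self.match_all:
            return True
        if sbrs is None:
            return self.match_none
        if self.sbrs_min is None or self.sbrs_max is None:
            return False
        return self.sbrs_min <= sbrs <= self.sbrs_max


# Assumed ESA factory defaults, in HAT order (verify on your own appliance).
DEFAULT_HAT: List[SenderGroup] = [
    SenderGroup("WHITELIST",   "TRUSTED",   "ACCEPT",   6.0, 10.0),
    SenderGroup("BLACKLIST",   "BLOCKED",   "REJECT", -10.0, -3.0),
    SenderGroup("SUSPECTLIST", "THROTTLED", "ACCEPT",  -3.0, -1.0),
    SenderGroup("UNKNOWNLIST", "ACCEPTED",  "ACCEPT",  -1.0, 10.0),
    SenderGroup("ALL",         "ACCEPTED",  "ACCEPT",  match_all=True),
]


def classify(sbrs: Optional[float],
             hat: List[SenderGroup] = DEFAULT_HAT) -> Tuple[str, str, str]:
    """Return (sender group, mail flow policy, connection behaviour) for an
    SBRS score, using first-match-wins order as the HAT is evaluated."""
    for group in hat:
        if group.matches(sbrs):
            return group.name, group.policy, group.behaviour
    raise ValueError("no sender group matched; a HAT needs a catch-all ALL group")


def overlapping_groups(hat: List[SenderGroup]) -> List[Tuple[str, str]]:
    """Pairs of sender groups whose SBRS ranges overlap. Overlap is normal in
    the defaults (WHITELIST and UNKNOWNLIST both cover 6 to 10), which is why
    the order of the groups, not just their ranges, decides the outcome."""
    ranged = [g for g in hat if g.sbrs_min is not None and g.sbrs_max is not None]
    pairs = []
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            if a.sbrs_min <= b.sbrs_max and b.sbrs_min <= a.sbrs_max:
                pairs.append((a.name, b.name))
    return pairs


# Constructed, non-default HAT: an administrator widened BLACKLIST to -10..3.
# The same 2.5 score now lands in BLACKLIST and is rejected at connection time.
WIDENED_HAT: List[SenderGroup] = [
    DEFAULT_HAT[0],
    SenderGroup("BLACKLIST", "BLOCKED", "REJECT", -10.0, 3.0),
] + DEFAULT_HAT[2:]


if __name__ == "__main__":
    for score in (2.5, -4.0, 7.0, -2.0, None):
        print(score, classify(score))
    print("widened HAT, 2.5:", classify(2.5, WIDENED_HAT))
    print("overlapping ranges:", overlapping_groups(DEFAULT_HAT))
```

With the assumed defaults, 2.5 falls into UNKNOWNLIST and is accepted, so a rejection of a 2.5 sender points at a customised sender group or policy on the listener rather than at the score itself; comparing the sender group named in message tracking against this list is the quickest way to confirm which.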
I have attached the message trace logs, including the Reject messages too. Since the 20th, there have been no new emails to us from the sender.
I hope the added information will help us to get more in-depth details.
I could see that the given IP address (188.8.131.52) has a poor reputation in TALOS. Please refer to the link below and also see the attached screenshot. Hence, it was rejected by the HAT.
I hope that makes the reason for the rejection by the HAT clear.
Thank you so much for your help.
One last thing: under Blacklist I can see some company names. Does that mean this IP has been placed in a blacklist by them?
Thank you so much, Pratham, for your help.
This is my first time on ESA support community page and it really does work.
Regarding the company names where this IP is shown as blacklisted, can we ask them to remove the IP from their blacklist to improve the reputation from poor to good or neutral?