MX Record Got Blacklisted

fatalXerror
Level 5

Hi Guys,

Good Day!

Have you encountered a case where the ESA considers an MX record BLACKLISTED, but when you check it online with a tool like mxtoolbox, that MX record is whitelisted?

As a result, the e-mail got dropped due to its reputation.

Thanks.

2 Replies

Libin Varghese
Cisco Employee

Hi,

The Email Security Appliance determines the sender reputation based on SenderBase scoring.

Please check the current reputation of the sender IP using www.senderbase.org.

The Cisco SenderBase Reputation Service, using global data from the SenderBase Affiliate network, assigns a SenderBase Reputation Score to email senders based on complaint rates, message volume statistics, and data from public blacklists and open proxy lists.

You can also review the mail_logs for the IP of the sender or rejected connections in message tracking to determine what the exact score was at the time.

Regards
Libin Varghese

exMSW4319
Level 3

No, we don't.

An MX record says where a mail should be sent to, and like most DNSBLs SenderBase checks the IP that a mail has come from. It works purely by IP address, and no amount of messing about with host names and rDNS will make any difference, though some admins may spot and react to regular patterns in sender host name selection with a filter or rule.

Although the sending server's IP address and the sender domain's MX resolution may be the same and in a simple set-up often are, they don't have to be. Check any of the major players and you'll see that they have dedicated inbound and outbound machines.

An IP address that's shared has no accountability unless all of the traffic that exits through it is properly policed by one authority. In all of the cases I've investigated where SenderBase gave the "wrong" verdict, that was the explanation. Frequently, the IP won't be causing you a problem, so you can take a calculated risk to exempt it in your ESA HAT. There are other postings on this forum that explain how to do that, and this does not turn off the other measures your ESA takes to defend you. Even if you do this, it's worth pointing out to the sender that most other Cisco customers will still be rejecting them until the reputation is fixed.

I'm not aware of any DNSBL-checking site that includes SenderBase other than senderbase.org itself, which is a useful resource to bookmark in any case. There are a few other lists in the same position; I currently have Mailshell and Sophos IP Threat bookmarked.
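
The two replies combine into one check: find the connecting IP and the score recorded for it in mail_logs, then compare that IP with the addresses the sender's MX records resolve to. The Python below is an added example, not part of any post in this thread and not Cisco tooling; the log layout, the sample lines, the addresses and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample lines; the layout is an assumption modelled on ESA mail_logs.
SAMPLE_LOG = """\
Tue Sep  5 10:01:12 2017 Info: New SMTP ICID 41 interface Data1 (10.0.0.5) address 203.0.113.25 reverse dns host out1.example.net verified yes
Tue Sep  5 10:01:12 2017 Info: ICID 41 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -4.2
Tue Sep  5 10:02:40 2017 Info: New SMTP ICID 42 interface Data1 (10.0.0.5) address 198.51.100.7 reverse dns host mx1.example.net verified yes
Tue Sep  5 10:02:40 2017 Info: ICID 42 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 1.3
Tue Sep  5 10:03:02 2017 Info: New SMTP ICID 43 interface Data1 (10.0.0.5) address 192.0.2.88 reverse dns host unknown verified no
Tue Sep  5 10:03:02 2017 Info: ICID 43 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
"""
# Constructed: the addresses the sender domain's MX records resolve to.
SENDER_MX_IPS = {"198.51.100.7"}

NEW_CONN = re.compile(r"New SMTP ICID (\d+) .*?\baddress (\S+) reverse dns host (\S+)")
VERDICT = re.compile(r"\bICID (\d+) (ACCEPT|REJECT|RELAY|TCPREFUSE) SG (\S+) match \S+ SBRS (\S+)")

def parse_score(text):
    """SBRS is numeric, or a word such as 'None' when no score was available."""
    try:
        return float(text)
    except ValueError:
        return None

def scored_connections(log_text):
    """Join each connection's remote IP to the policy verdict logged for its ICID."""
    conns = {}
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            conns[m.group(1)] = {"ip": m.group(2), "rdns": m.group(3)}
            continue
        m = VERDICT.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].update(action=m.group(2), group=m.group(3),
                                     sbrs=parse_score(m.group(4)))
    return conns

def refused(log_text, mx_ips):
    """Refused connections, flagged by whether the connecting IP is one of the MX IPs."""
    return [dict(c, icid=icid, is_mx=c["ip"] in mx_ips)
            for icid, c in scored_connections(log_text).items()
            if c.get("action") in ("REJECT", "TCPREFUSE")]

if __name__ == "__main__":
    for r in refused(SAMPLE_LOG, SENDER_MX_IPS):
        print(f'ICID {r["icid"]}: {r["ip"]} ({r["rdns"]}) SBRS {r["sbrs"]} '
              f'{r["action"]} by {r["group"]}; listed as MX: {r["is_mx"]}')
```

In the constructed sample the only refused connection comes from an outbound address that is not among the MX addresses, which is why a lookup on the MX host can come back clean while the mail is still dropped.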