poor reputation MTA no individual response on ticket

troester
Level 1

Hi there,

Our mailserver is listed with a poor reputation. That's why some clients could not receive emails from us without whitelisting. For security reasons they don't want to whitelist longer than necessary.

Meanwhile I have opened the fifth ticket, but the reputation is only set back for a short time and none of my questions is answered. I only got automated answers.

By now we are listed with a poor reputation, a very high spam level and null email volume today and last month. There has never been an email volume displayed. We send about 400 emails/day to our clients and public authorities, so that might be correct.

Of course we double-checked the complete server. We are not an open relay, never send spam and no malware. We are not on other blacklists except on UCEPROTECT level 3, sometimes level 2. But you know that's not the fault of our server.

I need some information about what event caused our poor reputation again and again on Talos. Is it possible that a client misconfigured something so that we are blacklisted when we send about 5 mails in a short period?

So I need some more information to resolve the problem. Why / by whom (e.g. IP) are we marked as sending spam? Or what else causes that?

Thanks for assistance.

marcus

last processed ticket is #2255373

2 Replies

Mathew Huynh
Cisco Employee

Hey Troster,

It's quite difficult to put a finger on this, but being listed on UCEprotect probably can contribute to it. Talos intelligence also looks into a lot of other items and variable values.

If servers you're connecting to are using Cisco intelligence (i.e. Talos) then it's very likely the only means to get email to them is to have them put you on an allow list (which means they still subject your emails to scans but accept the initial connection). Whitelisting (the old term) to bypass scanners is likely not ideal for them. Perhaps you can suggest that to get your emails through in the meantime.

If your server continues to send legitimate emails, it will improve in score.

If it doesn't improve, I highly recommend looking at your server with greater scrutiny to find out why it's continuing to drop.

Are you mass mailing in any way? If so, look into ensuring all your emails are SPF, DKIM and DMARC compliant first.

Ensure emails are not going to recipients that do not exist; this type of behaviour is considered directory harvesting, which will impact your reputation.

Are you sharing your sending IP with other tenants? They could also be a culprit.

There are many items.


I do want to ask: your mail gateway that you're using, is it a Cisco Secure Email gateway?

Thank you,

Mathew
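The SPF/DKIM/DMARC advice above is easy to state and easy to get subtly wrong in DNS. The following is an added example written for this thread (not code from the forum, from Cisco or from Talos): given the raw TXT strings a DNS lookup or a tool such as mxtoolbox returns, it flags the record mistakes that commonly cost sender reputation. All record strings it is run on are constructed samples, and it queries no DNS.

```python
"""Offline syntax checks for a domain's SPF and DMARC TXT records.

Added example for this thread; not code from the forum, Cisco or Talos. It
takes the raw TXT strings a DNS lookup (or a tool like mxtoolbox) returns and
flags: no or several DMARC records, no enforced policy, an SPF record without a
terminal "all", a permissive "+all", and more than the ten DNS-querying
mechanisms RFC 7208 allows. Record strings are constructed samples.
"""
import re

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 limits these to 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
SPF_KNOWN_TERMS = SPF_LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}


def _spf_term_name(term):
    """'-include:foo' -> 'include', 'ip4:192.0.2.0/24' -> 'ip4', '~all' -> 'all'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(txt_records):
    """Findings for the SPF record(s) among the TXT strings at the domain apex.
    An empty list means nothing was flagged."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    for term in terms:
        if _spf_term_name(term) not in SPF_KNOWN_TERMS:
            findings.append(f"unknown SPF term: {term}")
    lookups = sum(1 for t in terms if _spf_term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: over the limit of 10, evaluates to permerror")
    has_all = bool(terms) and _spf_term_name(terms[-1]) == "all"
    has_redirect = any(_spf_term_name(t) == "redirect" for t in terms)
    if not has_all and not has_redirect:
        findings.append("SPF record has no terminal 'all' mechanism")
    elif has_all and terms[-1].lstrip("+") == "all":
        findings.append("SPF ends in '+all': any host on the internet passes SPF for this domain")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_records, domain):
    """Findings for the TXT strings published at _dmarc.<domain>."""
    findings = []
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [f"no DMARC record at _dmarc.{domain}"]
    if len(dmarc) > 1:
        findings.append("multiple DMARC records: receivers discard all of them")
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError as exc:
        return [str(exc)]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= policy tag")
    elif policy == "none":
        findings.append("DMARC policy is p=none: monitoring only, nothing is quarantined or rejected")
    # Report URIs: must be mailto:, and an external report domain must publish
    # <domain>._report._dmarc.<report_domain> (RFC 7489 section 7.1) or receivers
    # drop the reports; that is the "external validation" a checker looks up.
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:"):
                findings.append(f"{tag} URI is not a mailto: address: {uri}")
                continue
            report_domain = uri.split("@", 1)[-1].split("!", 1)[0].lower()
            if report_domain != domain.lower() and not report_domain.endswith("." + domain.lower()):
                findings.append(f"{tag} reports go to external domain {report_domain}: it must publish "
                                f"{domain}._report._dmarc.{report_domain}")
    return findings


if __name__ == "__main__":
    # Constructed records for a made-up domain; example.com is a documentation name.
    print(check_spf(["v=spf1 mx ip4:192.0.2.10 -all"]))
    print(check_dmarc(["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"], "example.com"))
```

Run it against the TXT strings of your own domain (`dig TXT example.com` and `dig TXT _dmarc.example.com`); DKIM is deliberately left out, since validating a signature needs a signed message rather than a DNS record alone.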

Thanks Mathew for the reply.


@Mathew Huynh wrote:

It's quite difficult to put a finger on this, but being listed on UCEprotect probably can contribute to it. Talos intelligence also looks into a lot of other items and variable values.

I didn't know Talos before, so I don't know how it works. But I wonder if it is just a copy/paste from other blacklists. On UCEprotect our address range is actually listed on level 3 and 2. Of course our server/IP has never been listed on level 1. We are not on the whitelisting offered by UCEprotect.

If servers you're connecting to are using Cisco intelligence (i.e. Talos) then it's very likely the only means to get email to them is to have them put you on an allow list (which means they still subject your emails to scans but accept the initial connection). Whitelisting (the old term) to bypass scanners is likely not ideal for them. Perhaps you can suggest that to get your emails through in the meantime.

One of our clients has done this and it works. Another can't do that individually and it seems to be "a longer process"...

If your server continues to send legitimate emails, it will improve in score.

If it doesn't improve, I highly recommend looking at your server with greater scrutiny to find out why it's continuing to drop.

Are you mass mailing in any way? If so, look into ensuring all your emails are SPF, DKIM and DMARC compliant first.

Our server has been up for more than a year with the same IP. Since then there has never been any impact or spam on/from that server. The problem occurred at the beginning of this month.

So I double-checked everything that's going on on that server (in the frontend, in logs, processes, on the network layer). All fine. The only thing I noticed is the UCEprotect listing for level 3 and then level 2. But when I read about Talos, it doesn't seem that this alone should be the reason.

I've checked again...

https://dkimvalidator.com

SpamAssassin Score: -5.1
Message is NOT marked as spam
Points breakdown: 
-5.0 RCVD_IN_DNSWL_HI       RBL: Sender listed at https://www.dnswl.org/,
                            high trust
                            [**MYIP** listed in list.dnswl.org]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.0 TVD_SPACE_RATIO        No description available.

and mxtoolbox.com

            DMARC Record Published       DMARC Record found
Status Ok   DMARC Syntax Check           The record is valid
Status Ok   DMARC External Validation    All external domains in your DMARC record are giving permission to send them DMARC reports.
Status Ok   DMARC Multiple Records       Multiple DMARC records corrected to a single record.
Status Ok   DMARC Policy Not Enabled     DMARC Quarantine/Reject policy enabled

Ensure emails are not going to recipients that do not exist; this type of behaviour is considered directory harvesting, which will impact your reputation.

Of course. But sometimes public authorities get a new structure and so new email addresses. But it is not more than individuals would send. We don't want to spam them; we write individual emails (auto-generated) to them.

Are you sharing your sending IP with other tenants? They could also be a culprit.

No, it's an individual IP on a v-server.

There are many items.

Yes, so I need to understand why Talos rates us so badly. The main problem is that we are completely rejected. We are not on other lists, except UCEprotect 2, 3 (so that's not the fault of our IP).

In the logs I've seen:

status=deferred (host mx2.***.de[***] refused to talk to me: 421 #4.4.5 Too many connections from your host.)

This is from one of our clients, so we continuously send mails to them. I was wondering because it was after sending only 3 or 4 mails in a short time. They are using a Cisco system, so I don't know whether their low limit setting will (or could) put us on the Talos blacklist?


I do want to ask: your mail gateway that you're using, is it a Cisco Secure Email gateway?

No.

My last ticket in this case here on Talos from 2022-05-14 hasn't been dealt with.

Could you find my ticket/IP and have a look at why we are rated with a critical spam level and poor reputation?

Thanks, marcus
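The "421 #4.4.5 Too many connections from your host" deferral quoted in this reply, and the directory-harvesting warning in the first reply, are both visible in an outbound MTA's own log before they show up in any reputation score. The following is an added example written for this thread (not code from the forum, from Postfix, Cisco or Talos): it parses Postfix-style `postfix/smtp` delivery lines, counts outcomes per destination host and SMTP reply code, lists the hosts that are refusing connections because of a per-source connection limit, and lists recipients that bounced as unknown users. The log lines are constructed samples; hostnames and addresses are documentation values.

```python
"""Summarise Postfix smtp delivery log lines by remote host and SMTP reply code.

Added example for this thread (not code from the forum, Postfix, Cisco or
Talos). The regexes below are written for this example and are not Postfix's
own; the SAMPLE_LOG lines are constructed, with documentation hostnames.
"""
import re
from collections import Counter

# Fields of a postfix/smtp delivery record (example regex, not Postfix's own).
RECORD = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue_id>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>\S+), .*?dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
# "host NAME[ADDR] refused to talk to me: 421 ..." inside the parenthesised detail.
HOST_REPLY = re.compile(r"host (?P<host>\S+?)\[(?P<addr>[^\]]*)\][^:]*: (?P<code>[245]\d\d)")

SAMPLE_LOG = """\
May 16 10:02:11 mail postfix/smtp[2201]: 3A1B2C3D4E: to=<a@example.org>, relay=none, delay=0.5, delays=0.1/0/0.4/0, dsn=4.4.5, status=deferred (host mx2.example.org[203.0.113.10] refused to talk to me: 421 #4.4.5 Too many connections from your host.)
May 16 10:02:12 mail postfix/smtp[2202]: 3A1B2C3D4F: to=<b@example.org>, relay=none, delay=0.4, delays=0.1/0/0.3/0, dsn=4.4.5, status=deferred (host mx2.example.org[203.0.113.10] refused to talk to me: 421 #4.4.5 Too many connections from your host.)
May 16 10:02:13 mail postfix/smtp[2203]: 3A1B2C3D50: to=<c@example.org>, relay=mx2.example.org[203.0.113.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F00)
May 16 10:02:14 mail postfix/smtp[2204]: 3A1B2C3D51: to=<old-address@example.net>, relay=mx1.example.net[198.51.100.5]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=5.1.1, status=bounced (host mx1.example.net[198.51.100.5] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
May 16 10:02:15 mail postfix/smtp[2205]: 3A1B2C3D52: to=<d@example.org>, relay=none, delay=0.3, delays=0.1/0/0.2/0, dsn=4.4.5, status=deferred (host mx2.example.org[203.0.113.10] refused to talk to me: 421 #4.4.5 Too many connections from your host.)
"""


def parse_record(line):
    """Return a dict for one delivery line, or None if it is not one."""
    m = RECORD.search(line)
    if not m:
        return None
    rec = m.groupdict()
    h = HOST_REPLY.search(rec["detail"])
    if h:
        # Remote host and reply code named inside the detail text.
        rec["host"], rec["code"] = h["host"], int(h["code"])
    else:
        # No "host ..." in the detail: take the host from relay= and the
        # leading 3-digit reply code from the detail (e.g. "250 2.0.0 Ok").
        relay = re.match(r"(?P<host>[^\[]+)\[", rec["relay"])
        rec["host"] = relay["host"] if relay else None
        code = re.match(r"(\d{3})", rec["detail"])
        rec["code"] = int(code.group(1)) if code else None
    return rec


def summarize(log_text):
    """Count (host, status, reply code) triples across all parseable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            counts[(rec["host"], rec["status"], rec["code"])] += 1
    return counts


def connection_limited_hosts(log_text, threshold=2):
    """Hosts that answered 421 with a 'too many connections' text at least
    `threshold` times: candidates for a lower per-destination concurrency."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if (rec and rec["status"] == "deferred" and rec["code"] == 421
                and "too many connections" in rec["detail"].lower()):
            hits[rec["host"]] += 1
    return sorted(h for h, n in hits.items() if n >= threshold)


def unknown_recipient_bounces(log_text):
    """Recipients bounced with DSN 5.1.1 (user unknown): the 'recipients that
    do not exist' pattern that receivers read as directory harvesting."""
    return [rec["rcpt"] for rec in map(parse_record, log_text.splitlines())
            if rec and rec["status"] == "bounced" and rec["dsn"] == "5.1.1"]


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(n, key)
    print("connection-limited:", connection_limited_hosts(SAMPLE_LOG))
    print("unknown recipients:", unknown_recipient_bounces(SAMPLE_LOG))
```

Feed it `grep postfix/smtp /var/log/mail.log` instead of `SAMPLE_LOG` to run it on a real mail log. A host that appears in the connection-limited list is answering to parallel connections from the sending IP, not to message content, so the fix on the sending side is to cap parallel deliveries to that destination (Postfix's `smtp_destination_concurrency_limit`, or a dedicated transport with a lower limit) rather than to retry harder. Recipients in the unknown-user list should be removed from the sending system's address data before they accumulate.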
