Spam Level Critical on IP

rdansereau
Level 1

Hello,

The IP address that my client is using to send has been listed as "Spam Level - Critical".

I made a ticket to ask for the reputation to be adjusted, but was denied with them saying the following:

"RESOLVED_CLOSED : UNCHANGED - Our worldwide sensor network indicates that spam originated from the submitted IP. We suggest checking these possibilities to help isolate the root cause of the spam originating from your IP, including, but not limited to:

- A server, user computer, router or switch on the IP's network may be compromised by a trojan spam virus;
- There may be an open port 25 through which a spammer may be gaining access and sending out spam;
- A user may be sending spam through the IP.
- Compromised hosting or mail accounts, which are then used to authenticate and send through other ports.

In general, once all issues have been addressed (fixed), reputation recovery will be automatic and can take anywhere from a few hours to just over one week to improve.

Regards, Reputation Support"

 

There is no reason to believe a bad actor is sending out spam through the IP. This IP is used to send internal messaging only and no internal reports of spam have been made. Is it possible to get more context on what is considered "spam"? There was a large volume spike two days ago from the IP - could this be considered spam sending, or would that be evaluated in email volume? As these are internal messages, they are sent in batches as necessary but could be throttled. Would spam relate to something more so within the content of the message that could be getting flagged?

Looking for any assistance in a deeper explanation of what is meant by spam.

1 Reply

ccieexpert
Spotlight

Hello,

Your statement is a bit contradictory. You are saying they are internal emails, but the IP is public, which means that the mail server is also sending to the internet using the public IP to get blacklisted.

I would make sure that on your firewall, only the authorized mail server is able to send email to the internet. It is possible that a compromised machine is directly sending email to the internet, and if everyone (including the mail server) is NATed to the same IP... please block port 25 from everyone inside (except the mail server) to the internet.

Check your IP and see if you are blacklisted by multiple sources. If yes, then more than likely there was some sort of spam/activity.

See here the reasons for blacklisting and try to take preventive measures.

You can change the mail server to use another public IP as a workaround.

https://mxtoolbox.com/blacklists.aspx

https://www.warmupinbox.com/post/email-blacklist-removal#:~:text=A%20blacklist%20acts%20as%20a,landing%20you%20on%20a%20blacklist.

**Please rate as helpful if this was useful**
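
The reply's advice to allow port 25 to the internet only from the mail server can be checked against firewall logs before and after the block rule goes in. The following is an added example, not part of the original thread: the log format, the internal range `10.0.0.0/8` and the mail server address `10.0.5.10` are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumptions (not from the thread): internal range and the one host
# that is allowed to deliver mail to the internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AUTHORIZED_MAIL_SERVERS = {"10.0.5.10"}

# Constructed sample lines in a made-up key=value firewall log format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 action=allow proto=tcp src=10.0.5.10 dst=203.0.113.25 dport=25
2024-05-01T09:00:02 action=allow proto=tcp src=10.0.8.44 dst=198.51.100.7 dport=25
2024-05-01T09:00:03 action=allow proto=tcp src=10.0.8.44 dst=198.51.100.9 dport=25
2024-05-01T09:00:04 action=allow proto=tcp src=10.0.8.44 dst=10.0.5.10 dport=25
2024-05-01T09:00:05 action=deny proto=tcp src=10.0.9.12 dst=203.0.113.80 dport=25
2024-05-01T09:00:06 action=allow proto=tcp src=10.0.9.12 dst=203.0.113.80 dport=443
2024-05-01T09:00:07 action=allow proto=udp src=10.0.7.3 dst=192.0.2.53 dport=25
"""

LINE_RE = re.compile(
    r"action=(\w+) proto=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def unauthorized_smtp(log_text):
    """Per internal host (mail server excluded): TCP/25 flows to the internet, by action."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        action, proto, src, dst, dport = m.groups()
        if proto != "tcp" or dport != "25":
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # only inside-to-internet traffic matters here
        if src in AUTHORIZED_MAIL_SERVERS:
            continue  # the mail server is expected to send
        hits[src][action] += 1
    return {src: dict(counts) for src, counts in hits.items()}


if __name__ == "__main__":
    for src, counts in sorted(unauthorized_smtp(SAMPLE_LOG).items()):
        print(src, counts)
```

Hosts with `allow` counts are sending mail directly from behind the shared NAT address; hosts with only `deny` counts are already blocked but are still worth inspecting, since a workstation has no reason to attempt direct SMTP delivery.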