Connection to Earthlink mail servers blocked by Snort

I received a complaint from a user who cannot send from his corporate email account to his Earthlink mail account. After tracing all the steps where a connection could be blocked, I isolated it to the Firepower. Apparently Snort believes the server has a bad reputation.

I checked a few IPs on Talos and they are (or were) definitely blacklisted, e.g.:

https://talosintelligence.com/reputation_center/lookup?search=207.69.189.229

Interestingly enough, if I check by the corresponding machine name, it comes back as trusted.

https://talosintelligence.com/reputation_center/lookup?search=mx6.earthlink.net

This is a new one on me. Is this a Cisco or Earthlink problem and is there a way to whitelist just the relevant MX IPs?

Sample Trace

-- packet-tracer input DMZ-INT tcp 198.204.112.74 54321 207.69.189.229 25

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 198.204.115.1 using egress ifc OUTSIDE-INT

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc DMZ-INT object-group mta-dmz any4 eq smtp rule-id 268435642
access-list CSM_FW_ACL_ remark rule-id 268435642: ACCESS POLICY: RR-CO-AC - Default
access-list CSM_FW_ACL_ remark rule-id 268435642: L7 RULE: acl_dmz1#64
object-group network mta-dmz
description: MTAs in the DMZ
network-object 198.204.112.74 255.255.255.255
network-object 172.21.6.10 255.255.255.255
network-object 198.204.112.91 255.255.255.255
network-object 172.21.6.72 255.255.255.255
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-198.204.112.0
nat (DMZ-INT,OUTSIDE-INT) static obj-198.204.112.0
Additional Information:
Static translate 198.204.112.74/54321 to 198.204.112.74/54321

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 619176969, packet dispatched to next module

Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 580167530
Session: new snort session
Reputation: packet blacklisted, drop
Snort: processed decoder alerts or actions queue, drop
Snort detect_sdrop: gid 136, sid 1, drop
Snort id 5, NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by SI/Reputation
Snort Verdict: (black-list) black list this flow

Result:
input-interface: DMZ-INT
input-status: up
input-line-status: up
output-interface: OUTSIDE-INT
output-status: up
output-line-status: up
Action: drop
Drop-reason: (reputation) Blocked or blacklisted by the reputation preprocessor
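When a trace like the one above is one of many, it helps to triage mechanically: find the phase that returned DROP, pull the Drop-reason, the ACL rule-id the flow matched, and the Snort gid:sid, and decide whether the block came from Security Intelligence/reputation rather than from the access policy or an IPS rule. The following parser is an added example and not part of the original post; the embedded SAMPLE_TRACE is a trimmed copy of the packet-tracer output quoted above, and the phase/field names it keys on (Phase, Type, Result, Action, Drop-reason) are the ones visible in that output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the packet-tracer output from the post, trimmed to the
# ACL handoff to Snort, the SNORT drop phase and the final Result block.
SAMPLE_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc DMZ-INT object-group mta-dmz any4 eq smtp rule-id 268435642
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 12
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 580167530
Reputation: packet blacklisted, drop
Snort detect_sdrop: gid 136, sid 1, drop
Snort id 5, NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by SI/Reputation
Snort Verdict: (black-list) black list this flow

Result:
input-interface: DMZ-INT
output-interface: OUTSIDE-INT
Action: drop
Drop-reason: (reputation) Blocked or blacklisted by the reputation preprocessor
"""


@dataclass
class Phase:
    number: int
    type: str
    result: str
    lines: List[str] = field(default_factory=list)


@dataclass
class TraceSummary:
    action: str
    drop_reason: Optional[str]
    drop_phase: Optional[Phase]
    acl_rule_ids: List[str]
    gid_sid: Optional[str]


def parse_phases(text: str) -> List[Phase]:
    """Split packet-tracer output into its numbered phases."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)), "", "")
            phases.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            value = line.split(":", 1)[1].strip()
            if not value:  # a bare "Result:" opens the final summary block
                current = None
                continue
            current.result = value
        else:
            current.lines.append(line)
    return phases


def summarize(text: str) -> TraceSummary:
    """Extract the fields an operator needs to classify the verdict."""
    phases = parse_phases(text)
    drop_phase = next((p for p in phases if p.result.upper() == "DROP"), None)
    action = re.search(r"^Action:\s*(\S+)", text, re.M)
    reason = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    rule_ids = sorted(set(re.findall(r"rule-id (\d+)", text)))
    gid_sid = re.search(r"gid (\d+), sid (\d+)", text)
    return TraceSummary(
        action=action.group(1) if action else "unknown",
        drop_reason=reason.group(1).strip() if reason else None,
        drop_phase=drop_phase,
        acl_rule_ids=rule_ids,
        gid_sid=f"{gid_sid.group(1)}:{gid_sid.group(2)}" if gid_sid else None,
    )


def is_reputation_block(summary: TraceSummary) -> bool:
    """True when the drop came from Security Intelligence/reputation in the
    SNORT phase, i.e. not from the access control policy or an IPS rule."""
    return (summary.drop_phase is not None
            and summary.drop_phase.type == "SNORT"
            and summary.drop_reason is not None
            and summary.drop_reason.startswith("(reputation)"))


if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE)
    print(f"action={s.action} phase={s.drop_phase.number if s.drop_phase else None} "
          f"type={s.drop_phase.type if s.drop_phase else None} gid:sid={s.gid_sid} "
          f"acl_rules={s.acl_rule_ids} reputation={is_reputation_block(s)}")
```

The distinction the classifier draws matters for the follow-up: a reputation drop is handled by disputing the listing or adjusting the Security Intelligence lists, whereas a DROP in the ACCESS-LIST phase points at the access policy and a non-reputation Snort drop at an IPS rule. In the trace above the pair gid 136, sid 1 is consistent with the "Blocked by SI/Reputation" line, since GID 136 is the Snort reputation preprocessor.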

3 Replies

nspasov
Cisco Employee

There a few things to mention here:

  • You can always submit a dispute directly from the TALOS page
  • I checked that IP in both Umbrella Investigate and VirusTotal and both are reporting several malware samples associated with it:
  • This particular IP appears to be assigned to Roswell High School. Thus, the issue is not with the Service Provider but the actual consumer of the IP. 

I hope this helps!

Thank you for rating helpful posts!


I checked Umbrella and it verified the MX IPs have been associated with malware recently so it looks like the blacklisting was justified. However, it seems to be lifted -- at least for the time being -- so the user can send emails normally.

The bit about Roswell High School is a little weird. I wonder if it is just a joke.

Anyway, thanks for the help.

I was simply relying on the info from ARIN which shows Roswell High School as the owner of the IP with registration dating back to 1999. I suppose the info could be wrong but I have no better methods/tools that are free to check this :)

https://rdap.arin.net/registry/ip/207.69.189.224

Thank you for rating helpful posts!
