Connection to Earthlink mail servers blocked by Snort

I received a complaint from a user who cannot send from his corporate email account to his Earthlink mail account. After tracing all the steps where a connection could be blocked, I isolated it to the Firepower. Apparently Snort believes the server has a bad reputation.

I checked a few IPs on Talos and they are (or were) definitely blacklisted, e.g.:

https://talosintelligence.com/reputation_center/lookup?search=207.69.189.229

Interestingly enough, if I check by the corresponding machine name, it comes back as trusted.

https://talosintelligence.com/reputation_center/lookup?search=mx6.earthlink.net

This is a new one on me. Is this a Cisco or Earthlink problem and is there a way to whitelist just the relevant MX IPs?

Sample Trace

packet-tracer input DMZ-INT tcp 198.204.112.74 54321 207.69.189.229 25

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 198.204.115.1 using egress ifc OUTSIDE-INT

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc DMZ-INT object-group mta-dmz any4 eq smtp rule-id 268435642
access-list CSM_FW_ACL_ remark rule-id 268435642: ACCESS POLICY: RR-CO-AC - Default
access-list CSM_FW_ACL_ remark rule-id 268435642: L7 RULE: acl_dmz1#64
object-group network mta-dmz
description: MTAs in the DMZ
network-object 198.204.112.74 255.255.255.255
network-object 172.21.6.10 255.255.255.255
network-object 198.204.112.91 255.255.255.255
network-object 172.21.6.72 255.255.255.255
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-198.204.112.0
nat (DMZ-INT,OUTSIDE-INT) static obj-198.204.112.0
Additional Information:
Static translate 198.204.112.74/54321 to 198.204.112.74/54321

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 619176969, packet dispatched to next module

Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 580167530
Session: new snort session
Reputation: packet blacklisted, drop
Snort: processed decoder alerts or actions queue, drop
Snort detect_sdrop: gid 136, sid 1, drop
Snort id 5, NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by SI/Reputation
Snort Verdict: (black-list) black list this flow

Result:
input-interface: DMZ-INT
input-status: up
input-line-status: up
output-interface: OUTSIDE-INT
output-status: up
output-line-status: up
Action: drop
Drop-reason: (reputation) Blocked or blacklisted by the reputation preprocessor
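The trace above is long, and the line that actually decides the question is buried in phase 12: "Verdict BLACKLIST, Blocked by SI/Reputation", echoed by the final "Drop-reason: (reputation)". The following parser is an added example (it is not from the original post and is not a Cisco tool): it splits packet-tracer output into phases, finds the phase that returned DROP, and classifies the blocking mechanism so the right fix is picked. Its sample input is an abridged copy of the trace posted above (phases 2 and 12 plus the final summary); the "allowed" case is handled too, though no such trace appears on the page.

```python
import re
from typing import Dict, List, Optional

# Abridged copy of the packet-tracer output from the post above: the ACL phase that
# hands the flow to Snort, the Snort phase that drops it, and the final summary.
SAMPLE_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc DMZ-INT object-group mta-dmz any4 eq smtp rule-id 268435642
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 12
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 580167530
Session: new snort session
Reputation: packet blacklisted, drop
Snort detect_sdrop: gid 136, sid 1, drop
Snort id 5, NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by SI/Reputation
Snort Verdict: (black-list) black list this flow

Result:
input-interface: DMZ-INT
output-interface: OUTSIDE-INT
Action: drop
Drop-reason: (reputation) Blocked or blacklisted by the reputation preprocessor
"""

SNORT_IDS = re.compile(r"Snort id (\d+), NAP id (\d+), IPS id (\d+), Verdict ([A-Z_]+)")
DROP_REASON = re.compile(r"^\((?P<code>[^)]+)\)")   # "(reputation) ..." -> "reputation"


def parse_packet_tracer(text: str) -> Dict:
    """Split packet-tracer output into its numbered phases and the final 'Result:' block."""
    phases: List[Dict] = []
    final: Dict[str, str] = {}
    current: Optional[Dict] = None
    section: Optional[str] = None   # "config" or "info" while inside a phase
    in_final = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":          # a bare "Result:" opens the final summary
            in_final, current = True, None
        elif in_final:
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif current is None:
            continue
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is None and line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            current[key.lower()] = value.strip()
        elif section:
            current[section].append(line)
    return {"phases": phases, "final": final}


def snort_verdict(phase: Dict) -> Optional[Dict]:
    """Pull the Snort instance, NAP and IPS policy ids and the verdict out of a SNORT phase."""
    for line in phase["info"]:
        m = SNORT_IDS.search(line)
        if m:
            return {"snort_id": int(m[1]), "nap_id": int(m[2]),
                    "ips_id": int(m[3]), "verdict": m[4]}
    return None


def explain_verdict(text: str) -> Dict:
    """Report which phase dropped the packet and which mechanism did it:
    Security Intelligence (reputation), an access-control rule, or a Snort IPS verdict."""
    parsed = parse_packet_tracer(text)
    final = parsed["final"]
    out = {"action": final.get("Action", "").lower(), "phase": None,
           "blocked_by": None, "reason_code": None}
    if out["action"] != "drop":
        return out
    m = DROP_REASON.match(final.get("Drop-reason", ""))
    out["reason_code"] = m["code"] if m else None
    drop_phase = next((p for p in parsed["phases"] if p["result"].upper() == "DROP"), None)
    if drop_phase is None:
        out["blocked_by"] = "unknown"
        return out
    out["phase"] = drop_phase["phase"]
    si_hit = any("Blocked by SI/Reputation" in l for l in drop_phase["info"])
    if drop_phase["type"] == "SNORT":
        out["blocked_by"] = ("security-intelligence"
                             if si_hit or out["reason_code"] == "reputation" else "snort-ips")
    elif drop_phase["type"] == "ACCESS-LIST":
        out["blocked_by"] = "access-control-rule"
    else:
        out["blocked_by"] = drop_phase["type"].lower()
    return out


if __name__ == "__main__":
    print(explain_verdict(SAMPLE_TRACE))
```

The distinction the classifier makes matters for the remediation: a "security-intelligence" result means the flow was dropped by the Security Intelligence feed before any access-control or intrusion rule was consulted, so editing the ACL (which already permits the flow in phase 2) will not help; the block has to be lifted on the SI side, either by disputing the Talos reputation or by an SI exception for the specific MX addresses.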

3 Replies

nspasov
Cisco Employee

There are a few things to mention here:

  • You can always submit a dispute directly from the TALOS page
  • I checked that IP in both Umbrella Investigate and VirusTotal and both are reporting several malware samples associated with it.
  • This particular IP appears to be assigned to Roswell High School. Thus, the issue is not with the Service Provider but the actual consumer of the IP. 

I hope this helps!

Thank you for rating helpful posts!


I checked Umbrella and it verified the MX IPs have been associated with malware recently so it looks like the blacklisting was justified. However, it seems to be lifted -- at least for the time being -- so the user can send emails normally.

The bit about Roswell High School is a little weird. I wonder if it is just a joke.

Anyway, thanks for the help.

I was simply relying on the info from ARIN which shows Roswell High School as the owner of the IP with registration dating back to 1999. I suppose the info could be wrong but I have no better methods/tools that are free to check this :)

https://rdap.arin.net/registry/ip/207.69.189.224

