• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3739

Why is my E-Mail reputation Poor on Senderbase?

At the end of March we were under a rNDR attack and got blacklisted and a poor score on SenderBase. That problem has been taken care of. Then last Wed. 4-8-09 we were blacklisted and poor on SB when a workstation was infected with a spam bot. That problem was resolved the same day. We were cleared on SB by Sat. or Sun. Now we are back to poor at SB but no blacklists. We have also blocked all outgoing port 25 traffic except for Exchange. I have NetFlow Analyzer monitoring traffic and don't see any suspicious port 25 traffic. We did find a user sending "adult" photos and videos to friends using an outside Cbeyond (they use IronPort) server on port 587. Could that be it? I get no response from SenderBase, but they show we are still sending spam. Please advise. IP of server: 67.64.176.41
Asked by: jdcreece
1 Solution
 
dud386 commented:
Make sure you're delisted on all sites; it still says you're listed here: 67.64.176.41


dud386 commented:
Oops, pasted the wrong thing :-) Check here: http://www.uceprotect.net/en/rblcheck.php

jdcreece (author) commented:
Thanks for the info. I guess we just have to wait until tomorrow. What about sending on 587? Does IronPort watch that too and "score" the content?

dud386 commented:
Not sure on port 587; I checked through the site and couldn't find anything on rules.

Mestha commented:
They are looking at your traffic, not the port that you are using. 587 is the TLS port, and you have to be sending to a site that can support that. Normally that is a private arrangement between two sites, as 587 is not usually used.

Simon.
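The blind spot this thread keeps circling is a workstation handing mail to an outside server on 587 (or 465) while port 25 is blocked for everyone but Exchange; a reputation system sees that traffic as coming from the site's public IP regardless of port. That is easy to pull out of flow data. The following is an added example, not code from the thread or from any NetFlow product: it runs a few constructed flow records through a check that flags any internal host other than the authorised mail server talking to an external address on 25, 465 or 587. The internal range, the allowed sender and the flow records are all hypothetical.

```python
"""Flag internal hosts that hand mail directly to outside servers.

Added example, not from the thread or from any NetFlow product. It runs
over a few constructed NetFlow-style records (not real traffic) and
reports every internal source, other than the one authorised mail
server, that talks to an external address on an SMTP port. Port 25 is
already blocked at the firewall in the thread, so 587 and 465 are the
ports that still carry unmonitored mail.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}

# Assumptions for the example (hypothetical addressing): the site's
# internal range and the single host allowed to send mail out.
INTERNAL_NET = ip_network("192.168.10.0/24")
ALLOWED_SENDERS = {ip_address("192.168.10.5")}      # the Exchange server

# Constructed flow records: (src, dst, dst_port, packets). RFC 5737
# documentation addresses stand in for external hosts.
FLOWS = [
    ("192.168.10.5",  "198.51.100.10", 25,  40),   # Exchange -> remote MX: expected
    ("192.168.10.5",  "203.0.113.7",   25,  12),   # Exchange again
    ("192.168.10.77", "203.0.113.40",  587, 250),  # workstation -> outside submission port
    ("192.168.10.77", "203.0.113.40",  587, 180),  # same pair, later flow
    ("192.168.10.42", "198.51.100.1",  443, 30),   # HTTPS: not mail
    ("192.168.10.99", "198.51.100.25", 465, 9),    # another workstation, SMTPS
    ("192.168.10.99", "192.168.10.5",  587, 5),    # submission to our own Exchange: fine
    ("10.0.0.3",      "198.51.100.2",  25,  1),    # not in our range: ignored
]


def parse_flow(rec):
    """Normalise one record into typed fields."""
    src, dst, dport, pkts = rec
    return ip_address(src), ip_address(dst), int(dport), int(pkts)


def rogue_mail_senders(flows, internal=INTERNAL_NET, allowed=ALLOWED_SENDERS):
    """Return {src: {(dst, port): packets}} for unauthorised internal->external mail egress."""
    hits = defaultdict(lambda: defaultdict(int))
    for rec in flows:
        src, dst, dport, pkts = parse_flow(rec)
        if dport not in MAIL_PORTS:
            continue                          # not a mail port at all
        if src not in internal or dst in internal:
            continue                          # only internal -> external egress matters
        if src in allowed:
            continue                          # the mail server is supposed to do this
        hits[str(src)][(str(dst), dport)] += pkts
    return {src: dict(dests) for src, dests in hits.items()}


def report(hits):
    """One line per offending (source, destination, port), packet totals aggregated."""
    lines = []
    for src, dests in sorted(hits.items()):
        for (dst, port), pkts in sorted(dests.items()):
            lines.append(f"{src} -> {dst}:{port} ({MAIL_PORTS[port]}) {pkts} packets")
    return lines


if __name__ == "__main__":
    for line in report(rogue_mail_senders(FLOWS)):
        print(line)
```

Run as-is it lists the two workstations (192.168.10.77 on 587 with the two flows summed, 192.168.10.99 on 465) and nothing for Exchange. The same logic is the firewall complement of the existing port 25 rule: block 465 and 587 outbound for everything except the mail server, so that a user with a personal account at an outside provider, or a bot that has moved to the submission port, cannot spend the site's IP reputation.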

jdcreece (author) commented:
What do you suggest then? We have anywhere from 40-65 users (depending on remote users) that send about 75% of their mail to companies that use IronPort. We've had this server since the middle of '07 with no problems (like this) until recently.

jdcreece (author) commented:
I just got off the phone with IronPort and they said that it could take up to 30 days to get back to neutral. Have y'all ever experienced anything like this?

jdcreece (author) commented:
What about a temp SMTP relay? Would that cause our e-mail to look more suspicious?

Mestha commented:
If you are having email delivery problems, then route your email out through your ISP's SMTP server using a connector.

Simon.

jdcreece (author) commented:
I followed the instructions for setting up the connector on Sembee's web site (wink) and they were pretty straightforward, but I think I've missed something. They use att.net, which requires outbound 465 SSL. I tried creating another SMTP virtual server to use port 465 and then using that as the local bridgehead in the connector, but I keep getting this in the queue: Unable to deliver the message because the destination address was misconfigured as a mail loop.

jdcreece (author) commented:
This is a single frontend/backend Exchange 2003 box.

Mestha commented:
Make sure that you haven't set a smart host on the SMTP virtual server. You may have to switch them round, so the default SMTP VS is on 465 and the second one is on port 25. If you set the IP addresses correctly it shouldn't cause a problem with incoming email. The smart host needs to be AT&T's SMTP server that they tell people to use for OUTBOUND email.

Simon.

jdcreece (author) commented:
Thanks, I will test this out over the weekend. I finally got a response from SenderBase:

Thank you for contacting Senderbase with your request. I see two reasons for the poor reputation of your IP.

First, there were spam complaints against emails sent from your IP around April 8th and 9th. You are obviously aware of this and have already fixed this issue (as you mention in your email). Once you have resolved this issue, the reputation of your IP should begin to improve automatically. The speed of recovery of an IP's reputation depends on many factors including the time passed since the last spam report and the email volume originating from your IP.

Second, in addition to the above spam reports, we also use a variety of techniques and heuristic rules to determine what IP addresses are behaving highly suspiciously and are likely to have been compromised into sending spam or viruses. Your mail server is demonstrating suspicious behavior and we suggest that you investigate/fix the following:

* the rDNS point to a fully qualified domain name (FQDN)
* the rDNS point to a domain which matches the HELO FQDN
* the rDNS point to a domain which matches the sender domain or a domain which matches the parent domain

Once this change is made, the reputation of your IP should automatically improve.


I have checked all of these settings and all seems well. As far as SenderBase/IronPort/Cisco is concerned, I just have to wait? I did have a pfSense box running with spamd greylist/tarpit that would respond VERY SLOWLY to new IPs until a certain amount of time passed, then the IP would be allowed to the real MTA. Do you think this would have affected the part about rDNS and the HELO FQDN?
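The three rDNS conditions SenderBase lists in the reply quoted above can be checked mechanically rather than by eye. The following is an added example, not part of the thread and not SenderBase's or IronPort's own tooling. Live checks need real PTR and A lookups, so a small constructed lookup table stands in for DNS here (made-up names in RFC 5737 address space), and a forward-confirmed rDNS check is included alongside the three listed conditions because that is the test most receiving MTAs actually run against a connecting IP. The two-label "parent domain" rule is an assumption for the example; real deployments use a public-suffix list.

```python
"""Check a sending IP against the rDNS / HELO / sender-domain alignment rules.

Added example, not from the thread or from SenderBase. A constructed
lookup table replaces DNS so the logic runs offline; swap the two
resolver callables for real PTR and A queries in production.
"""

# Constructed DNS data (RFC 5737 addresses, made-up names), not real records.
PTR = {
    "203.0.113.25": "mail.example.net.",                 # a properly configured MTA
    "203.0.113.27": "adsl-203-0-113-27.isp.example.",    # generic ISP-style PTR
}
A = {
    "mail.example.net.": "203.0.113.25",
}


def resolve_ptr(ip, table=PTR):
    """Stand-in for a PTR lookup: returns the rDNS name or None."""
    return table.get(ip)


def resolve_a(name, table=A):
    """Stand-in for an A lookup: returns the address or None."""
    key = name if name.endswith(".") else name + "."
    return table.get(key)


def parent_domain(fqdn):
    """'mail.example.net' -> 'example.net'. Two-label assumption for the example."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_sender_identity(ip, helo, mail_from,
                          ptr_lookup=resolve_ptr, a_lookup=resolve_a):
    """Return a dict of named checks -> bool mirroring SenderBase's list."""
    rdns = ptr_lookup(ip)
    rdns_l = (rdns or "").rstrip(".").lower()
    helo_l = helo.rstrip(".").lower()
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()

    results = {}
    # 1. rDNS exists and is a fully qualified name, not a bare host label.
    results["rdns_is_fqdn"] = bool(rdns) and "." in rdns_l
    # Extra: forward-confirmed rDNS, i.e. the PTR name resolves back to the IP.
    results["fcrdns"] = bool(rdns) and a_lookup(rdns) == ip
    # 2. rDNS domain matches the HELO/EHLO domain.
    results["rdns_matches_helo"] = bool(rdns) and parent_domain(rdns_l) == parent_domain(helo_l)
    # 3. rDNS domain matches the sender domain or its parent domain.
    results["rdns_matches_sender"] = bool(rdns) and parent_domain(rdns_l) == parent_domain(sender_domain)
    return results


def failed_checks(results):
    """Names of the checks that did not pass, in a stable order."""
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    for ip, helo, sender in [
        ("203.0.113.25", "mail.example.net", "bob@example.net"),
        ("203.0.113.25", "EXCHANGE.local", "bob@corp.example.net"),
        ("203.0.113.27", "mail.example.net", "bob@example.net"),
        ("203.0.113.99", "mail.example.net", "bob@example.net"),
    ]:
        r = check_sender_identity(ip, helo, sender)
        print(ip, helo, sender, "->", "OK" if not failed_checks(r) else failed_checks(r))
```

The second case is the one that bites Exchange sites most often: the PTR and sender domain line up, but the server announces its internal Active Directory name in EHLO, so the HELO check fails even though everything else is correct. The third case is what a compromised workstation or a consumer DSL line looks like to a receiver: there is a PTR, but it neither resolves back nor has anything to do with the sending domain.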

Mestha commented:
As long as it responds, the speed of the response shouldn't matter - as long as it is not so slow that a remote server would time out.

Simon.

jdcreece (author) commented:
I can't get it to work; AT&T requires SSL on SMTP. How do I do that?

Mestha commented:
You will need to create a second SMTP virtual server that works on that port. Then on the SMTP connector choose the option to use TLS.

Simon.

jdcreece (author) commented:
A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients.  Contact your administrator. #5.3.5>

jdcreece (author) commented:
I have the default SMTP VS set as it normally is. The AT&T SMTP VS is set the same as the default except for the outgoing port (465). There is no default connector. The AT&T connector is set to use smtp.att.yahoo.com and the bridgehead is the AT&T SMTP VS. On Advanced, under Outbound, I have the user and pass and TLS set.

wbblythe commented:
Senderbase.org is as irresponsible as the spammers they purport to suppress. Cisco is not a viable email security solution as long as they depend on this unsupported website. As much as Cisco charges for their products, one would think they would use a more reliable database, even if they had to pay for it.

tplaya07 commented:
I don't use the word often unless I really mean it... but I absolutely HATE Senderbase. So many people place their trust in this 2-bit operation with almost NO customer service or support at all. We had an incident about a year ago where we were infected with the Storm worm. I remedied the problem on our network, got everything clear (delisted) with all the DNSBLs, but it took Senderbase over a week and a half to reset our score to neutral. I even sent them numerous screenshots showing the detection and quarantine of the virus, charts/stats from the email server showing the normal traffic, etc., etc. Still, for a week and a half we were cut off from email communication with many of our affiliates, including state and federal organizations from which we receive funding. We are a non-profit who works with Medicare, DOEA, FEMA, USDA, and many more to serve over 50,000 residents in our community. Senderbase was able to bring all that to a grinding halt with a single word (poor). To clarify though, I would NOT have as much of a problem with them if they would update within a REASONABLE time period (most within 24 hours) like all the other DNSBL sites... but 1.5 weeks AFTER we are clear from all the other DNSBLs is TOTALLY unacceptable. I have no idea how this company has not had multiple class action lawsuits against them for disrupting business communication.