Solved

TrustedSource listed IP as high-risk for only one member/site of a 2-node stretched DAG

Posted on 2014-10-26
Last Modified: 2014-10-29
2-node stretched DAG
Each site obviously has its own HT/CAS.
I fail over to Site B and after about a week or so the external IP goes from "minimal risk" to "high risk" at http://trustedsource.org/
I of course modify the "Source Server" so that it is in the same site as the active node.
I have PTR records for each external IP that shows up in the header (regardless of which site is active).
If I fail back to Site A everything is fine.
I do believe I have the SPF properly set, and we only show up as a risk on http://trustedsource.org/.
I have checked the IP against multiple online checks; only McAfee's TrustedSource has us listed.
When we contact them all they can say is that the IP is associated with a known spammer. No other details.
Yet, when we fail back to Site A that IP never gets listed, no matter how long we use that site.

What is going on?

Thank you for your time in advance!

-KB
Question by: K B
8 Comments
LVL 81

Expert Comment

by: David Johnson, CD, MVP
ID: 40405626
Perhaps Site B's IP had hosted a spammer in the past; see if you can get another IP address for Site B.
LVL 8

Author Comment

by: K B
ID: 40405688
Thank you for your reply.

It's a block of listed "low risk" IPs (for Site B) I have at my disposal. They haven't been utilized in over 5 years.

I did swap out the IP for another fresh "low risk" IP. Once again, one week later it was listed as "high risk".

The original IP I used on Site B is now down to "Low Risk" yet again. It must be something we are doing with the IP as opposed to what others may have done with them in the past. The confusion is around the fact that we are doing the very same thing in Site B that we do in Site A.

I just requested the client provide a full list of all servers that are using Exchange as a relay. I wonder if they are using the IP of the passive site's HT/CAS and if that would cause an issue. Not sure how it would, though. The SPF and PTR records are in place.

Any help would be greatly appreciated.

-KB
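Added example (not code from the original thread or from any of the posters): a small Python script that runs the checks KB describes for the question's two-site setup, so the same tests can be repeated against whichever site is active after a failover. It pulls the connecting IP out of a recipient's topmost Received: header, confirms forward-confirmed reverse DNS (the PTR name resolves back to the IP), evaluates the domain's v=spf1 record for that IP (ip4 with CIDR, a, all, with qualifiers), and maps the IP back to a site. It also covers the case raised in the comment just above: an internal relay sending out through an address that is not in the SPF record. The IPs, hostnames, SPF record and Received header are constructed sample data in documentation ranges, not the client's real records; the names SITE_IPS, DNS and the functions below are this example's own assumptions. A real check would replace the DNS dictionary with live lookups.

```python
"""
Added sanity check for a stretched DAG's outbound mail path (example code,
not from the original thread). For the IP a recipient sees in its topmost
Received: header it answers three questions the thread raises: does the IP
have forward-confirmed reverse DNS, does the domain's SPF record authorise
it, and which site does it belong to? All DNS data below is constructed.
"""
import ipaddress
import re

# Constructed sample data: documentation-range addresses and example.com
# names standing in for the two sites' real external IPs and records.
SITE_IPS = {"Site A": "203.0.113.10", "Site B": "198.51.100.20"}
DNS = {
    "PTR": {
        "203.0.113.10": "mail-a.example.com",
        "198.51.100.20": "mail-b.example.com",
    },
    "A": {
        "mail-a.example.com": ["203.0.113.10"],
        "mail-b.example.com": ["198.51.100.20"],
    },
    # Site A listed as a single host, Site B via a /28 covering .16-.31.
    "TXT": {"example.com": ["v=spf1 ip4:203.0.113.10 ip4:198.51.100.16/28 -all"]},
}

# Constructed header as a receiving MTA would record a Site B connection.
SAMPLE_RECEIVED = (
    "Received: from mail-b.example.com (mail-b.example.com [198.51.100.20])\n"
    "\tby mx.recipient.example with ESMTP id 0123abcd; Sun, 26 Oct 2014 10:00:00 +0000"
)

SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def connecting_ip(received_header):
    """Return the first bracketed IPv4 literal in a Received: header, or None."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received_header)
    return m.group(1) if m else None


def fcrdns(ip, dns):
    """Forward-confirmed reverse DNS: the PTR name must have an A record back to ip."""
    name = dns["PTR"].get(ip)
    if name is None:
        return False, "no PTR record"
    if ip not in dns["A"].get(name, []):
        return False, f"PTR {name} does not resolve back to {ip}"
    return True, name


def spf_result(ip, domain, dns):
    """Evaluate the domain's v=spf1 record for ip.

    Handles the ip4, a and all mechanisms with qualifiers; include/mx/exists
    are skipped (treated as no match), which is enough for the flat record in
    this example. Returns pass/fail/softfail/neutral, or 'none' when the domain
    has no single usable record (RFC 7208 makes multiple records a permerror).
    """
    records = [t for t in dns["TXT"].get(domain, []) if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in dns["A"].get(arg or domain, [])
        elif mech == "all":
            matched = True
        else:
            continue
        if matched:
            return SPF_RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def audit(ip, domain, dns, site_ips=SITE_IPS):
    """Combine the checks for one connecting IP into a single report."""
    ok, detail = fcrdns(ip, dns)
    return {
        "ip": ip,
        "site": next((s for s, a in site_ips.items() if a == ip), "unknown"),
        "fcrdns": ok,
        "ptr": detail if ok else None,
        "fcrdns_detail": None if ok else detail,
        "spf": spf_result(ip, domain, dns),
    }


if __name__ == "__main__":
    # Both sites plus a hypothetical internal relay bound to an IP outside SPF.
    for ip in list(SITE_IPS.values()) + ["198.51.100.40"]:
        print(audit(ip, "example.com", DNS))
    print(audit(connecting_ip(SAMPLE_RECEIVED), "example.com", DNS))
```

Run as a script it prints one report per site plus the hypothetical relay address; an `spf` of `fail` or `fcrdns` of `False` for the active site's IP is a configuration problem to fix before treating the listing purely as a reputation issue.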
LVL 63

Accepted Solution

by: Simon Butler (Sembee) earned 500 total points
ID: 40407320
If the address hasn't been used, then suddenly starts sending out email, then that would raise a flag. It has no reputation to build on, so the risk assessment algorithms don't know if it is legitimate or not. Once the reputation starts to build up then it will become less of a risk.

Simon.
LVL 8

Author Comment

by: K B
ID: 40407358
Simon,
Thanks for your reply.
The problem seems to be that mail does not reach their intended recipients during this time of "high risk".  How do we move past that?
-KB
LVL 63

Expert Comment

by: Simon Butler (Sembee)
ID: 40407364
No idea. I don't use McAfee's services.

I check my own IP address and that is flagged as high risk as well, and I have no problems sending email to my clients. I checked a few other clients and those are fine as well.

Are you sure that it is the McAfee service that is being used to block the messages?

Simon.
LVL 8

Author Comment

by: K B
ID: 40407377
Yes, and the recipients are companies like ATT.com.
Not all domains are affected, but ATT.com is huge for this client.
LVL 63

Expert Comment

by: Simon Butler (Sembee)
ID: 40407402
Not being in the USA, AT&T is not a company I have anything to do with.
The last I heard they used their own blacklists (as most major email providers do).
http://rbl.att.net/block_inquiry.html

If you are getting blocked by the provider they should tell you why.

The only suggestion in this scenario is to route email out through another service or server that is trusted. You have no way of knowing why the address is listed as high risk, as the providers are not going to say.

Simon.
LVL 8

Author Comment

by: K B
ID: 40407434
Simon,

That AT&T link is terrific - Thank you!

So on the same page that you see your rating (for example: http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=8.8.8.8) you can click the "threat feedback" link - it looks like a breadcrumb link - and you can submit a case stating your email (rejections) are a false positive.  

I did so that very day but the customer wanted to fail-back to the site that never experienced the issue - who can blame them.  

So I am unsure if my "feedback" will stick if we fail-over yet again.  
They ask for your email but I have yet to receive a reply.  
Though they do say:

Threat Feedback
Your request has been submitted. Our email response charter is 24-48 hours (Monday-Friday).

Thank you,
McAfee Customer Service Team