
IP Reputation Check vs. IP Reputation Lookup

BWC, Cybersecurity Overlord ✭✭✭

Hi,

Today a customer reported that he was missing incoming mails on his Hosted Email Security. I had a hunch that it was because of some reputation from the sender's IP address; sadly HES isn't reporting this, but my ESA did.

The Connection Log on the ESA showed the message from the same sender as blocked with IP Reputation. But when I'm checking the address via the IP Lookup provided by SNWL it isn't listed?

What's the logic on this? I'll probably end up in a support case for that.

--Michael@BWC

Category: Email Security Appliances

Answers

  • David W, SonicWall Employee

    @BWC The link in question does not check every database we use for IP Reputation.

    It does need to be updated and I will discuss it in one of our next meetings.

    David Wilbur

    Technical Support Senior Advisor, Premier Services, SME Email Security

  • BWC, Cybersecurity Overlord ✭✭✭

    Hi @David W yes indeed, this would be helpful to have consistent behaviour between on-appliance and external lookup. Thanks for taking care.

    --Michael@BWC

  • I often found IP address blocked by IP Reputation.

    Checking those IPs via IP Reputation Lookup always gives "Not Listed". Also checked on MX Toolbox: no blacklist at all.

    It is quite annoying that I have to submit a support case for every single one of these false positive cases.

  • BWC, Cybersecurity Overlord ✭✭✭

    @David W any news on that, how did the discussion go?

    Today notification mails from the Bavarian Vaccination Centers are getting blocked due to IP Reputation, which is wrong on all levels and has real impact.

    Any other IP Reputation Check (mxtoolbox, Cyren, Cisco, etc.) says "No risk" or gives a good score. How did SNWL come to the conclusion that the IP 94.199.93.161 has a bad reputation?

    Now I have to open another ticket to get this whitelisted, but what about the other addresses which might be listed as well? I have no option to check them. I need to tell every customer to whitelist the sender domain due to bad judgement.

    _spf.general.transactional-mail-a.com. 21451 IN TXT "v=spf1 ip4:94.199.92.0/23 ip4:103.196.252.0/23 ip4:185.93.140.0/22 ip4:185.215.216.0/22 ip4:207.126.136.0/22 ip4:199.204.12.0/22 ip6:2a02:7b01:0:42::1:0/114 ip6:2a02:7b01:1000:42::1:0/114 ip6:2a02:7b01:2000:42::1:0/114 ip6:2a02:7b02:2000:42::1:0/114 ip6:2" "a02:7b02:0:42::1:0/114 ip6:2a02:7b03:0:42::1:0/114 ~all"

    --Michael@BWC
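The SPF record quoted in the post above is the piece of evidence a defender can check locally before opening a ticket: does the blocked IP fall inside a range the sender domain publishes as authorized? The following is an added example, not code from the thread or from SonicWall. It joins the two quoted TXT strings the way RFC 7208 requires, evaluates only the ip4/ip6 mechanisms (include/a/mx would need further DNS lookups and are reported as unresolved), and reports which network matched. The record text is copied from the post; the other test addresses are constructed.

```python
"""Added example: check a sender IP against the ip4:/ip6: mechanisms of an SPF
record.  Not code from the thread; only ip4/ip6 terms are evaluated offline."""
import ipaddress

# The DNS answer in the post is split into two quoted strings; per RFC 7208
# a client concatenates them with no separator before parsing.
SPF_TXT_STRINGS = [
    'v=spf1 ip4:94.199.92.0/23 ip4:103.196.252.0/23 ip4:185.93.140.0/22 '
    'ip4:185.215.216.0/22 ip4:207.126.136.0/22 ip4:199.204.12.0/22 '
    'ip6:2a02:7b01:0:42::1:0/114 ip6:2a02:7b01:1000:42::1:0/114 '
    'ip6:2a02:7b01:2000:42::1:0/114 ip6:2a02:7b02:2000:42::1:0/114 ip6:2',
    'a02:7b02:0:42::1:0/114 ip6:2a02:7b03:0:42::1:0/114 ~all',
]

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def join_txt_strings(strings):
    """Concatenate multi-string TXT data into one record (no separators)."""
    return "".join(strings)


def parse_spf(record):
    """Return (networks, default_qualifier, unresolved_terms).

    networks: list of (qualifier, ip_network) from ip4:/ip6: mechanisms.
    default_qualifier: the qualifier on 'all', or '?' (neutral) if absent.
    unresolved_terms: mechanisms/modifiers that would need DNS (include, a, mx,
    redirect, ...); callers must treat a non-match as partial when non-empty.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    networks, unresolved, default = [], [], "?"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # strict=False tolerates host bits set in the published prefix.
            networks.append((qualifier, ipaddress.ip_network(arg, strict=False)))
        elif name == "all":
            default = qualifier
        else:
            unresolved.append(term)
    return networks, default, unresolved


def check_sender(ip, record):
    """Return (result, matched) where matched is the network that decided it,
    'all' for the default, or 'unresolved:<terms>' if DNS-based terms remain."""
    addr = ipaddress.ip_address(ip)
    networks, default, unresolved = parse_spf(record)
    for qualifier, net in networks:
        if addr.version == net.version and addr in net:
            return QUALIFIER_RESULT[qualifier], str(net)
    if unresolved:
        return QUALIFIER_RESULT[default], "unresolved:" + ",".join(unresolved)
    return QUALIFIER_RESULT[default], "all"


if __name__ == "__main__":
    record = join_txt_strings(SPF_TXT_STRINGS)
    # The IP from the post, one constructed IPv6 sender, one constructed outsider.
    for ip in ("94.199.93.161", "2a02:7b02:0:42::1:5", "203.0.113.7"):
        print(ip, check_sender(ip, record))
```

A "pass" here only tells you the sending host is one the domain owner vouches for; it says nothing about whether a reputation feed has a stale spam entry for it, which is the gap the thread is about. Running this before filing a case gives the support engineer the matched prefix rather than just the bare address.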

  • Larry, Cybersecurity Overlord ✭✭✭

    @BWC - Michael, please escalate this with your account manager after you get a case number.

    I can't empathize with you enough on this one - it is absolutely horrifying.

  • David W, SonicWall Employee

    @BWC Please keep in mind that there are 2 kinds of IP reputation.

    One that blocks the connecting IP and one that considers the sending IP to be spam.

    Appears this was sent into our systems as spam on Nov 2020.

    For now I greylisted that IP, but in the future for something like this you can always add the sender IP to the allowed list, the Connection Management > Allowed IP list, and also the Trusted Networks list as well.

    Almost all of these will work depending on the type of thumbprint.

    You don't have to raise a support request all the time on these.

    David Wilbur

    Technical Support Senior Advisor, Premier Services, SME Email Security

  • BWC, Cybersecurity Overlord ✭✭✭

    Hi @David W first of all, Mails are going through now, thanks for that.

    Of course I can put the address on the allowed list, but this would just be for me. I would have to put them on ALL appliances of my customers, so a more general approach is required, which ends up in a support ticket to get them whitelisted, right?

    It would be great to put some whitelists in consideration for the score, like dnswl.org or a custom realtime list. In that case I could provide a DNS zone for my customers to whitelist IPs globally.

    --Michael@BWC
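The "custom realtime list" Michael asks for in the post above is the same mechanism dnswl.org and the DNSBLs use: the client reverses the address, prepends it to the list's zone, and reads the answer from an A record. The following is an added example, not from the thread or from SonicWall, showing how that query name is built for IPv4 and IPv6 and how a dnswl.org-style answer is decoded. The resolver is pluggable so the example runs offline against a constructed table; the zone name list.dnswl.org and the 127.0.<category>.<trust> answer layout are assumptions to be checked against the list's own documentation, and the answers in the stub are invented.

```python
"""Added example: build DNS-list query names and decode dnswl.org-style answers.
Not code from the thread.  Zone name and answer layout are assumptions; the
stub answers below are constructed, not real lookups."""
import ipaddress

# Assumed zone for dnswl.org; a custom per-customer allow list would use its own.
DNSWL_ZONE = "list.dnswl.org"

# Assumed dnswl.org layout: answer is 127.0.<category>.<trust>.
TRUST_LEVELS = {0: "none", 1: "low", 2: "medium", 3: "high"}


def dnsl_query_name(ip, zone=DNSWL_ZONE):
    """Return the fully-qualified name to look up for `ip` in a DNS-based list.

    IPv4: octets reversed (a.b.c.d -> d.c.b.a.zone.)
    IPv6: all 32 nibbles of the expanded address, reversed, one per label.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".") + "."


def decode_dnswl(answer):
    """Decode a 127.0.<category>.<trust> answer into (category, trust_name).
    Anything outside 127.0.0.0/16 is rejected so a wildcard or hijacked
    zone does not silently read as 'listed'."""
    octets = [int(x) for x in answer.split(".")]
    if len(octets) != 4 or octets[:2] != [127, 0]:
        raise ValueError("unexpected DNS-list answer: %s" % answer)
    return octets[2], TRUST_LEVELS.get(octets[3], "unknown")


# Constructed stub resolver: maps query names to A-record answers; None = NXDOMAIN.
# 192.0.2.10 and 2001:db8::1 are documentation addresses, not real senders.
STUB_ANSWERS = {
    dnsl_query_name("192.0.2.10"): "127.0.10.2",
    dnsl_query_name("2001:db8::1"): "127.0.5.3",
}


def stub_resolver(name):
    return STUB_ANSWERS.get(name)


def whitelist_score(ip, zone=DNSWL_ZONE, resolve=stub_resolver):
    """Return (category, trust) for a listed IP, or None if not listed.

    In production pass a real resolver, e.g. a wrapper around dnspython's
    dns.resolver.resolve(name, "A") that returns the first address as a string
    and None on NXDOMAIN."""
    answer = resolve(dnsl_query_name(ip, zone))
    if answer is None:
        return None
    return decode_dnswl(answer)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::1", "203.0.113.9"):
        print(ip, "->", dnsl_query_name(ip), whitelist_score(ip))
```

A reputation engine that consults such a zone can let a "high" trust answer offset a stale spam entry, and a customer-operated zone gives exactly the global allow list Michael describes, without touching every appliance individually.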
