Difference between "Check for RBL" and "Verify Sender’s IP Reputation"?

What's the exact difference between them both (in MTA mode)?

  • Email > Policies > $policy > Spam Protection > Check for RBL
  • Email > General Settings > SMTP Settings > Verify Sender’s IP Reputation

 

From my understanding, both check the IP address of the sender. One is per policy, one is global.

At the RBL check, you can define the RBL lists. What mechanism (or list?) is used to verify sender’s IP reputation?

 

Thanks,

Daniel



  • Daniel,

    When real-time blackhole lists are enabled, external IP reputation databases are used to determine if the sending server is a known spammer. I believe the default RBLs used are the following; at least these were used in Sophos SG UTM 9:
    • CYREN IP Reputation
    • cbl.abuseat.org
    Yes, you can also configure additional RBLs to use.

    Note that the difference between the premium and standard RBL services you see is that with premium no false positives are expected, and with standard some false positives may be possible.

    With IP reputation enabled you can choose to reject, accept or drop emails that are being sent from known spam senders. By doing this during the message transmission, you can reduce the processing that Sophos XG Firewall is required to do.

    The XG Firewall can also verify if the recipient email address is valid by using an SMTP query to the recipient's mail server. If the email address is incorrect, the email will be rejected, causing a bounce message to the sender. This reduces the load on XG Firewall as it does not have to process the email, and it provides senders, including customers and valued partners, with an instant response if they mistype your email address. If the email address is valid, the message is processed for spam and viruses as normal.

     

    Hope this steers you in the right direction!

     

    Regards,

     

    Firewalls.com Inc.

    Get Secure. Stay Secure.

    www.firewalls.com

  • Firewalls.com Inc said:

    Note that the difference between the premium and standard RBL services you see is that with premium no false positives are expected, and with standard some false positives may be possible.

     

    I wonder who decides which are premium and which are standard? Or does the appliance behave differently regarding the list you put the RBL service in?

  • Jelle,

     

    These RBL Services can be modified. By default the Premium RBL Services uses bl.spamcop.net and the Standard RBL Services uses dnsbl-1.uceprotect.net. We can only choose a single Sender Remote Blacklist Group per SMTP Scanning Policy. Our SMTP Scanning policy defines the criteria which must be met, such as email address/domain group sender/receiver, and filter criteria such as source/destination IPs/networks, in order for the action to take place.

     

    Regards,

     

    Firewalls.com Inc.

    Get Secure. Stay Secure.

    www.firewalls.com
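
How a DNS-based RBL lookup against the zones named in the posts above works in general, as an added example that is not part of the thread and not Sophos code: the sender's address is reversed label by label, the RBL zone is appended, and an A record inside 127.0.0.0/8 means "listed". The group contents follow the defaults stated above; `check_group`, `fake_resolver` and the resolver data are assumptions made for the illustration.

```python
import ipaddress
import socket

# Default zones as stated in the thread; group names mirror the XG objects.
RBL_GROUPS = {
    "Premium RBL Services": ["bl.spamcop.net"],
    "Standard RBL Services": ["dnsbl-1.uceprotect.net"],
}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed address labels followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_group(ip, group, resolve=system_resolver):
    """Return {zone: return_code} for each zone in the group that lists ip."""
    hits = {}
    for zone in RBL_GROUPS[group]:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Only answers in 127.0.0.0/8 count as a listing; an answer outside
        # that range (e.g. a hijacked or parked zone) is ignored.
        if answer and ipaddress.ip_address(answer) in LISTED_RANGE:
            hits[zone] = answer
    return hits

# Constructed resolver data so the example runs offline.
FAKE_ZONE_DATA = {"2.0.0.127.bl.spamcop.net": "127.0.0.2"}

def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name)

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.25", "bl.spamcop.net"))
    print(check_group("127.0.0.2", "Premium RBL Services", fake_resolver))
```
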

  • Well, I can choose more on our XG...?!? Or did I misunderstand you?

     

  • They've moved some things around in the SFOS 17.0.5 MR-5. My apologies, in the previous version you could add and edit Sender Remote Blacklist directly from within the SMTP Scanning Policy. Looks like we now have to create the objects then we can add them to the SMTP Policy when Spam Protection is enabled.

    Screen shot demonstrates where to add the RBL Group where we can create new groups or edit the pre-built service groups in the new SFOS 17.0.5 MR-5

    Premium RBL Services
    RBL (IPv4)
    Premium RBLs. No false alarms expected.

    Standard RBL Services
    RBL (IPv4)
    More RBLs. False alarms are possible.

     

    Regards,

     

    Firewalls.com Inc.

    Get Secure. Stay Secure.

    www.firewalls.com

     
  • Yes, and still I wonder who decides which are premium and which are standard? We ourselves... OK. But how do we know? From testing and playing around?

    Maybe it's only the names and descriptions given by Sophos which are confusing me and I should forget about premium and standard.

     

    By the way, if sender's IP reputation is also based on this as described above, where is this reputation taken from, as I can't select one or more blacklists for this feature?