
SMTP Scanning - Sender IP address is blacklisted

Hello,

I am currently getting quite a few emails suddenly being blocked, and the email log is showing 'Sender IP address is blacklisted'. Yet when I check the IPs against the MXToolbox blacklist check, they aren't on any of the lists.

Is there a better log I can look at that will show me which RBL list returned the IP as being on a blacklist?

Regards

Oliver Knights

  • Has the URL changed?

    https://www.sophos.com/en-us/threat-center/ip-lookup.aspx

    It just takes me to the labs homepage. I cannot find an alternative.

    (Trying to investigate a lot of "Sender blacklist" quarantine in SEA.)

    Best regards

  • Have a look at which RBLs you have enabled in your SMTP filtering; you can then go and investigate directly and see which one is causing the problem.

    I have disabled the “standard rbl” included with a default install of XG as it was identifying the forum emails as spam (fixed now).

    I now use the Barracuda RBL as my primary and the default “premium” RBL, which is SpamCop!

  • Sophos, you have multiple documents pointing to this non-existent IP lookup tool, or "sender genotype test". Neither of which I can find anywhere.

    https://community.sophos.com/kb/en-us/114057

    Did you deprecate this tool and not update any documentation? I have an external party that, when they forwarded me the bounce, says "Sophos Anti Spam Engine has blocked this Email because the sender IP Address is blacklisted." However, because of the extremely small 1100-event limit that the log on the firewall has, I can't even see results from this morning...

    I obviously ran their domain through a blacklist checker so I could blame the external party and not have to deal with it, but they are simply not listed in any blacklist.

    I am now attempting to whitelist their domain under Protect -> Email -> Policies, but this seems like a headache. I just want to know why they are blocked. I have several blocklists enabled on the firewall but, like I said, I scanned and their mail server isn't in any of them.

    Is there no way to see the result for an IP or domain through the Sophos firewall console directly? No query is provided to me the same way the firewall queries? It seems to have previously existed.

    I am looking for why this has occurred: are they being legitimately blocked, or is it a false positive? Please let me know how I can determine this, keeping in mind that a blacklist checker such as https://mxtoolbox.com/blacklists.aspx does not see them as being blacklisted.

  • Any solution here? I'm having the exact same issue. Checked MXToolbox, checked Sophos IP reputation. All clear, but some servers are being blocked due to being blacklisted.

  • Howdy,

    Saw something similar recently myself.

    In a nutshell, the receiving party is verifying the sender address by connecting back to your sender domain's mail server (e.g. the Sophos XG acting as the domain's mail server) and attempting to deliver a null message to the sender address. The problem is that the receiving party is using an outbound server that's most likely in the UCEPROTECT-L1 blacklist (it was in my case).

    The workaround is to either remove the dnsbl-1.uceprotect.net entry from the Standard RBL Services list (preferable - this entry has caused more grief than good over the years), or create a mail scanning exception to skip RBL checks for the outbound server IP in the UCEPROTECT-L1 blacklist. Assuming that the UCEPROTECT-L1 blacklist is the problem.

    You will also need to use the Log Viewer, go to Firewall and filter on inbound SMTP connections, as the Sender IP address won't show in either the Mail Logs view or in the Mail section of Log Viewer. I had to make a note of the timestamps in the Mail Logs view, then correlate them in Log Viewer. Which is a reminder that Log Viewer is still pretty bad at providing transparency of the raw log files stored on the XG.

    Hope this helps work out your specific issue with the 'Sender IP address is blacklisted' problem.
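The check the replies above describe, taking the sender IP from the firewall log and testing it against each RBL zone the firewall has enabled to find which one lists it, as an added Python example. This is not Sophos XG code and not from any poster; only dnsbl-1.uceprotect.net is named in the thread, the other two zone names are assumed public zones for the Barracuda and SpamCop lists the replies mention, the 203.0.113.x addresses are constructed, and the injectable `resolver` parameter is this example's own design so the lookup logic can be exercised without live DNS.

```python
"""Check one sender IP against a set of DNS blocklists (RBLs) and report which
zone lists it. Added example for this thread; not Sophos XG code. Only
dnsbl-1.uceprotect.net is named in the thread; the other zone names are assumed
public zones for the Barracuda and SpamCop lists the replies mention."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

DEFAULT_ZONES = (
    "dnsbl-1.uceprotect.net",   # named in the thread (UCEPROTECT level 1)
    "b.barracudacentral.org",   # assumed zone for the Barracuda block list
    "bl.spamcop.net",           # assumed zone for SpamCop
)

Resolver = Callable[[str], Optional[str]]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone appended.
    203.0.113.7 checked against zone Z becomes 7.113.0.203.Z"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 senders only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_a(name: str) -> Optional[str]:
    """Live resolver: return the A record for name, or None when the name does
    not exist (NXDOMAIN), which is how a DNSBL says 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listing(answer: Optional[str]) -> bool:
    """A DNSBL signals a listing with an address in 127.0.0.0/8 (127.0.0.2 is
    the usual value). Anything else, including a public address returned by a
    wildcarded or expired zone, must not count as a listing, or every sender
    would be blocked by a dead list."""
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def check_ip(ip: str, zones: Iterable[str] = DEFAULT_ZONES,
             resolver: Resolver = resolve_a) -> Dict[str, str]:
    """Return {zone: answer} for each zone that lists ip; {} means listed nowhere."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolver(rbl_query_name(ip, zone))
        if is_listing(answer):
            hits[zone] = str(answer)
    return hits


if __name__ == "__main__":
    import sys
    # 127.0.0.2 is the conventional always-listed test address (RFC 5782), so
    # running with no argument confirms the lookups themselves are working.
    sender = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    listed = check_ip(sender)
    if not listed:
        print(f"{sender}: not listed in any of {len(DEFAULT_ZONES)} zones checked")
    for zone, code in listed.items():
        print(f"{sender}: listed in {zone} (answer {code})")
```

Run it with the IP from the firewall's inbound SMTP log as the only argument, and pass the zones actually enabled under the firewall's RBL settings as `zones` so the result matches what the firewall checks. In the sender-verification scenario described above, the IP worth checking is the receiving party's outbound server that connects back to you, not the MX of the domain you were writing to, which is why a blacklist check on their domain comes back clean.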