
V8 RBLs

Looking at the SMTP Log in Mail Manager on my newly-upgraded ASG V8, I see RBL rejection messages citing black.rbl.ctipd.astaro.local and grey.rbl.ctipd.astaro.local.  I presume these are composite RBLs used internally by the ASG, but my question is: if a valid recipient finds himself being rejected, how can he (or I) now find out which actual RBL caused the rejection?


This thread was automatically locked due to age.
  • You should be able to see this in the SMTP log.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Never mind - I looked more closely at the SMTP log and I can see that the underlying RBL is referenced in the reject message.
  • Was it a false positive?  Some folks noted problems with the CommTouch RBL during the beta.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • No, it was a hypothetical. [:)]
  • Never mind - I looked more closely at the SMTP log and I can see that the underlying RBL is referenced in the reject message.


    How did you find the underlying RBL? I have non-spam mail being rejected by grey.rbl.ctipd.astaro.local. I assume the local copy of the RBL is actually taken from other sources; however, when I check the incoming email IP against a blacklist checker it doesn't find it listed.

    This also leads to my next question: how often are the local copies of the RBL updated? Can you turn off the local RBL and just use the external reference list?
  • I don't think there's any caching or copying of RBL information locally.  It looks like you might have greylisting enabled, and that can cause problems with email from companies with incorrectly configured mail servers.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • How did you find the underlying RBL? I have non-spam mail being rejected by grey.rbl.ctipd.astaro.local
    I should have mentioned earlier, the answer lies in the real SMTP log, not the glossy expurgated version visible on the Mail Manager page.
    2010:08:02-10:16:12 astaro exim[4956]: 2010-08-02 10:16:12 SMTP connection from [205.162.42.155]:40419 (TCP/IP connection count = 2)
    2010:08:02-10:16:13 astaro exim[27147]: 2010-08-02 10:16:13 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="205.162.42.155" from="TechTarget%40techtargetlists.com" to="***%40snikte.net" size="-1" reason="rbl" extra="grey.rbl.ctipd.astaro.local"
    2010:08:02-10:16:13 astaro exim[27147]: 2010-08-02 10:16:13 H=techtargetlists.com [205.162.42.155]:40419 F= temporarily rejected RCPT : Delivery from 205.162.42.155 is deferred. Send again or check at Check IP Reputation | Commtouch - Messaging and Web Security Technology. Reference code: tid=0001.0A090302.4C56E13D.00EA
    2010:08:02-10:16:13 astaro exim[27147]: 2010-08-02 10:16:13 unexpected disconnection while reading SMTP command from techtargetlists.com [205.162.42.155]:40419
  • reason="rbl" extra="grey.rbl.ctipd.astaro.local"

    F= temporarily rejected RCPT : Delivery from 205.162.42.155 is deferred.

    This message was greylisted.

    Cheers - Bob
     
  • I beg to differ, Bob.  The terminology is confusing, but it appears that ASG uses the name grey.rbl.ctipd.astaro.local to refer to hosts that Commtouch classifies as "low risk", and black.rbl.ctipd.astaro.local to refer to their "high risk" hosts.

    Compare the previous temporary rejection response with what occurs when the ASG's real Greylisting kicks in:
    2010:08:02-04:21:50 astaro exim[4956]: 2010-08-02 04:21:50 SMTP connection from [206.213.209.31]:19534 (TCP/IP connection count = 1)
    
    2010:08:02-04:21:51 astaro exim[10894]: 2010-08-02 04:21:51 1OfrDT-0002pi-0B ctasd reports 'Unknown' RefID:str=0001.0A090206.4C568E2F.00DC:SCGSTAT540547,ss=1,fgs=1024
    2010:08:02-04:21:51 astaro exim[10894]: 2010-08-02 04:21:51 1OfrDT-0002pi-0B Greylisting: Greylisted 206.213.209.31
    2010:08:02-04:21:51 astaro exim[10894]: [1\18] 2010-08-02 04:21:51 1OfrDT-0002pi-0B H=w7p.aetna.com (winpironport2.aetna.com) [206.213.209.31]:19534 F= temporarily rejected after DATA: Temporary local problem, please try again!
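
The distinction drawn in the two log excerpts above can be checked mechanically. The following is an added example, not part of the original posts and not Astaro code: it separates Commtouch RBL deferrals from real greylisting in the raw SMTP log and attaches the Commtouch reference code. The function name `classify` and the `ZONE_RISK` labels are assumptions; the labels follow the poster's reading of the zone names.

```python
import re

# Log lines copied from the excerpts quoted in this thread.
SAMPLE_LOG = r'''
2010:08:02-10:16:13 astaro exim[27147]: 2010-08-02 10:16:13 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="205.162.42.155" from="TechTarget%40techtargetlists.com" to="***%40snikte.net" size="-1" reason="rbl" extra="grey.rbl.ctipd.astaro.local"
2010:08:02-10:16:13 astaro exim[27147]: 2010-08-02 10:16:13 H=techtargetlists.com [205.162.42.155]:40419 F= temporarily rejected RCPT : Delivery from 205.162.42.155 is deferred. Send again or check at Check IP Reputation | Commtouch - Messaging and Web Security Technology. Reference code: tid=0001.0A090302.4C56E13D.00EA
2010:08:02-04:21:51 astaro exim[10894]: 2010-08-02 04:21:51 1OfrDT-0002pi-0B ctasd reports 'Unknown' RefID:str=0001.0A090206.4C568E2F.00DC:SCGSTAT540547,ss=1,fgs=1024
2010:08:02-04:21:51 astaro exim[10894]: 2010-08-02 04:21:51 1OfrDT-0002pi-0B Greylisting: Greylisted 206.213.209.31
'''

KV = re.compile(r'(\w+)="([^"]*)"')            # key="value" pairs in structured lines
IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'
REF = re.compile(r'Delivery from ' + IPV4 + r' is deferred\..*Reference code: (\S+)')
GREYLISTED = re.compile(r'Greylisting: Greylisted ' + IPV4)

# Risk labels as read by the poster above; an observation, not vendor documentation.
ZONE_RISK = {
    "grey.rbl.ctipd.astaro.local": "low risk",
    "black.rbl.ctipd.astaro.local": "high risk",
}

def classify(log_text):
    """Return {source_ip: details} for every deferral or rejection in the log."""
    events = {}
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        if fields.get("reason") == "rbl":
            # Structured reject line: the composite zone name is in extra="..."
            ev = events.setdefault(fields["srcip"], {})
            ev["cause"] = "rbl"
            ev["zone"] = fields.get("extra", "")
            ev["risk"] = ZONE_RISK.get(ev["zone"], "unknown")
        elif (m := REF.search(line)):
            # Free-text line that follows it: carries the Commtouch reference code
            events.setdefault(m.group(1), {})["ref"] = m.group(2)
        elif (m := GREYLISTED.search(line)):
            # The ASG's own greylisting logs a different message entirely
            events.setdefault(m.group(1), {})["cause"] = "greylisting"
    return events

if __name__ == "__main__":
    for ip, details in classify(SAMPLE_LOG).items():
        print(ip, details)
```
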
  • Apropos of this, I'm not really comfortable with some of Commtouch's classifications, and I'm thinking of overriding my RBLs back to Spamhaus.