Reputation Filtering Rejecting a valid Host

We have a company that is not able to email us. Our ironport server says their reputation status is poor and is rejecting the message.
If you go to senderscore.org and enter the ip addresses of their server they are all 95-100 score rating.
Why are we rejecting their email?
I was able to get around this by adding them to the whitelist.

this host is a 'poor' score for a reason - whether it's quasi-legitimate spam / marketing mail or a sharp statistical increase in mail volume over a short period due to some bot net or virus traffic - there's not supposed to be any misinformation or false positives. there are many reasons or factors that contribute to the score, which is mostly confidential for us (IronPort). we can tell you that it is a rolling average that is continuously correcting itself.
many customers are comfortable referring their partners or owners of incoming MTAs that have been rejected by SBRS to just RTM at senderbase.org and contact SB support teams for more info.
so in short, if you 'trust' this MTA and they don't want to contact SenderBase for help, then yes, manually add it to the whitelist. occasionally whitelisting is easier than constantly blacklisting, which is why senderbase is so cool / popular.
more info on senderbase.org and our 'Sender Base Reputation Score':
Sender Base Best Practices / Overview:
http://tinyurl.com/lvuub
Tips on Low Scores:
http://tinyurl.com/zfczg
andrew

Similar Messages

  • Recent decrease in Reputation Filtering

    Beginning yesterday (Nov 13) at about 17:00 eastern time, we have seen a drastic decrease in messages stopped by Reputation Filtering and a large increase in Spam Detected. The drop is from about 97% to 89%. Spam Detected has risen from 1.4% to 7.6%.
    Anyone else seeing this occur? We are using V5.1.2 of AsyncOS.

    The efforts of security researchers have resulted in McColo's hosting service being stopped, and this has resulted in far less spam being sent. :) However, it won't last long. Within a couple of weeks, the spam levels will be back to usual...
    http://www.eweek.com/c/a/Security/Notorious-Web-Hosting-Service-Linked-to-Spam-Campaigns-Goes-Offline/
    http://www.senderbase.org/home/detail_spam_volume?displayed=lastmonth&action=&screen=&order=
    Which is about now.. I can point to www.senderbase.org and more specifically to : http://www.senderbase.org/home/detail_spam_volume
    looks like spam has returned to its "normal" volumes.

  • Bypass reputation filtering

    Dear All
    I am a new user of IronPort and would like to check with you all how to bypass a few domains from reputation filtering. A few clients are facing a problem sending mail to us: it was blocked by reputation filtering. The problem is that the sender's mail is hosted by someone, and the sending IP is dynamic. Please advise.
    regards
    Anthony

    In addition, I wanted to add to the post, on how to best detect what hostname/domain/ip address to add to this sendergroup.
    Like the previous post mentioned, you'll want to create a new sendergroup and possibly label it "Bypass_SBRS_scoring". Because the mail that you're mentioning is getting blocked, you may want to position this new sendergroup above the "Blacklist" sendergroup. Note, when incoming connections occur, the HAT Overview works in a top-down environment. In other words, it will start at the top and move on down until there's a match or else go into the default of all.
    To add a domain or company as a sender in this new sendergroup, you'll need to add either the hostname, IP address, or IP address range. When you add a sender, there is a little question mark that details how you can add the sender. This is what the help says,
    Enter the hosts to add. CIDR addresses such as 10.1.1.0/24 are allowed. IP address ranges such as 10.1.1.10-20 are allowed. IP subnets such as 10.2.3. are allowed. Hostnames such as crm.example.com are allowed. Partial hostnames such as .example.com are allowed.
    How to locate the hostname or IP address of a sender
    - When customers have difficulty obtaining the hostname or ip address of a sender to add to a sendergroup.
    - Trying to obtain the SBRS score of a connecting server
    How to search in the logs for the IP or hostname of a sender:
    You want to find out the IP address or hostname of the sender called "[email protected]".
    1. From the command line, type:
    ironport> grep -i "test.com" mail_logs
    Fri Sep 7 10:06:13 2007 Info: MID 28 ready 77 bytes from
    2. Then search for the "MID 28"
    ironport> grep -i "MID 28" mail_logs
    Fri Sep 7 10:05:51 2007 Info: Start MID 28 ICID 10
    Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From:
    Fri Sep 7 10:05:56 2007 Info: MID 28 ICID 10 RID 0 To:
    Fri Sep 7 10:06:13 2007 Info: MID 28 Subject 'testing 123'
    Fri Sep 7 10:06:13 2007 Info: MID 28 ready 77 bytes from
    Fri Sep 7 10:06:13 2007 Info: MID 28 matched all recipients for per-recipient policy DEFAULT in the inbound table
    Fri Sep 7 10:06:13 2007 Info: MID 28 interim verdict using engine: CASE spam negative
    Fri Sep 7 10:06:13 2007 Info: MID 28 using engine: CASE spam negative
    Fri Sep 7 10:06:13 2007 Info: MID 28 interim AV verdict using Sophos CLEAN
    Fri Sep 7 10:06:13 2007 Info: MID 28 antivirus negative
    Fri Sep 7 10:06:13 2007 Info: MID 28 queued for delivery
    Fri Sep 7 10:06:14 2007 Info: Delivery start DCID 477 MID 28 to RID [0]
    Fri Sep 7 10:06:14 2007 Info: Message done DCID 477 MID 28 to RID [0]
    Fri Sep 7 10:06:14 2007 Info: MID 28 RID [0] Response 'ok: Message 57897990 accepted'
    Fri Sep 7 10:06:14 2007 Info: Message finished MID 28 done
    3. From the MID output, you grep for the ICID to get the hostname or IP address of the connecting server.
    ironport> grep -i "ICID 10" mail_logs
    Fri Sep 7 10:05:42 2007 Info: New SMTP ICID 10 interface Management (172.19.0.146) address 10.1.1.209 reverse dns host outgoing232.ispserver.com verified yes
    Fri Sep 7 10:05:42 2007 Info: ICID 10 ACCEPT SG SUSPECTLIST match 10.1.1.209 SBRS 1.2
    Fri Sep 7 10:05:51 2007 Info: Start MID 28 ICID 10
    Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From:
    Fri Sep 7 10:05:56 2007 Info: MID 28 ICID 10 RID 0 To:
    Fri Sep 7 10:06:14 2007 Info: ICID 10 close
    4. The information that I have put in BOLD above displays the information that you want.
    The IP address is: 10.1.1.209
    The hostname of the connecting server is: outgoing232.ispserver.com
    The SBRS score of the connecting IP is: 1.2
    The sendergroup that was matched was: Suspectlist
    172.19.0.146 is the IP of your Ironport appliance.
    So, if you wanted to whitelist the sender, [email protected] or test.com, you would add any of these to the Sendergroup:
    10.1.1.209
    outgoing232.ispserver.com
    .ispserver.com
    Use ".ispserver.com" when there are multiple outgoing servers and you want to wildcard them.
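
The grep steps above (sender domain to MID, MID to ICID, ICID to connecting host) done in one pass, as an added example that is not part of the original post. The log lines are constructed in the format quoted above; `sender@test.com`, `user@example.com` and the rejected connection ICID 11 are placeholders, since the addresses on the page are elided.

```python
import re

# Constructed sample in the mail_logs format quoted in the post above.
SAMPLE_LOG = """\
Fri Sep 7 10:05:42 2007 Info: New SMTP ICID 10 interface Management (172.19.0.146) address 10.1.1.209 reverse dns host outgoing232.ispserver.com verified yes
Fri Sep 7 10:05:42 2007 Info: ICID 10 ACCEPT SG SUSPECTLIST match 10.1.1.209 SBRS 1.2
Fri Sep 7 10:05:51 2007 Info: Start MID 28 ICID 10
Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From: <sender@test.com>
Fri Sep 7 10:05:56 2007 Info: MID 28 ICID 10 RID 0 To: <user@example.com>
Fri Sep 7 10:06:14 2007 Info: ICID 10 close
Fri Sep 7 10:07:01 2007 Info: New SMTP ICID 11 interface Management (172.19.0.146) address 192.0.2.77 reverse dns host unknown verified no
Fri Sep 7 10:07:01 2007 Info: ICID 11 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -4.5
Fri Sep 7 10:07:01 2007 Info: ICID 11 close
"""

NEW_CONN = re.compile(r"New SMTP ICID (\d+) interface \S+ \(([\d.]+)\) "
                      r"address ([\d.]+) reverse dns host (\S+) verified (\S+)")
HAT_MATCH = re.compile(r"ICID (\d+) (ACCEPT|RELAY|REJECT|TCPREFUSE) SG (\S+) "
                       r"match (\S+) SBRS (\S+)")
MSG_FROM = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")


def parse_connections(log_text):
    """Index every inbound connection (ICID) with its peer and HAT verdict."""
    conns = {}
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            conns[m.group(1)] = {"ip": m.group(3), "rdns": m.group(4),
                                 "action": None, "sendergroup": None, "sbrs": None}
            continue
        m = HAT_MATCH.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].update(action=m.group(2),
                                     sendergroup=m.group(3), sbrs=m.group(5))
    return conns


def trace_sender(log_text, domain):
    """Follow sender domain -> MID -> ICID and return the connecting host details."""
    conns = parse_connections(log_text)
    hits = []
    for line in log_text.splitlines():
        m = MSG_FROM.search(line)
        if m and m.group(3).lower().endswith("@" + domain.lower()):
            hits.append({"mid": m.group(1), "icid": m.group(2),
                         **conns.get(m.group(2), {})})
    return hits


def rejected_peers(log_text):
    """Connections the HAT refused. In this sample they have no MID or From
    line, so a search by sender domain finds nothing; look them up by peer."""
    return [c for c in parse_connections(log_text).values()
            if c["action"] in ("REJECT", "TCPREFUSE")]


if __name__ == "__main__":
    print(trace_sender(SAMPLE_LOG, "test.com"))
    print(rejected_peers(SAMPLE_LOG))
```
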

  • A "Web Reputation Filters" key was downloaded from the Cisco Ironport key server.....

    Recently we received an alert from our Ironport S370 appliance indicating that a new Web Reputation Filters key had been downloaded and placed into the pending area: EULA acceptance required. This key shows a 256 days validity however our current key still has 250 days left on it..... Why would a new key be downloaded when the old one still has so much time left on it? My understanding is that a key is just used to enable a feature but being that the feature is already enabled and has several months of validity why would a new key be needed? I find it a little strange.
    Thanks

    When Web Reputation Filters (WBRS) expires, web sites accessed using the WSA as a web proxy will not get any reputation score, and filtering in WSA policies based on reputation score will not function. For example, a web site that has a bad reputation score, and that would be blocked automatically by the WSA when WBRS is functioning, will not be blocked, and all sites will be accessible without reputation score filtering (this exposes threats; it is strongly recommended to validate the feature keys).

  • MARS 6.0.4 reporting for IPS 7.0 Global Correlation Reputation Filtering

    Does anyone know if there is a report available in MARS to see what IP addresses were denied by Reputation Filtering on IPS 7.0?
    I found a report that shows attacks that were prevented due to global correlation score, but not for packets denied by Reputation Filtering.
    Replies are greatly appreciated.
    Thanks,
    Mark

    Thanks for the reply, but what I am looking for is reporting on what packets were dropped with Reputation Filtering (doesn't have a report in MARS), not the Global Correlation risk rating blocks (which does have a report available in MARS).

  • Global correlation / reputation filtering in monitoring mode

    We use Cisco appliances primarily in monitoring mode.  We'd like to use the IPS reputation filtering / global correlation to alert us when we have connections to "bad" IP addresses (e.g. botnet, etc).  Is it even possible to use either of these features for this purpose?  According to the following document it appears there may not be alerts for packets denied before signature analysis.  Surely that can't be???
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_collaboration.html#wp1067283
    "Note This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched. It does not apply to reputation filtering where the packet is denied before signature analysis, and no alerts are generated when packets are denied by reputation filtering. "

    Just listened to the techtalk on global correlation. about 16 minutes in...."we do not send events just to keep the load quiet".   Can someone from Cisco please confirm that this completely naive and poorly engineered facet of the solution still works this way? I'm sorry to sound like an arse, but I am so completely frustrated with the value we get out of these appliances.  Apparently, the ASA botnet functionality can do what we want, but not the stand alone IPS appliance....come on Cisco.

  • Counter changed in 6.0.0-745 for 'Reputation Filtering'?

    After upgrading to 6.0.0-745 we noticed that the amount of incoming mails for 'Stopped by Reputation Filtering' is 3 x higher than before with version 5.5.1-011.
    We can see the jump to the 3x higher level for the time after the upgrade.
    We have checked the 'Configure Sender Reputation Multiplier' in the CLI, but this value is still on 1.
    Has something changed on counting this number?

    After the upgrade on the second machine, we can see this behaviour again. Maybe this picture can help to understand:
    http://img393.imageshack.us/my.php?image=67250759li9.jpg
    We can't believe, that the amount of
    - Stopped by Reputation Filtering
    and
    - Stopped as Invalid Recipients
    has more than doubled after the lunch (upgrade-time on 11.4.2008) :wink:

  • Reputation Filtering

    Hi,
    I'm installing an eval Ironport behind a current 3rd party MTA, which will relay all mail onto Ironport.
    My query is: can someone advise if this will affect reputation filtering, the fact Ironport receives mail from an internal address? And how best can I get around this issue?
    Cheers :)

    You can use the Ironport Incoming Relays feature to get around this.
    Basically you specify how many hops back in the header to look for the ACTUAL sender IP. This works if the number of hops is always going to be consistent.
    If the hops aren't a consistent predictable number then you will have to insert a custom header at your third party MTA if possible.
    This is all documented in the Basic User Guide, or online here: https://support.ironport.com/docs/c_series/5.1/HTML_5.1_Compilation/Basic_Guide/wwhelp/wwhimpl/common/html/wwhelp.htm?context=Basic_Guide&file=antispam.14.5.html
    :-)

  • My iCal rejects my valid password. Why?

    Why does my valid password keep getting rejected?

    Either reset your password on the Microsoft exchange. Or restart ipad by holding power button then a slide comes up saying slide to power off do it and wait then turn it back again.

  • Rejects my valid original Serial Number when trying to install update

    I have Logic Pro 8.0.2 installed with a valid serial number. Now I am upgrading to Logic Pro 9 and when I enter the new serial number it asks for the original. That's good - it means that the new serial number is accurate and wanting my original to verify my copy. When I enter the original, it always comes back as an invalid serial number. I have verified it is correct with others' eyes and reading it back etc - no go. My original is an Academic version - does that mean anything? But even so where do I go for help? I don't seem to see anything at the Apple website to direct me for help other than this discussion forum.
    Where do I go for help getting this resolved short of taking my 24" iMac into an Apple store with my serial numbers in hand? TIA

    smidi wrote:
    My original is an Academic version - does that mean anything? But even so where do I go for help?
    Hi
    My understanding is that 'Academic' versions cannot be upgraded. You may need to purchase the full version. I suggest a quick phonecall to the Applestore to verify.
    CCT

  • My Adobe Creative Suite CS5 download rejects my valid serial key. What must I do?

    Hello everyone,
    I have a legitimate serial key for Creative Suite CS5. Because I once lost my CD's Adobe sent me a download link to download the suite which worked then, but now I have a new laptop which doesn't have a CD-rom drive, so I tried to download these links again. Now I get the message that my serial key is invalid. I have had contact with customer support and they verified that my serial key is valid and then I was sent to the forum to ask how to continue.
    Prachi: I see that as it is the old product, you need to visit our Adobe Forum to troubleshoot the issue.
    I kindly await your response.
    With kind regards,
    Joost Dingemans

    I have a legitimate serial key for Creative Suite CS5.
    Let's start with the basics:
    Which Creative Suite CS5?
    Adobe Creative Suite 5 Design Premium
    Adobe Creative Suite 5 Design Standard
    Adobe Creative Suite 5 Production Premium
    Adobe Creative Suite 5 Web Premium
    Adobe Creative Suite 5 Master Collection
    Windows or Mac?
    Have you downloaded the correct installer for the correct product?
    Download CS5 products

  • Data filtering based on validation for SAP MDM

    Hi Experts,
    My requirement is to filter data coming in to MDM via PI so that only those records are posted to MDM which pass that logic.
    I guess validation in PI can filter data based on logic defined.
    Please guide me how to achieve this.
    Thanks,
    Ravi

    refer below link and write a condition in receiver determination and select ignore message option(when no receiver found).
    http://wiki.sdn.sap.com/wiki/display/XI/XpathConditioninReceiverDetermination
    Regards,
    Raj

  • One feed rejected despite validating, other feed image not showing

    Hi there. I have two problems:
    1. The podcast feed at http://planetnerd.tv/category/segments/?feed=podcast has been rejected by iTunes twice but I can't find the problem. It validates correctly:
    http://feedvalidator.org/check.cgi?url=http%3A%2F%2Fplanetnerd.tv%2Fcategory%2Fsegments%2F%3Ffeed%3Dpodcast
    2. The podcast feed at feed://planetnerd.tv/category/episodes/?feed=podcast was accepted but the artwork isn't showing up. Check it out at:
    http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=259736295
    Help would be much appreciated. I am using PodPress on Wordpress 2.2.1.
    As a feature request, it would be great if the "feed rejected" emails from iTMS contained some extra information about why it was rejected.
    Thanks,
    Dan
    MacBook Pro   Mac OS X (10.4.10)   2 GB RAM

    just a guess, but perhaps it thinks for some reason that these are duplicate feeds...since many of the channel items are exactly the same (description, subtitle, etc..) maybe make them more specific to the feed contents. Probably doesn't matter too much but perhaps taking out the special character from the title (the >>) might help things along. Perhaps just making it Planet Nerd: Episodes and Planet Nerd: Segments might avoid the potential for some problems.
    As for the artwork...based on the number of complaints from others as well...I can only guess that there must be a problem with the iTunes database or it's really backlogged from the recent submission problems. Not much us podcast creators can do but wait for the iTunes folks to fix it or for it to work its way through a backlog.
    Erik

  • Ibook Author audio (AAC) media widget rejected in validation??

    We have a complex image, video and music book from the Arctic created on ibooks author.  Everything seems to validate through itunes producer on delivery except for this error message.
    ERROR ITMS-9000: "Files of type audio/x-m4a are not allowed outside of widgets: assets/media/Arctic_master_music.m4p" at Book (MZItmspBookPackage)
    We've done everything in widget sizing, placement, audio encoding to aac from QT, itunes and compressor.  We can't get past the error.  Is there a bug in the ibook author or am I missing something?
    Any ideas?  The videos work fine, just the audio clip.
    richard

    John, as you can see by my previous response we haven't solved the audio error ITMS-9000, audio outside of widget. But we haven't forced the issue as of late.
    We had so much video with audio, that we pulled the page with the music pieces.  Our idea was to see if the book without the error on the audio would pass and it did.  We had to make some other corrections and link fixes, but the video and images all passed.  I was impressed that someone was actually going through page by page.
    So once the book is up, we're going to start with the music (audio only) from scratch, strictly following  the process that apple outlines.  We will resubmit it and if it won't pass the error, then I have only one specific issue for myself and apple to deal with.  I have a feeling it's something I'm doing in the music conversion, but we've compressed it from QT, from iTunes and from compressor following their guidelines all with the same error of this audio placed within their media widget.  Now maybe with their recent ibook author updates things have been fixed.  See I have this little feeling it's a bug in ibook author compiler. But over many years where I jumped out and blamed someone and been wrong, I have to be sure it's me and not them.
    So if anyone has had success in audio only book elements placed in ibook author media widget and successfully got it published, tell us your secret.  Please. Or if others are having the same issue, then we need together to find an answer quickly.
    Once I find the answer on this issue I'll be sure to post the steps to our success.

  • This certificate is not valid (host name mismatch)

    How do I fix this error message? Safari can't verify the identity of the website ....keeps saying the certificate is invalid.

    Normally a button appears "Trust..." (can't remember what it says exactly).
    And there's also an option to always trust the certificate.
