
ESET Mail Security quarantines email from provider as SPAM



Hi,

We recently had to whitelist emails from one of our providers (falconmx.com), because Mail Security detected it as SPAM. The reason was "IP (138.128.164.234) found on cloud black list 1". What exactly is "cloud black list 1"?
If I do a blacklist check for that domain, it seems to be only listed on the UCEPROTECTL3, which lists entire ISPs for "bad reputation". But no one should block an email only because of that. Some of those lists are more important than others. A list of domains caught sending SPAM (for example, by spamtrapping) should be a lot more important than a list of ISPs with bad reputation, or lists of allegedly dynamic IPs (in fact, only the ISPs themselves know which of their IP ranges are dynamically assigned). There are many companies with legitimate mail servers whose ISPs have "bad reputation".

We considered adding it to "Ignored Domain to IP list", but the list description looks confusing: "List of domains that resolves to IP addresses which in turn will not be checked during classification. SPF records are being recognized when resolving IP addresses". What does "not checked during classification" mean? How is "not checked" different from whitelisted? If only some of the tests are skipped, which tests are skipped, and which ones do still run?

Regards


  • Administrators

Please re-check, the IP address doesn't seem to be currently blacklisted:

Sender's IP "138.128.164.234" is classified as OK.


  • ESET Staff
16 hours ago, frapetti said:

What does "not checked during classification" means? How is "not checked" different from whitelisted?

IP addresses found on "Ignored IP List" will be skipped during classification, the rest of the email will be still checked.

When IP is whitelisted, the whole email is automatically considered as ham.


Posted (edited)
22 hours ago, Marcos said:

Please re-check, the IP address doesn't seem to be currently blacklisted:

Sender's IP "138.128.164.234" is classified as OK.

Thanks. Since I whitelisted the domain, no more messages from them have been quarantined.

6 hours ago, M.K. said:

IP addresses found on "Ignored IP List" will be skipped during classification, the rest of the email will be still checked.

That means that ESET will take no action based on the IP address of the sender, but still perform all other spam checks on the message contents? Then I assume that any blacklist check is not performed?

Edited by frapetti

Posted (edited)

Now I see that ESET is also quarantining mails from the accounting firm: estudio-santoianni.com.ar

The reason is: "IP (190.61.219.106) found on cloud black list 1".

I even added the domain to "approved domain to IP list" and to "ignored body domain list", but it's still getting quarantined. How is that possible?

Edited by frapetti

  • Administrators

The IP address is not blacklisted at the moment:

Sender's IP "190.61.219.106" is classified as OK.

@M.K. might want to comment on the exclusion "Approved domain to IP list".


  • ESET Staff
On 3/31/2021 at 3:09 PM, frapetti said:

That means that ESET will take no action based on the IP address of the sender, but still perform all other spam checks on the message contents? Then I assume that any blacklist check is not performed?

First question - yes, exactly.

Regarding the blacklist check - if the IP is on the Ignored list, then no checks are performed on the IP, neither against cloud nor against local blacklists. But the email could be, for example, marked as spam due to a blacklisted domain in the message body.


  • ESET Staff
23 hours ago, frapetti said:

I even added the domain to "approved domain to IP list" and to "ignored body domain list", but it's still getting quarantined. How is that possible?

EMSX tries to resolve as many IP addresses associated with that domain as possible - using A, MX, and SPF records. All resolved IPs can be checked in the Edit dialog in Advanced settings.

If the IP is on the list (approved domain to IP list) and the email is still being marked as spam, please submit a support ticket so we can have a look at it.

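The two staff answers above describe two different mechanisms: the Ignored IP list suppresses only the IP-based checks (cloud and local blacklists) while body checks still run, and the Approved domain to IP list is expanded into addresses through the domain's A, MX and SPF records. The Python below models both so the difference can be seen on concrete input. It is an added example, not ESET code or configuration: the zone data, domain names and addresses are constructed, the in-memory table stands in for real DNS lookups, and the order of checks in `classify` is an assumption based only on the replies in this thread.

```python
"""Model of the two behaviours described in the thread (added example, not EMSX code):
1. expanding an approved domain to sender IPs via A, MX and SPF records;
2. an Ignored IP list that skips IP checks only, versus a whitelist that accepts the mail.
"""
import ipaddress

# Constructed zone data for a hypothetical domain (not taken from the thread).
ZONE = {
    "example-firm.test": {
        "A": ["198.51.100.10"],
        "MX": ["mail.example-firm.test", "mx.hosting-provider.test"],
        "TXT": ["v=spf1 a mx include:_spf.hosting-provider.test ip4:203.0.113.0/29 -all"],
    },
    "mail.example-firm.test": {"A": ["198.51.100.25"]},
    "mx.hosting-provider.test": {"A": ["203.0.113.40"]},
    "_spf.hosting-provider.test": {"TXT": ["v=spf1 ip4:203.0.113.64/26 -all"]},
}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name, {}).get(rtype, [])


def expand_domain(domain, depth=0, seen=None):
    """Return the set of IPv4 networks the domain's A, MX and SPF records resolve to."""
    seen = set() if seen is None else seen
    if domain in seen or depth > 10:  # guard against include: loops (SPF caps lookups at 10)
        return set()
    seen.add(domain)
    nets = set()
    for ip in lookup(domain, "A"):
        nets.add(ipaddress.ip_network(ip))
    for mx_host in lookup(domain, "MX"):
        for ip in lookup(mx_host, "A"):
            nets.add(ipaddress.ip_network(ip))
    for txt in lookup(domain, "TXT"):
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            mech = term.lstrip("+-~?")  # drop the SPF qualifier
            if mech.startswith("ip4:"):
                nets.add(ipaddress.ip_network(mech[4:], strict=False))
            elif mech.startswith("include:"):
                nets |= expand_domain(mech[8:], depth + 1, seen)
            elif mech.startswith("a:"):
                nets.update(ipaddress.ip_network(ip) for ip in lookup(mech[2:], "A"))
            elif mech.startswith("mx:"):
                for mx_host in lookup(mech[3:], "MX"):
                    nets.update(ipaddress.ip_network(ip) for ip in lookup(mx_host, "A"))
            # bare "a" / "mx" are already covered above; "-all" etc. carry no addresses
    return nets


def sender_allowed(domain, sender_ip):
    """True if sender_ip falls inside any network the approved domain expands to."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in expand_domain(domain))


def classify(sender_ip, body_domains, *, whitelist=(), ignored_ips=(),
             ip_blacklist=(), domain_blacklist=()):
    """Return (verdict, reason). Assumed order: whitelist, IP blacklists, body domains."""
    if sender_ip in whitelist:
        return ("ham", "sender IP whitelisted; whole message accepted")
    # Ignored IP list: skip every IP-based check but keep going with the rest.
    if sender_ip not in ignored_ips and sender_ip in ip_blacklist:
        return ("spam", f"IP ({sender_ip}) found on black list")
    for dom in body_domains:
        if dom in domain_blacklist:
            return ("spam", f"domain {dom} in message body is blacklisted")
    return ("ham", "no rule matched")


if __name__ == "__main__":
    print(sorted(str(n) for n in expand_domain("example-firm.test")))
    print(sender_allowed("example-firm.test", "203.0.113.70"))   # inside the include's /26
    print(sender_allowed("example-firm.test", "203.0.113.200"))  # provider IP not in DNS
    bad = {"203.0.113.200"}
    print(classify("203.0.113.200", ["bad.test"], ignored_ips=bad, ip_blacklist=bad,
                   domain_blacklist={"bad.test"}))
```

Running it shows the case the thread ends on: a sender IP that the provider uses but that is not reachable from the domain's A, MX or SPF records is not covered by the approved-domain expansion, while the same IP placed on the ignored list stops the IP blacklist hit but not a body-domain hit.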

On 4/1/2021 at 11:51 AM, M.K. said:

First question - yes, exactly.

Regarding the blacklist check - if the IP is on the Ignored list, then no checks are performed on the IP, neither against cloud nor against local blacklists. But the email could be, for example, marked as spam due to a blacklisted domain in the message body.

Very clear, thanks. It should be explained like this on the help pages.

On 4/1/2021 at 11:54 AM, M.K. said:

EMSX tries to resolve as many IP addresses associated with that domain as possible - using A, MX, and SPF records. All resolved IPs can be checked in the Edit dialog in Advanced settings.

If the IP is on the list (approved domain to IP list) and the email is still being marked as spam, please submit a support ticket so we can have a look at it.

It seems like their email provider is sending from an IP (190.61.219.106) not associated with estudio-santoianni.com.ar in DNS. I advised them to discuss this with their email provider.

Still, I thought that adding the domain to the "ignored body domain list" would allow mails coming from any @estudio-santoianni.com.ar address to go through, regardless of the sending IP address, but it still gets quarantined. I thought that it was a simple string check, but against what field(s) is EMSX checking the domains from this list? Against the sending email address? Or "received: from" records? Or maybe somewhere else? How does this list work, exactly?

Regards


By the way, the reason is still: "IP (190.61.219.106) found on cloud black list 1". Are you sure that this IP is NOT blacklisted? If so, then how can this be the reason?

I recently updated to EMSX 7.3.10011.0, if that's of any help.

I opened a support ticket with zma.la, but I could open a ticket with ESET directly, if you give me instructions on how to do that.


  • Administrators
15 hours ago, frapetti said:

By the way, the reason is still: "IP (190.61.219.106) found on cloud black list 1". Are you sure that this IP is NOT blacklisted? If so, then how can this be the reason?

It shouldn't be the reason:

Sender's IP "190.61.219.106" is classified as OK.
