JvdMeij Regular Contributor.

IP reputation tempfail


 Hello,

I have IP reputation service enabled in SMG. Our mail is delivered to external servers (the MX records) and then delivered to our mail server. This is created to be able to do maintenance jobs on the network. Mail will still be received during maintenance hours and will be delivered once our own mail system is online again.

But now I often see in the SMG smtp logs: temporary rejection [IP reputation tempfail]. The IP address listed here is the IP address of the external server.

I made an IP address exception in the Scan filter configuration. But apparently that does not work. Still the same tempfails. Some messages are delayed several hours because of this.

What am I doing wrong?

 

 


Accepted Solutions
Micro Focus Contributor

Re: IP reputation tempfail

@JvdMeij  IPReputation tempfail is IPReputations graylisting and can only be done on the connection drop level. That would explain why your whitelist entry didn't work, if you added it on the policy level.

I would recommend disabling this since all your email will be coming from that IP, is that correct? If so, you can disable this under Module Management | Interfaces | SMTP Interface | connection drop services. In fact I would disable IP reputation altogether here, as well as RBL. You can enable them on the policy level, since it will scan the IP's in the mime header rather than just the IP the email is from.

Otherwise, if you just want to whitelist this IP from connection drop scanning, under SMTP interfaces | Relay host protection, you can add the IP here and check the box for Skip Conn. tests. (make sure allow relay is unchecked).

 

 

Knowledge Partner

Re: IP reputation tempfail

Depending on your settings SMG can reject an email if any of the SMTP servers that processed the email, not just the last one which sent it to you, have reputation issues. Perhaps you white listed the wrong SMTP server?

What version of SMG are you running?

_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
Who are the Knowledge Partners?
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
JvdMeij Regular Contributor.

Re: IP reputation tempfail

Rev. 721, latest version.

No, I did not whitelist the wrong IP.

[140667284088576] 2019-08-02 10:01:55 (IPRP)<101> IP reputation tempfail record found: 94.228.129.7
[140667284088576] 2019-08-02 10:01:55 (IPRP)<101> Spam (iprep) scan x-ctch-refid:tid=0001.0A0B0302.5D43EDE2.0051
[140667284088576] 2019-08-02 10:01:55 (IPRP)<101> IP reputation located entry for address: 94.228.129.7
[140667284088576] 2019-08-02 10:01:55 (SMTP)<101> RBL connection test for 94.228.129.7 passed
[140667284088576] 2019-08-02 10:01:55 (SMTP)<101> Connection will be dropped
[140667284088576] 2019-08-02 10:01:55 (SMTP)<101> [g->c] 421 IP address 94.228.129.7 temporary rejection [IP reputation tempfail]

And this is one of the IP's that serve as frontend MX records. This IP is added as IP exception. So it does not fail on another server in the chain, but on the last.

Anyway, I don't see any option to check upstream servers.

Jan
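
An added example (not part of the thread, and not Micro Focus code): a Python script that scans SMG SMTP log lines in the format posted above and reports which connecting IPs received the 421 IP reputation tempfail, flagging any that are your own front-end MX relays. The `trusted_relays` set, the function names and every log line not copied from the post are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# The 421 reply SMG sends to the connecting host, in the log layout posted above.
TEMPFAIL = re.compile(
    r"^\[\d+\] (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \(SMTP\)<\d+> "
    r"\[g->c\] 421 IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"temporary rejection \[IP reputation tempfail\]"
)

def tempfail_report(lines, trusted_relays):
    """Summarise IP reputation tempfails per connecting IP.

    trusted_relays is supplied by the admin (assumption): the IPs of your
    own front-end MX hosts, which should never be greylisted.
    """
    hits = defaultdict(list)
    for line in lines:
        m = TEMPFAIL.match(line.strip())
        if m:
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    report = {}
    for ip, stamps in hits.items():
        stamps.sort()
        report[ip] = {
            "count": len(stamps),
            "span_minutes": (stamps[-1] - stamps[0]).total_seconds() / 60,
            "own_relay": ip in trusted_relays,
        }
    return report

def relays_needing_skip(report):
    """Own relays that were tempfailed: candidates for 'Skip Conn. tests'."""
    return sorted(ip for ip, r in report.items() if r["own_relay"])

# Lines 1-3 are copied from the post; the remaining lines are constructed.
SAMPLE_LOG = """\
[140667284088576] 2019-08-02 10:01:55 (IPRP)<101> IP reputation tempfail record found: 94.228.129.7
[140667284088576] 2019-08-02 10:01:55 (SMTP)<101> RBL connection test for 94.228.129.7 passed
[140667284088576] 2019-08-02 10:01:55 (SMTP)<101> [g->c] 421 IP address 94.228.129.7 temporary rejection [IP reputation tempfail]
[140667284088576] 2019-08-02 10:31:55 (SMTP)<117> [g->c] 421 IP address 94.228.129.7 temporary rejection [IP reputation tempfail]
[140667284088576] 2019-08-02 11:02:10 (SMTP)<130> [g->c] 421 IP address 203.0.113.25 temporary rejection [IP reputation tempfail]
[140667284088576] 2019-08-02 12:16:55 (SMTP)<142> [g->c] 421 IP address 94.228.129.7 temporary rejection [IP reputation tempfail]
"""

if __name__ == "__main__":
    rep = tempfail_report(SAMPLE_LOG.splitlines(), {"94.228.129.7"})
    for ip, r in rep.items():
        print(ip, r)
    print("add to Skip Conn. tests:", relays_needing_skip(rep))
```

A repeated tempfail over a long span for one of your own relays corresponds to the multi-hour delays described in the question.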

Knowledge Partner

Re: IP reputation tempfail

Hi Jan,

I apologize for my previous post. You did say "IP reputation tempfail" but somehow I was thinking RBL. 😞

The IP reputation help states:

IP Reputation works much like a RBL or SURBL filter but also uses a whitelist for common message sources. IP Reputation will temporarily block messages from sources which are not found on either list. The temporary fail is performed via a connection drop. If the sending gateway repeats sending attempts, the messages will be allowed through.

For an IP Reputation filter to be effective, it needs to be utilized on the SMTP interface with both trigger options enabled. If the trigger options are disabled, the events will not cause the filter to drop the connection and block the message.

I find this description quite confusing as it can be interpreted in different ways. I will comment on that because I will be referring the SMG documentation team to my comments:

"but also uses a whitelist for common message sources". 

  • I assume whitelist is a generic reference because there is a White List exception that uses email addresses.
  • I too assume the IP Address exception is the correct one to use.

IP Reputation will temporarily block messages from sources which are not found on either list.

  • If a message isn't blocked because of an RBL or SURBL filter and an IP Reputation filter is used, the connection will be dropped temporarily unless an exception has been created.

You have set up an IP Address exception and it doesn't appear to be working for you so I can only speculate as to the cause.

  • It could be due to a bug.
  • There may be some issues with how the IP Address(es) were entered into the IP Address exception.
    • One per line?
    • Extra spaces somewhere?
    • A blank line at the end?
  • Do your policies only contain a single IP Reputation filter? i.e. the one that is firing has the exception configured?
  • Have you tried to restart the appliance?

If all looks good, I don't have any other ideas so it may be time to open a Service Request.

These days, dropping a connection is a standard technique used to reduce spam. Most SMTP servers should retry the email delivery after a few minutes. If the one that forwards your email to your server doesn't retry for an extended period, it may once again experience a dropped connection. You may want to ask if that is what's happening.

_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
Knowledge Partner

Re: IP reputation tempfail

Hi Suzie,

Thanks for jumping in. Your expertise is appreciated!


@suziew wrote:

IPReputation tempfail is IPReputations graylisting and can only be done on the connection drop level. That would explain why your whitelist entry didn't work, if you added it on the policy level.

I'm not following what you say. The text I posted earlier is from the IP Reputation filter help and it says it "uses a whitelist for common message sources".  Is there another place where IP Reputation is enabled and/or white listed?


I would recommend disabling this since all your email will be coming from that IP, is that correct? If so, you can disable this under Module Management | Interfaces | SMTP Interface | connection drop services. In fact I would disable IP reputation altogether here, as well as RBL.

That makes a lot of sense. The drop connection approach has little effect other than to delay email when used on the primary email feed. Unless a firewall prevents connections from all other SMTP servers, the IP Reputation filter still has value: SMTP servers don't always use MX records. They can attempt connections using the IP address associated with the domain name or by trying random IP addresses. 

The system I'm supporting is Secure Cloud Messaging Gateway and I do not see a Module Management section. I assume this option is not available to SCMG customers? Is this enabled in the Micro Focus SCMG offering?


You can enable them on the policy level, since it will scan the IP's in the mime header rather than just the IP the email is from.

How does this improve IP Reputation? The message has already been forwarded by the other SMTP servers so the only SMTP server of consequence is the one currently attempting a connection.


Otherwise, if you just want to whitelist this IP from connection drop scanning, under SMTP interfaces | Relay host protection, you can add the IP here and check the box for Skip Conn. tests. (make sure allow relay is unchecked).

Again, this workaround is not available to Secure Cloud Messaging Gateway customers, is that correct?

_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
Knowledge Partner

Re: IP reputation tempfail

@suziew

Thank you for the like.
Are you able to answer my questions?
_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
Micro Focus Contributor

Re: IP reputation tempfail

@KBOYLE wrote:
@suziew

Thank you for the like.
Are you able to answer my questions?

Sorry Kevin, I'm not very familiar with this board and missed your questions.

"I'm not following what you say. The text I posted earlier is from the IP Reputation filter help and it says it "uses a whitelist for common message sources".  Is there another place where IP Reputation is enabled and/or white listed?"  ----- IP reputation temp fail is a graylist. It's a global list shared with everyone using it. The way graylisting works is if an IP that isn't on their trusted list (what the help is referring to as a whitelist), it will temp fail it. The idea behind this is a normal server will retry and then get added to this trust list. Spammers most of the time won't retry.

 

" I assume this option is not available to SCMG customers? Is this enabled in the Micro Focus SCMG offering?" ---Correct, cloud customers don't have access to these settings, as it will affect all cloud customers. However, you can request a certain IP be added to the 'skip conn. tests' list. Yes, it is enabled on the SMG cloud servers.

 

"How does this improve IP Reputation? The message has already been forwarded by the other SMTP servers so the only SMTP server of consequence is the one currently attempting a connection."  --- You are right, it won't help having this enabled on the policy level. I was thinking of RBL where it will scan the other IP's in the header. IP rep will only scan the original IP.

 

"Again, this workaround is not available to Secure Cloud Messaging Gateway customers, is that correct?" --- Correct, other than you can request a certain IP be added to the 'skip conn. tests' list.

Hopefully I answered all your questions. Let me know if I missed any or if you have more.

Knowledge Partner

Re: IP reputation tempfail

@suziew wrote:

Sorry Kevin, I'm not very familiar with this board and missed your questions.

That's okay. We're all still learning our way around.



----- IP reputation temp fail is a graylist. It's a global list shared with everyone using it. 

The IP Reputation filter help, if I'm interpreting it correctly, is saying IP reputation will be checked if that filter is used and the whitelist part implies that, if an IP address appears in an IP address exception (for that filter), it won't be checked!

If this is not how it works, what use is the IP Reputation filter?

The way graylisting works is if an IP that isn't on their trusted list (what the help is referring to as a whitelist), it will temp fail it. The idea behind this is a normal server will retry and then get added to this trust list. Spammers most of the time won't retry.

I understand how graylisting works. Are you implying that SMG will automatically add a server that retries to the trusted list? I try to learn about such features by reading the documentation but I've obviously missed something. How does this work? Where is this trusted list?

You have answered my other questions, thank you.

_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
Micro Focus Contributor

Re: IP reputation tempfail

@KBOYLE wrote:


The IP Reputation filter help, if I'm interpreting it correctly, is saying IP reputation will be checked if that filter is used and the whitelist part implies that, if an IP address appears in an IP address exception (for that filter), it won't be checked!

If this is not how it works, what use is the IP Reputation filter?

IP address exceptions do work with the IP reputation filter. The whitelisting that it's referring to in the help only has to do with the graylisting, which can only happen on the connection drop level. This is not a list that each individual SMG server controls, it's part of the IP rep. service that SMG uses when doing IPrep. lookups.

The way graylisting works is if an IP that isn't on their trusted list (what the help is referring to as a whitelist), it will temp fail it. The idea behind this is a normal server will retry and then get added to this trust list. Spammers most of the time won't retry.

"I understand how graylisting works. Are you implying that SMG will automatically add a server that retries to the trusted list?" --- Yes (although it's the IP rep service, not SMG itself. It also doesn't mean that this IP is whitelisted from the IP reputation blacklist).

"I try to learn about such features by reading the documentation but I've obviously missed something. How does this work? Where is this trusted list?" --- It's not on the SMG server, it's the IP reputation service that SMG uses. There's not a way to see the IP's on the trust list. But you can go here to check an IP against their list: https://www.cyren.com/security-center/cyren-ip-reputation-check

You have answered my other questions, thank you.


 

Knowledge Partner

Re: IP reputation tempfail

@suziew 

It's much clearer now, I think:

When the IP Reputation filter is used,

  1. if the IP address of the SMTP server attempting to connect is not listed in the IP Address exception,
    then SMG will consult the IP reputation service.
  2. if the IP address is not on the IP reputation service's trusted server list,
    then SMG will be notified and will temporarily drop the connection to the SMTP server attempting to deliver the email.
  3. if the server retries the connection,
    then SMG will notify the IP reputation service and the IP reputation service will whitelist that IP address so the next time the connection will not be dropped.

If #1 and #2 are correct, that is a much better explanation of how the IP Reputation filter works than the help button provides and it answers my question. 🙂

Based on your explanation, I assume #3 is true but there must also be a way to have the IP address removed from the trusted server list if things change.

When you said "It also doesn't mean that this IP is whitelisted from the IP reputation blacklist", I'm not sure I follow that unless you mean another blacklist maintained by SMG.

_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
JvdMeij Regular Contributor.

Re: IP reputation tempfail

Thank you! This clarifies the working and settings to make. Indeed (almost) all emails are coming from the same 4 IP's since they are my MX records.