
threat prevention blocking inbound email from gmail


  • #1

    Yesterday I turned on Threat Prevention for the first time, with the default setting, set to block only High Risk. This morning I discovered we aren't receiving ANY Gmail, and people (including me) have missed critical messages. The moment I turned off Threat Prevention, we can receive Gmail again.

    How can Gmail be considered high risk?

  • #2
    Here's evidence of the crime: a Threat Prevention report showing blocking of SMTP inbound from the server.

    (Attached image: threatprevention.png)

    Excerpt from the mail server log showing that very same server, identified as a Google mail server, delivering mail after Threat Prevention was turned off just after 10:00am:

    10:05:44:266 FDD6 DMN: MSG 41952061 Accepted connection: [] (
    10:05:44:821 FDD6 DMN: MSG 41952061 SMTP upgraded to a secure connection.
    10:05:44:972 FDD6 DMN: MSG 41952061 Receiving file: /media/nss/MAIL/domain/wpgate/gwia/receive/87189146.496
    10:05:50:925 FD4D MSG 41952061 Processing inbound message: /media/nss/MAIL/domain/wpgate/gwia/receive/87189146.496
    10:05:50:925 FD4D MSG 41952061 Sender: <redacted>
    10:05:50:925 FD4D MSG 41952061 Recipient: <redacted>
    10:05:50:928 FD4D MSG 41952061 Queuing to MTA
    10:05:50:929 FD4D MSG 41952061 File: /media/nss/MAIL/domain/wpgate/gwia/wpcsin/4/4419817e.ls1 Message Id: (1587C79F.DE8:50:15848) Size: 10.8 Kb
    10:06:18:414 FDD6 DMN: MSG 41952061 SMTP session ended: [] (
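
    A small check in the spirit of the evidence above, added here as an example and not part of the thread or of any vendor tool: it groups GWIA-style log lines of the shape quoted into one record per SMTP session and flags peers that appear on the Threat Prevention block list yet later completed a normal delivery, which is the false-positive pattern described. The log lines, the block list and the peer IPs are constructed (RFC 5737 documentation addresses), and the `[ip] (host)` layout of the connection line is an assumption.

```python
import re
from collections import defaultdict

# Constructed GWIA-style excerpt shaped like the one quoted in post #2.
# Peer IPs are documentation addresses (RFC 5737), not real mail hosts.
GWIA_LOG = """\
10:05:44:266 FDD6 DMN: MSG 41952061 Accepted connection: [203.0.113.10] (mx.google.example)
10:05:44:821 FDD6 DMN: MSG 41952061 SMTP upgraded to a secure connection.
10:05:50:925 FD4D MSG 41952061 Sender: <alice@gmail.example>
10:05:50:925 FD4D MSG 41952061 Recipient: <bob@domain.example>
10:05:50:928 FD4D MSG 41952061 Queuing to MTA
10:06:18:414 FDD6 DMN: MSG 41952061 SMTP session ended: [203.0.113.10] (mx.google.example)
10:07:01:002 FDD6 DMN: MSG 41952062 Accepted connection: [198.51.100.7] (unknown.example)
10:07:02:110 FDD6 DMN: MSG 41952062 SMTP session ended: [198.51.100.7] (unknown.example)
"""

# Constructed stand-in for the "blocked SMTP inbound" rows of the Threat Prevention report.
TP_BLOCKED = {"203.0.113.10"}

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d):\d{3} \w+ (?:DMN: )?MSG (\d+) (.*)$")
PEER_RE = re.compile(r"\[(\d+(?:\.\d+){3})\]")


def parse_sessions(log_text):
    """Group log lines by message id into one record per SMTP session."""
    sessions = defaultdict(lambda: {"start": None, "peer": None, "tls": False,
                                    "sender": None, "queued": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not MSG events
        clock, msg_id, event = m.groups()
        s = sessions[msg_id]
        if event.startswith("Accepted connection"):
            s["start"] = clock
            peer = PEER_RE.search(event)
            s["peer"] = peer.group(1) if peer else None
        elif event.startswith("SMTP upgraded to a secure connection"):
            s["tls"] = True
        elif event.startswith("Sender:"):
            s["sender"] = event.split(":", 1)[1].strip()
        elif event.startswith("Queuing to MTA"):
            s["queued"] = True
    return dict(sessions)


def false_positive_candidates(sessions, blocked_ips):
    """Blocked peers that completed a normal delivery once blocking was lifted."""
    return sorted({s["peer"] for s in sessions.values()
                   if s["peer"] in blocked_ips and s["queued"]})
```

Running `false_positive_candidates(parse_sessions(GWIA_LOG), TP_BLOCKED)` on the constructed data returns the single Google-like peer, the same contradiction the log excerpt and the report together show.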


    • #3
      There's something screwy about the way Threat Management is interpreting the BrightCloud data. Consider IP, which is one of Google's name servers. If I ask Threat Management to look that up, I get:

      Server Reputation: High Risk (1 occurrences) - These are high risk IP addresses...
      Client Reputation: Low Risk (105 occurrences) - These are benign IPs...

      (And yes, while I had Threat Management on, it blocked my DNS server from talking to this Google name server on UDP port 53.)

      Yet when I look up the same IP at BrightCloud (, it shows this IP address as "Benign". If I click for the content data, it does show a 10 of 100 Web reputation score, apparently based on being unpopular and having 1 infection (whatever that may mean) in the past year.

      It just doesn't seem like Threat Prevention is interpreting the data correctly when it blocks a legit name server IP which BrightCloud says is "Benign".