threat prevention blocking inbound email from gmail


  • threat prevention blocking inbound email from gmail

    Yesterday I turned on Threat Prevention for the first time, with the default setting, set to block only High Risk. This morning I discovered we aren't receiving ANY gmail, and people (including me) have missed critical messages. The moment I turned off Threat Prevention, we could receive gmail again.

    How can gmail be considered high risk?

  • #2
    Here's evidence of the crime. Threat Prevention report showing blocking of SMTP inbound from server 209.85.160.170:

    [Image: threatprevention.png]

    Excerpt from mail server log showing that very same server, identified as a google mail server, delivering mail after Threat Prevention was turned off just after 10:00am:

    Code:
    10:05:44:266 FDD6 DMN: MSG 41952061 Accepted connection: [209.85.160.170] (mail-qt1-f170.google.com)
    10:05:44:821 FDD6 DMN: MSG 41952061 SMTP upgraded to a secure connection.
    10:05:44:972 FDD6 DMN: MSG 41952061 Receiving file: /media/nss/MAIL/domain/wpgate/gwia/receive/87189146.496
    10:05:50:925 FD4D MSG 41952061 Processing inbound message: /media/nss/MAIL/domain/wpgate/gwia/receive/87189146.496
    10:05:50:925 FD4D MSG 41952061 Sender: <redacted>
    10:05:50:925 FD4D MSG 41952061 Recipient: <redacted>
    10:05:50:928 FD4D MSG 41952061 Queuing to MTA
    10:05:50:929 FD4D MSG 41952061 File: /media/nss/MAIL/domain/wpgate/gwia/wpcsin/4/4419817e.ls1 Message Id: (1587C79F.DE8:50:15848) Size: 10.8 Kb
    10:06:18:414 FDD6 DMN: MSG 41952061 SMTP session ended: [209.85.160.170] (mail-qt1-f170.google.com)

    • #3
      There's something screwy about the way Threat Management is interpreting the BrightCloud data. Consider IP 216.239.36.10, which is one of Google's name servers, ns3.google.com. If I ask Threat Management to look that up, I get:

      Server Reputation: High Risk (1 occurrences) - These are high risk IP addresses...
      Client Reputation: Low Risk (105 occurrences) - These are benign IPs...

      (and yes, while I had Threat Management on, it blocked my DNS server from talking to this google name server on UDP port 53)

      Yet when I look up the same IP at BrightCloud (http://brightcloud.com/tools/url-ip-lookup.php), it shows this IP address as "Benign". If I click for the content data it does show a 10 of 100 Web reputation score, apparently based on being unpopular and having 1 infection (whatever that may mean) in the past year.

      It just doesn't seem like Threat Prevention is interpreting the data correctly, when it blocks a legit name server IP which BrightCloud says is "Benign".

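Posts #2 and #3 describe the same symptom from two sides: the firewall's block report and the mail server's GWIA log. As an added illustration, not code from this thread or from the product, the script below parses log lines in the quoted format and cross-references a block-report IP list against the MTAs the mail server actually accepted, so an admin can see which blocks hit a known, named mail relay before deciding on a pass rule. All sample data is constructed except the Google IP and hostname quoted in post #2.

```python
import re
from collections import defaultdict

# Constructed sample in the GWIA log format quoted above: the first session reuses the Google
# MTA IP/hostname from the thread; the second peer, its address and all message ids are made up.
MAIL_LOG = """\
10:05:44:266 FDD6 DMN: MSG 41952061 Accepted connection: [209.85.160.170] (mail-qt1-f170.google.com)
10:05:44:821 FDD6 DMN: MSG 41952061 SMTP upgraded to a secure connection.
10:06:18:414 FDD6 DMN: MSG 41952061 SMTP session ended: [209.85.160.170] (mail-qt1-f170.google.com)
10:07:01:004 FDD7 DMN: MSG 41952062 Accepted connection: [198.51.100.23] (unknown)
10:07:03:118 FDD7 DMN: MSG 41952062 SMTP session ended: [198.51.100.23] (unknown)
"""

# IPs a (constructed) Threat Prevention block report lists; only the first appears in the thread.
BLOCKED_REPORT = ["209.85.160.170", "198.51.100.23", "203.0.113.9"]

ACCEPT_RE = re.compile(r"MSG (\d+) Accepted connection: \[([\d.]+)\] \(([^)]*)\)")
TLS_RE = re.compile(r"MSG (\d+) SMTP upgraded to a secure connection")


def parse_mail_peers(log_text):
    """Summarise inbound SMTP peers as {ip: {"hosts": set, "sessions": int, "tls": int}}."""
    peers = defaultdict(lambda: {"hosts": set(), "sessions": 0, "tls": 0})
    msg_to_ip = {}  # GWIA message id -> peer IP, so later lines can be attributed to a peer
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            msg_id, ip, host = m.groups()
            msg_to_ip[msg_id] = ip
            peers[ip]["hosts"].add(host)
            peers[ip]["sessions"] += 1
            continue
        t = TLS_RE.search(line)
        if t and t.group(1) in msg_to_ip:
            peers[msg_to_ip[t.group(1)]]["tls"] += 1
    return dict(peers)


def triage_blocked(blocked, peers, trusted_suffixes=(".google.com",)):
    """Return [(ip, reason)] for blocked IPs the mail log shows as known MTAs with a trusted name."""
    # The logged hostname is the MTA's own reverse lookup, not an authenticated identity, so the
    # result is a review queue for a manual pass rule rather than an automatic allow-list.
    findings = []
    for ip in blocked:
        p = peers.get(ip)
        if p and any(h.endswith(trusted_suffixes) for h in p["hosts"]):
            reason = f"{p['sessions']} prior session(s), {p['tls']} with TLS, PTR {sorted(p['hosts'])}"
            findings.append((ip, reason))
    return findings
```

Calling `triage_blocked(BLOCKED_REPORT, parse_mail_peers(MAIL_LOG))` returns only the Google relay from post #2; the unnamed peer and the IP never seen by the mail server are left for the reputation data to decide.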