Email Security.cloud

  • 1.  Corporate Mail Server IP Blocked: how to identify root cause

    Posted Mar 28, 2017 03:28 PM

    Good morning,

    Our corporate email server (IP 95.141.47.150) is being blocked by your network. Going to http://ipremoval.sms.symantec.com/lookup/ helps just for some days and then it's blocked again. The server is clean, clients are AV protected, and the hosted domains have SPF records in DNS for the legitimate relays. Can you help me find out what the root cause is?

    thank you,

    best regards,

    Michele Baresi

     



  • 2.  RE: Corporate Mail Server IP Blocked: how to identify root cause

    Broadcom Employee
    Posted Mar 30, 2017 02:40 AM

    Hi Michele

    I can see the IP is again listed. I think the best way to progress is one of the following 2 ways.

    You can leverage your relationship with one of our customers and advise them to raise a case with our support through their designated contact. Alternatively, you can follow the below.

    A legitimate email which has been incorrectly given a verdict of spam can be submitted to Symantec for analysis and filter review. 

    To analyze a false positive sample, Symantec must receive the original false positive email:

    • As a "message/rfc822" email attachment*
    • One email attachment per submission**

    Send the false positive sample as an email attachment to the following address:

    CLOUDfeedback@feedback-87.brightmail.com

    Keep in mind we need the original mail, not the bounce back you received in return.

    Regards,

    Ian Tiller

    Tier 2 Senior Technical Support Engineer
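
The submission format described in the reply above (one original message per submission, attached as message/rfc822, and not the bounce), as an added example that is not part of the original thread. The sample messages, the function names and the bounce heuristic are constructed for illustration; only the destination address comes from the thread.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBMIT_TO = "CLOUDfeedback@feedback-87.brightmail.com"  # address given in the thread

# Constructed sample standing in for an original message exported as .eml
SAMPLE_ORIGINAL = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Quarterly invoice\r\n"
    b"Message-ID: <constructed-1@example.org>\r\n"
    b"\r\n"
    b"Please find the invoice attached.\r\n"
)

# Constructed sample of a bounce (delivery status notification)
SAMPLE_BOUNCE = (
    b"From: MAILER-DAEMON@example.net\r\n"
    b"To: alice@example.org\r\n"
    b"Subject: Undelivered Mail Returned to Sender\r\n"
    b"Content-Type: multipart/report; report-type=delivery-status;"
    b" boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nblocked\r\n--b1--\r\n"
)

def is_bounce(msg):
    """Heuristic (an assumption): DSN content type or a MAILER-DAEMON sender."""
    if msg.get_content_type() == "multipart/report":
        return True
    return "mailer-daemon" in str(msg.get("From", "")).lower()

def build_submission(raw_original, submitter):
    """Wrap exactly one original message as a message/rfc822 attachment."""
    original = message_from_bytes(raw_original, policy=policy.default)
    if is_bounce(original):
        raise ValueError("this is a bounce; submit the original message instead")
    wrapper = EmailMessage()
    wrapper["From"] = submitter
    wrapper["To"] = SUBMIT_TO
    wrapper["Subject"] = "False positive sample"
    wrapper.set_content("Original message attached for false positive review.")
    # Passing a message object makes the attachment part message/rfc822,
    # so the original headers and body travel unmodified.
    wrapper.add_attachment(original)
    return wrapper
```

Forwarding the message inline instead would rewrite its headers; attaching the exported .eml this way keeps them intact for analysis.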



  • 3.  RE: Corporate Mail Server IP Blocked: how to identify root cause

    Posted Apr 09, 2017 01:33 PM

    Hi Ian,

    Thanks for your kind answer.

    You wrote: "A legitimate email which has been incorrectly given a verdict of spam can be submitted to Symantec for analysis and filter review.". Are you saying that your system works on a per-message basis or on an IP-address basis? If it's on an IP basis, I don't know which message I could send to you for analysis, because I don't know which one triggered your systems to think the whole mail server is sending spam. Our servers host a dozen domains for which we're totally responsible and which are not open anyway to public SMTP relay.

    Does your system give a verdict of spam on a sender-domain basis or based on mail content? Is it going to be better if we deploy DKIM to further strengthen our sender domain identification? (We actually have SPF on all domains.)

    Could you please give me more advice for strengthening our server reputation on your anti-spam systems?

    Thank you so much,

    best regards,

    Michele Baresi



  • 4.  RE: Corporate Mail Server IP Blocked: how to identify root cause

    Broadcom Employee
    Posted Apr 21, 2017 06:04 AM

    Hi Michele

    Apologies for the delay in responding to you.

    As it's your IP that is the cause of the issue here you can submit pretty much any email that would have come from that IP for us to investigate, ideally submit a few examples. Once you've done that let me know the address they were submitted from and the date and I can look into them for you.

    In regards to strengthening your reputation, SPF (which you advised you already have), DKIM and DMARC I think will all likely help with this and help protect you from any spoofs.

     

    Kind regards

     

    Ian Tiller

    Tier 2 Senior Technical Support Engineer



  • 5.  RE: Corporate Mail Server IP Blocked: how to identify root cause

    Posted Apr 27, 2017 03:14 PM

     

    Hi Ian,

    I just sent some messages to CLOUDfeedback@feedback-87.brightmail.com for false positive inspection. You can find them by sender; it's my email address: michele dot baresi at rifnet dot it

     

    Thanks,

    best regards,

    Michele



  • 6.  RE: Corporate Mail Server IP Blocked: how to identify root cause

    Broadcom Employee
    Posted Apr 28, 2017 05:36 AM

    Hi Michele

    I've had the team look at it and they've cleared this IP now so you should see no further issue with this.

    Can you check and confirm, and if happy mark this thread as resolved?

    Thanks

    Ian Tiller

    Tier 2 Senior Technical Support Engineer



  • 7.  RE: Corporate Mail Server IP Blocked: how to identify root cause

    Posted Apr 28, 2017 05:57 AM

    Hi Ian,

    Thanks so much, I will check and report back to you.

    Can you give me some hints at what the root cause was like? 

    Regards,

    Michele Baresi



  • 8.  RE: Corporate Mail Server IP Blocked: how to identify root cause
    Best Answer

    Broadcom Employee
    Posted May 02, 2017 06:46 AM

    Hi Michib

    I'm not able to elaborate on the root cause as no information was provided other than to say this was a false positive based on the IP address. It may be that we saw some potentially suspicious activity from it in the past.

    If this has now resolved your issue, can I ask you to mark this thread as resolved?

    Thanks

    Ian Tiller

    Tier 2 Senior Technical Support Engineer