paf-skov
Level 7

Mxlogic still denies hours after Spamhaus has delisted


Hi,

Even several hours after being de-listed at Spamhaus.org, we still get the error below when sending mails to several of our customers who seem to be using mxlogic.

When we click the Spamhaus link below, the IP address is shown as not listed, but it was blocked some hours ago due to an infected PC in our network.

But even though Spamhaus has been showing "not listed" for hours, mxlogic is still blocking our mails.

What are McAfee doing to speed up the mxlogic de-listing process?

Regards,

Peter - www.skov.com

p01c12m006.mxlogic.net udløste denne fejl:
Denied [SHXBL] - Denied by Spamhaus XBL - See http://www.spamhaus.org/query/bl?ip=217.198.210.234 (Mode: normal)

0 Kudos
1 Solution

Accepted Solutions
cascadia
Level 12

Re: Mxlogic still denies hours after Spamhaus has delisted


rnikolich,

The SaaS Product does have multiple layers of filtering. It generally flows in this pattern:

McAfee SaaS Firewall > Spamhaus RBLs > Global Rolling Block Lists and IP Reputation Blocks > Virus, Spam, Content, Etc. Filters

Or, in terms of time it takes to remove an entry:

24 hours > 24 hours > 2-4 hours (automatic listing/delisting based on traffic patterns) > Spam fingerprint entries vary greatly based on many factors and can take up to 24 hours

In many cases where the message is being denied by the McAfee SaaS Spam Filter level, issuing a "554 Denied" or "554 Denied [CS]", we can in many cases clear the fingerprint. This differs from Spamhaus though, which is largely outside of the control of McAfee. Listing and Delisting is managed by Spamhaus, and McAfee replicates their database on our system during low traffic periods to reduce customer impact from updating that large of a database. So, depending on how Spamhaus picked up the IP, it could be a server infection, configuration problem, or just poor sending practices. This is common practice, as polling Spamhaus databases for millions of messages a day is very resource intensive, not just to McAfee but Spamhaus as well.

Here are some KB articles that provide some additional information:

Bounce "554 Denied"

551 Mailhost is on our global blacklist error

Best Practices for Organizations Sending to McAfee SaaS Email Protection Customers

Hope this information helps clarify things.

Regards,

0 Kudos
3 Replies
cascadia
Level 12

Re: Mxlogic still denies hours after Spamhaus has delisted


Greetings Peter,

The McAfee SaaS Email Protection uses a replicated copy of the Spamhaus database, so it is not real time. It updates once every 24 hours, so the IP should be removed within about 24 hours of the removal on Spamhaus, depending on when the removal occurred.

Regards,

0 Kudos
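For a sender comparing the live Spamhaus answer with what a replicated copy may still hold, this added example (not part of the thread, and not McAfee or Spamhaus code) parses the denial line quoted in the question, builds the DNSBL query name, decodes Spamhaus return codes, and computes the latest time a copy refreshed every 24 hours should clear. The zone `zen.spamhaus.org` and all function names are choices made for this example.

```python
import ipaddress
import re
import socket
from datetime import datetime, timedelta

ZONE = "zen.spamhaus.org"          # assumption: Spamhaus combined zone (includes XBL)
REPLICA_LAG = timedelta(hours=24)  # refresh interval stated in the thread
# Denial line as quoted in the original question
BOUNCE = ("Denied [SHXBL] - Denied by Spamhaus XBL - See "
          "http://www.spamhaus.org/query/bl?ip=217.198.210.234 (Mode: normal)")

def dnsbl_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """Map Spamhaus return codes to list names; 127.255.255.x are errors, not listings."""
    lists, errors = set(), []
    for a in answers:
        last = int(a.rsplit(".", 1)[1])
        if a.startswith("127.255.255."):
            errors.append(a)       # e.g. query blocked because a public resolver was used
        elif a.startswith("127.0.0."):
            if last in (2, 3, 9):
                lists.add("SBL")
            elif 4 <= last <= 7:
                lists.add("XBL")
            elif last in (10, 11):
                lists.add("PBL")
    return sorted(lists), errors

def live_lookup(ip):
    """Query Spamhaus directly (needs network access and a non-public resolver)."""
    try:
        return classify(socket.gethostbyname_ex(dnsbl_name(ip))[2])
    except socket.gaierror:        # no answer: not listed, or the lookup itself failed
        return [], []

def parse_bounce(line):
    """Extract the filter tag and sender IP from a denial line like BOUNCE."""
    m = re.search(r"Denied \[(\w+)\].*?[?&]ip=(\d{1,3}(?:\.\d{1,3}){3})", line)
    return (m.group(1), m.group(2)) if m else None

def replica_clear_by(delisted_at):
    """Latest time a copy refreshed once every 24 hours should drop the entry."""
    return delisted_at + REPLICA_LAG
```

If `live_lookup` returns no lists and no errors while the bounce still carries `[SHXBL]`, the denial is coming from the stale copy and should clear by `replica_clear_by(...)` of the delisting time.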
rnikolich
Level 7

Re: Mxlogic still denies hours after Spamhaus has delisted


I think Peter's question is can McAfee speed up that replication?

From my own experience as a customer on the recipient side trying to receive email from clients who were blacklisted or even fingerprinted, we've actually had to call & request the fingerprint to be reset or on occasion whitelist those domains manually.

What I did hear recently was that in the event it's truly blacklisted it's sometimes not even making it to our filter but getting blocked before that, in which case you're kind of "up a creek". Thoughts on that Brad? If that is true then others (not just McAfee) protected recipients would be blocking that email. Correct?

Maybe an explanation on how/where & who blocks blacklisted emails/domains/sender IPs if it's not the recipient email protection service/appliance or application.

0 Kudos