3 Replies Latest reply: Dec 11, 2012 10:40 AM by Brad McGarr RSS

    Mxlogic still denies hours after Spamhaus has delisted




      Even several hours after beeing de-listed at Spamhaus.org, we still get the error below when sending mails to several of our customers who seems to be using mxlogic.

      When we click the Spamhaus link below, the ip address is shown as not listed, but it was blocked some hours ago due to a infected pc in our network.

      But even Spamhaus has been showing "not listed" for hours, mxlogic is still blocking our mails.

      What are McAfee doing to speed up the mxlogic de-listing process?



      Peter - www.skov.com


      p01c12m006.mxlogic.net udløste denne fejl:
      Denied [SHXBL] - Denied by Spamhaus XBL - See http://www.spamhaus.org/query/bl?ip= (Mode: normal)

        • 1. Re: Mxlogic still denies hours after Spamhaus has delisted
          Brad McGarr

          Greetings Peter,


          The McAfee SaaS Email Protection uses a replicated copy of the Spamhaus database, so it is not real time. It updates once every 24 hours so the IP should be removed within about 24 hours of the removal on Spamhaus, depending on when the removal occured.



          • 2. Re: Mxlogic still denies hours after Spamhaus has delisted

            I think Peters question is can McAfee speed up that replication? 


            From my own experiance as a customer on the reciepient side trying to receive email from clients who were blacklisted or even fingerprinted,  We've actually had to call & request the fingerprint to be reset or on occastion whitelist those domains manually.


            What I did hear recently was that in the event it's truly blacklisted its sometimes not even making it to our filter but getting blocked before that, in which case your kind of "up a creek".  Thoughts on that Brad?  If that is true then others ( not just McAfee ) protected reciepients would be blocking that email.  Correct?


            Maybe an explaination on how/where & who blocks blacklisted emails/domains/sender ip's if its not the reciepient email protection service/appliance or application.

            • 3. Re: Mxlogic still denies hours after Spamhaus has delisted
              Brad McGarr



              The SaaS Product does have multiple layers of filtering. It generally flows in this pattern:


              McAfee SaaS Firewall > Spamhaus RBLs > Global Rolling Block Lists and IP Reputation Blocks> Virus, Spam, Content, Etc. Filters


              Or, in terms of time it takes to remove an entry:


              24 hours > 24 hours > 2-4 hours (automatic listing/delisting based on traffic patterns) > Spam fingerprint entries vary greatly based on many factors and can take up to 24 hours


              In many cases where the message is being denied by the McAfee SaaS Spam Filter level, issuing a "554 Denied" or "554 Denied [CS]", we can in many cases clear the fingerprint. This differs from Spamhaus though, which is largely outside of the control of McAfee. Listing and Delisting is managed by Spamhaus, and McAfee replicates their database on our system during low traffic periods to reduce customer impact from updating that large of a database. So, depending on how Spamhaus picked up the IP, it could be a server infection, configuration problem, or just poor sending practices. This is common practice, as polling Spamhaus databases for millions of messages a day is very resource intensive, not just to McAfee but Spamhaus as well.


              Here are some KB articles that provide some additional information:


              Bounce "554 Denied"

              551 Mailhost is on our global blacklist error

              Best Practices for Organizations Sending to McAfee SaaS Email Protection Customers


              Hope this information helps clarify things.