Managing IP Reputation

  • 7024849
  • 01-Oct-2020
  • 21-Oct-2020

Environment

GWAVA (Secure Messaging Gateway)
SLES appliance

Situation

IP reputation is producing false positives: some senders receive a temporary failure and some are blocked outright. How does the IP reputation check work, and how can it be managed?

Resolution

SMG on SLES uses a different IP reputation service than SMG on Ubuntu and GWAVA 6.5 did. The previous service used the IP reputation tempfail as a form of greylisting; the current service does not.

When an IP is scanned, it receives a reputation score. The score for each IP is recorded in the smg-smtp log (for connection drop scanning) and in the smg-scanner log (for policy scanning).

Log example:

[140054362048256] 2020-10-07 00:10:58 (IPRP)<321927> IP address x.x.x.x delayed by IP reputation test with score of 500 (min 500)
[140054362048256] 2020-10-07 00:10:58 (IPRP)<321927> IP reputation located entry for address: x.x.x.x
[140054362048256] 2020-10-07 00:10:58 (SMTP)<321927> Connection will be dropped
[140054362048256] 2020-10-07 00:10:58 (SMTP)<321927> [g->c] 554 IP address x.x.x.x rejected [IP reputation tempfail]

The slider bar, located in the IP reputation settings, can be adjusted to Allow, Delay, or Reject IPs based on their score. It is divided into three parts so that the floor of the detection range can be lifted above 500 if required. The default setting is 0% Allow, 20% Delay, and 80% Reject.

With the default setting, everything in the 500-600 point range (20% of the slider) receives a tempfail, and everything above 600 receives a hard fail. If the thresholds need to change, the chart below helps determine the percentages to use based on which scores should be Allowed, Delayed, or Rejected:

Scores below 500 are always Allowed, so the slider starts at a score of 500. To convert a score into a slider percentage, subtract 500 (giving a value in the 0-500 range) and divide by 5:

Action   Real score   Normalized score (-500)   Percentage (div 5)
Allow    0-750        0-250                     0-50%
Delay    751-800      251-300                   50-60%
Reject   801-1000     301-500                   60-100%

For example, if this needs to be changed to Allow anything lower than 750, Delay between 751 - 800 and Reject 800 - 1000, then set it like this:


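The slider arithmetic above (subtract 500, divide by 5) and the score line from the smg-smtp log can be put together into a small tuning aid. The following is an added example, not code from the article or from SMG: it converts score thresholds into a slider split, replays scores pulled from log lines under the current and a proposed split, and so lets an administrator preview what a slider change would have done to recent senders before touching the appliance. The log lines are constructed from the single IPRP message format shown above (with documentation-range addresses), the regular expression is an assumption based on that one format, and the exact behaviour at a boundary score is not documented on the page, so the classification treats a percentage equal to a boundary as belonging to the next action.

```python
import re

# Slider geometry from the article: scores below 500 are always Allowed,
# the slider covers 500..1000, so 1% of the slider equals 5 score points.
SLIDER_FLOOR = 500
POINTS_PER_PERCENT = 5
DEFAULT_SPLIT = (0, 20, 80)  # Allow%, Delay%, Reject% (the article's default)

# Constructed sample lines, modelled on the smg-smtp log line shown in the
# article; the addresses are documentation-range IPs, not real senders.
SAMPLE_LOG = """\
[140054362048256] 2020-10-07 00:10:58 (IPRP)<321927> IP address 203.0.113.10 delayed by IP reputation test with score of 500 (min 500)
[140054362048256] 2020-10-07 00:10:58 (IPRP)<321927> IP reputation located entry for address: 203.0.113.10
[140054362048256] 2020-10-07 00:10:58 (SMTP)<321927> Connection will be dropped
[140054362048256] 2020-10-07 00:11:02 (IPRP)<321930> IP address 198.51.100.7 delayed by IP reputation test with score of 760 (min 500)
[140054362048256] 2020-10-07 00:11:09 (IPRP)<321933> IP address 192.0.2.44 delayed by IP reputation test with score of 910 (min 500)
"""

# Assumed pattern: built from the one IPRP score message on the page. The
# wording of other IPRP messages (for example a reject) is not shown there.
SCORE_RE = re.compile(
    r"\(IPRP\)<\d+> IP address (?P<ip>\S+) \w+ by IP reputation test "
    r"with score of (?P<score>\d+) \(min (?P<min>\d+)\)"
)


def score_to_percent(score):
    """Normalize a real score (subtract 500) and divide by 5 -> slider %."""
    normalized = min(max(score - SLIDER_FLOOR, 0), 100 * POINTS_PER_PERCENT)
    return normalized / POINTS_PER_PERCENT


def slider_split(max_allow, max_delay):
    """Return (Allow%, Delay%, Reject%) for a slider that Allows scores up to
    max_allow and Delays scores up to max_delay; anything higher is Rejected."""
    allow = score_to_percent(max_allow)
    delay = score_to_percent(max_delay) - allow
    return allow, delay, 100 - allow - delay


def classify(score, split=DEFAULT_SPLIT):
    """Action taken for a score under a given slider split.
    Boundary handling is an assumption: a percentage equal to a boundary
    falls into the next (stricter) action."""
    allow, delay, _ = split
    if score < SLIDER_FLOOR:
        return "Allow"        # below the slider floor: always Allowed
    pct = score_to_percent(score)
    if pct < allow:
        return "Allow"
    if pct < allow + delay:
        return "Delay"        # tempfail
    return "Reject"           # hard fail


def parse_scores(log_text):
    """Extract {ip: score} from IPRP score lines in an smg-smtp or smg-scanner log."""
    scores = {}
    for line in log_text.splitlines():
        m = SCORE_RE.search(line)
        if m:
            scores[m.group("ip")] = int(m.group("score"))
    return scores


def simulate(log_text, split=DEFAULT_SPLIT):
    """Replay logged scores under a proposed split to preview the effect of
    moving the slider before changing it on the appliance."""
    return {ip: classify(score, split) for ip, score in parse_scores(log_text).items()}


if __name__ == "__main__":
    proposed = slider_split(750, 800)   # Allow up to 750, Delay 751-800, Reject above
    print("proposed split (Allow/Delay/Reject %):", proposed)
    for ip, score in parse_scores(SAMPLE_LOG).items():
        print(f"{ip:>14} score {score}: default={classify(score)}, "
              f"proposed={classify(score, proposed)}")
```

Run against a real smg-smtp log instead of SAMPLE_LOG, the simulate() output shows which senders that are currently delayed or rejected would have been allowed under the proposed split, which is the quickest way to check whether a slider change actually addresses the reported false positives without opening the door wider than intended.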
IP reputation can be enabled in two separate locations; it is not necessary to have both enabled. If whitelisting by domain is needed, it is recommended to enable it at the policy level only.


1) Organization / Policy Management | Policy scan configuration | Inbound Mail Filter Policy (or the name of the policy that handles inbound email).

Note: It is recommended to link it with the Spam Filter Group; that way, if a whitelist is already linked there, domains can be added to that list easily. If a separate whitelist that applies only to IP reputation is needed, do not add it to the Spam Filter Group.


2) Module Management | Interfaces | SMTP Interface Manager | SMTP Interface | Connection Drop services:

If whitelisting is needed, here are a couple of options:
