
We have a fair amount of email traffic. Recently, we had some suspicious email spoofing attacks, and a lot of users reported that outgoing emails were marked as spam and landed in the junk folder (reported by mail recipients). When we checked our mail reputation on talosintelligence.com, I found something interesting that I do not fully understand:

Another IP address is listed for our domain "mail-gw33.credit-suisse.com" which does not belong to us.

https://talosintelligence.com/reputation_center/lookup?search=mail-gw33.credit-suisse.com

In addition, I checked https://ipinfo.io/213.209.151.201 and it also points to our hostname.

I have the following questions:

  • What actually is the meaning of Hostname on talosintelligence.com? Does it mean the suspicious IP address 213.209.151.101 was reverse resolved by other mail relays/hosts? Or was it just sent as SMTP HELO?
  • If the IP address 213.209.151.101 was reverse resolved to mail-gw33.credit-suisse.com: how is this even possible? What comes to my mind: DNS hijacking, DNS poisoning
  • Does the number "LAST MONTH VOL." on talosintelligence.com mean that this amount of mail was sent successfully using the hostname mail-gw33.credit-suisse.com?
  • Can our reputation suffer from hijacking mail-gw33.credit-suisse.com?
  • How can we mitigate this in the future (e.g. use of DNSSEC for credit-suisse.com)?


  • "If the IP address 213.209.151.101 was reverse resolved to mail-gw33.credit-suisse.com: how is this even possible?" - reverse DNS is just setting up a PTR record by the owner of the IP address. Anything can be claimed here, no IP spoofing, DNS hijacking or DNS poisoning needed. Commented Mar 25, 2022 at 19:54

1 Answer


This would be from the HELO (or EHLO) string used to identify the sending mail server during the SMTP handshake. It's a decently free-form field and is not really vetted, which is why FCrDNS is used, but even that isn't a stellar signal.

As a solution, SPF provides a mechanism to note authorization and DMARC allows specifying a policy to block forgeries. Still, few people bother to configure SPF for their HELO checks, and DMARC far more commonly passes with DKIM and/or SPF's mail from check.

The poor reputation of the IP spoofing your domain shouldn't reflect on your IP, though setting up DMARC will make your domain's own reputation more robust against spoofing.

In addition, I checked https://ipinfo.io/213.209.151.201 and it also points to our hostname.

This is presumably populated by passive DNS (searchable DNS resolver logs), though my own pDNS view doesn't show this association. The IP in question does not have a PTR record (which is what populates rDNS) and the hostname in question resolves solely to your own IP (thus the mismatch).

Disclaimer: I am not representing Cisco Talos, who happens to be my employer.
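As an added example (not code from the question or the answer), the Python below shows the two checks the answer refers to, FCrDNS and an SPF evaluation of the HELO identity, run over a constructed DNS view instead of live lookups. The legitimate gateway address 192.0.2.33 and the SPF record are assumptions; 213.209.151.101 is given no PTR record, matching what the answer observes.

```python
"""FCrDNS and a minimal SPF-HELO check over a constructed DNS view (no network)."""
import ipaddress
from typing import Dict, List

# Constructed records, not real DNS data. 192.0.2.33 (RFC 5737 TEST-NET) is a
# placeholder for the gateway's real address; the SPF record is assumed.
LEGIT_IP = "192.0.2.33"
SPOOF_IP = "213.209.151.101"   # the IP from the question: no PTR entry below
HELO = "mail-gw33.credit-suisse.com"
DNS: Dict[str, List[str]] = {
    f"{HELO}. A": [LEGIT_IP],
    f"{ipaddress.ip_address(LEGIT_IP).reverse_pointer}. PTR": [f"{HELO}."],
    f"{HELO}. TXT": ["v=spf1 a -all"],
}

def lookup(name: str, rtype: str) -> List[str]:
    """Return the records of type rtype for name (names carry a trailing dot)."""
    return DNS.get(f"{name} {rtype}", [])

def fcrdns(ip: str, helo: str) -> dict:
    """Forward-confirmed rDNS: PTR of ip, then check the A records of each PTR name
    contain ip. Also report whether the HELO name is among the confirmed names."""
    ptr_names = lookup(ipaddress.ip_address(ip).reverse_pointer + ".", "PTR")
    confirmed = [n for n in ptr_names if ip in lookup(n, "A")]
    return {"ptr": ptr_names, "fcrdns": bool(confirmed),
            "helo_matches_ptr": f"{helo}." in confirmed}

def spf_helo(ip: str, helo: str) -> str:
    """Evaluate the HELO identity against the SPF record of the HELO domain.
    Supports the 'a', 'ip4:' and 'all' mechanisms with +, -, ~, ? qualifiers."""
    records = [t for t in lookup(f"{helo}.", "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"                      # no SPF record for the HELO domain
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in results:
            qual, term = term[0], term[1:]
        if term == "a":
            hit = ip in lookup(f"{helo}.", "A")
        elif term.startswith("ip4:"):
            hit = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            hit = True
        else:
            continue                       # unsupported mechanism: skipped here
        if hit:
            return results[qual]
    return "neutral"                       # no mechanism matched, default result
```

The legitimate gateway passes both checks, while a host presenting the same HELO name from 213.209.151.101 has no PTR, fails FCrDNS, and gets an SPF "fail" from the -all qualifier.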
