We have a fair amount of email traffic. Recently, we had some suspicious email spoofing attacks, and a lot of users reported that outgoing emails were marked as spam and landed in the junk folder (reported by mail recipients). When we checked our mail reputation on talosintelligence.com, I found something interesting that I do not fully understand:
Another IP address is listed for our domain "mail-gw33.credit-suisse.com" which does not belong to us.
https://talosintelligence.com/reputation_center/lookup?search=mail-gw33.credit-suisse.com
In addition, I checked https://ipinfo.io/213.209.151.201 and it also points to our hostname.
I have the following questions:
- What actually is the meaning of Hostname on talosintelligence.com? Does it mean the suspicious IP address 213.209.151.101 was reverse resolved by other mail relays/hosts? Or was it just sent as SMTP HELO?
- If the IP address 213.209.151.101 was reverse resolved to mail-gw33.credit-suisse.com: how is this even possible? What comes to mind: DNS hijacking, DNS poisoning.
- Does the number "LAST MONTH VOL." on talosintelligence.com mean that this number of mails was sent successfully using the hostname mail-gw33.credit-suisse.com?
- Can our reputation suffer from hijacking mail-gw33.credit-suisse.com?
- How can we mitigate this in future (e.g. use of DNSSEC for credit-suisse.com)?
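A worked illustration of the point behind the first two questions, added here as an example and not part of the original post: a PTR record is published by whoever controls the reverse zone for an IP range, so any name can appear there, while a forward-confirmed reverse DNS (FCrDNS) check only passes when the PTR name's own A/AAAA records resolve back to the same IP. The DNS answers below are constructed sample data (the 192.0.2.10 address and the forward record are hypothetical, and the PTR for 213.209.151.101 is taken from the question, not from a live lookup); the `live_ptr`/`live_a` helpers show how to run the same check against the real resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check with an offline sample resolver.

Added example (not from the original question). DNS data is constructed so the
script runs offline; pass live_ptr/live_a to fcrdns() to check a real host.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample zone data (hypothetical, not real DNS answers).
# The owner of the 213.209.151.0/24 reverse zone can publish ANY hostname in a
# PTR record, including someone else's. Nothing in the credit-suisse.com zone
# (DNSSEC-signed or not) prevents that; only the forward lookup exposes it.
SAMPLE_PTR: Dict[str, str] = {
    "213.209.151.101": "mail-gw33.credit-suisse.com",  # third-party IP claiming the name
    "192.0.2.10": "mail-gw33.credit-suisse.com",       # constructed legitimate relay
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail-gw33.credit-suisse.com": ["192.0.2.10"],     # constructed forward record
}


def sample_ptr(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed data."""
    return SAMPLE_PTR.get(ip)


def sample_a(name: str) -> List[str]:
    """Forward lookup against the constructed data."""
    return SAMPLE_A.get(name, [])


def live_ptr(ip: str) -> Optional[str]:
    """Reverse lookup via the system resolver (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(name: str) -> List[str]:
    """Forward lookup via the system resolver (needs network)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def fcrdns(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]] = sample_ptr,
    a_lookup: Callable[[str], List[str]] = sample_a,
) -> dict:
    """Classify a connecting IP the way a receiving MTA's FCrDNS test does.

    confirmed=True only when the PTR name's forward records contain the IP.
    A PTR alone says nothing about who controls the hostname it names.
    """
    ipaddress.ip_address(ip)  # reject malformed input early
    name = ptr_lookup(ip)
    if name is None:
        return {"ip": ip, "ptr": None, "forward": [], "confirmed": False,
                "reason": "no PTR record"}
    forward = a_lookup(name)
    confirmed = ip in forward
    reason = ("PTR name resolves back to this IP" if confirmed
              else "PTR name does not resolve back to this IP (unverified name)")
    return {"ip": ip, "ptr": name, "forward": forward,
            "confirmed": confirmed, "reason": reason}


if __name__ == "__main__":
    for addr in ("213.209.151.101", "192.0.2.10", "198.51.100.7"):
        print(fcrdns(addr))
```

In the constructed data both IPs carry the same PTR name, yet only 192.0.2.10 is confirmed, because the forward record for mail-gw33.credit-suisse.com points solely at it. That is the check a receiving mail server can apply; the domain owner's side of the mitigation (SPF, DKIM and DMARC publishing which senders may use the domain) is what lets recipients reject mail from an unconfirmed host that merely claims the name.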