Local ISPs passing IP address in headers blocked by PBL

Hey there, for the last month or so, I am seeing lots of mails blocked due to being on a PBL list. For instance this range is a Telus range, but I have seen it with Shaw as well.

https://www.spamhaus.org/pbl/query/PBL050380

The problem seems to be that the header contains an IP address that is on the PBL. I am not sure why this has recently become a problem, but I would say over the last two months I have had about 10 different users complain. I can search for the mailserver IP address and they are not blacklisted, but in order to figure out what's going on, I searched for some other IP addresses and kept finding the private DSL or cable IP address showing up and then getting blocked by Sophos. Examples:

So the problem is that the mail client is passing on this PBL range in the header, and then Sophos is acting on it. I need to prevent this happening by any means possible, short of whitelisting certain domains manually. In my opinion, I think many people would send emails from a home email address, so I can't imagine this filter ever being useful except to generate false positives. These address ranges already force you to use an ISP mailserver. They won't let you run a mail daemon on a home residential internet connection, so it's kind of a stupid rule as the home users would never be able to send spam out of it.

Anyone see anything similar? I see a post from 2015 but that's about it. It recommends that the people start authenticating using port 587 to get around it. But come on, am I supposed to tell Joe Random Blow who emails us that it's actually their problem and they have to reconfigure their own connection with their ISP? Well, I have had that conversation actually, and it ends up with "well you guys are the only ones I have problems emailing so it's obviously your fault".

If I figure out a workaround I will post back. Hoping someone else has seen this, even better if it's recent and someone can say wtf has changed, as 6 months ago it was not an issue. These are all being blocked by our XG firewall.

  •  Hi  

    Would you please let us know which particular product of Sophos you are using, PureMessage for Unix?

    If yes, please also provide information on this, like where you have applied PBL, what the architecture of your organization is, and which IP address is blacklisted. It is necessary as you have mentioned that it is being blocked by your XG.

  • In reply to Jasmin:

    It's the XG firewall.

    The PBL is applied as part of spamhaus ZEN blocklist which is marked as a premium blocklist.

  • In reply to Jasmin:

    Ah, this is my mistake. When I actually looked at the firewall logs, these were being blocked legitimately for being on a blacklist that was not the PBL.

    The problem was I was only looking at the headers, not the email log on the firewall, which showed the real IP address. I am used to the IP address of the sending mailserver being in the headers, but I think Telus does not send it that way.

    This is a non-problem; they are being blocked legitimately in 3 out of 4 cases I have heard back from. The 4th case I am sure is the same, they just have not gotten back to me yet.
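As an added example (not code from this thread, from Sophos, or from Spamhaus) illustrating the confusion in the original post and the resolution above: a message carries the home user's DSL address in an inner Received line, but the gateway's ZEN/PBL check applies only to the address that actually opened the SMTP session, which is the one the firewall log shows. The Received headers, hostnames and addresses below are constructed; OUR_HOSTS is an assumed list of the gateway's own hostnames.

```python
import ipaddress
import re

# Constructed headers (not from the thread): a home DSL client at
# 198.51.100.23 submits to its ISP's mailserver, which relays to our gateway.
RAW_HEADERS = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby xg.example.com with ESMTP; Tue, 2 Mar 2021 10:00:00 -0800
Received: from homepc (d198-51-100-23.dsl.example.net [198.51.100.23])
\tby mx.example.net (Postfix) with ESMTPA; Tue, 2 Mar 2021 09:59:58 -0800
From: joe@example.net
"""

OUR_HOSTS = {"xg.example.com"}  # hostnames we operate (assumed)
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)

def received_headers(raw):
    """Unfold and return Received header values, latest hop first."""
    folded = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and folded:
            folded[-1] += " " + line.strip()
        else:
            folded.append(line)
    return [h[len("Received:"):].strip() for h in folded
            if h.lower().startswith("received:")]

def header_ips(raw):
    """Every bracketed IPv4 address in the chain: what the poster saw."""
    return [ip for h in received_headers(raw) for ip in IP_IN_BRACKETS.findall(h)]

def connecting_ip(raw, our_hosts=OUR_HOSTS):
    """Address that opened the SMTP session to our gateway: the topmost
    Received line stamped 'by' one of our hosts. Only this address is
    what a PBL/ZEN check on the firewall is meant to test."""
    for h in received_headers(raw):
        by = BY_HOST.search(h)
        if by and by.group(1).lower() in our_hosts:
            ips = IP_IN_BRACKETS.findall(h)
            if ips:
                return ips[0]
    return None

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets and append the zone, as a DNSBL lookup requires."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone
```

Running header_ips on the sample returns both addresses, while connecting_ip returns only the ISP relay 203.0.113.10; looking up the inner DSL address is what made the PBL appear to be the cause.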

  • In reply to givemecontrol:

    Hi  

    Thank you for providing the details. You can post your queries related to XG firewall here.