False positive mail with RBL service

I get some mail from a customer, and the Sophos RBL marked it as spam. This customer has the problem with every recipient that has a Sophos firewall. I think he is blacklisted by Sophos. What can we do to delete him from the blacklist?

  • Hi Tomas,

    I read from your request that you want to remove the customer's IP from Sophos's RBL blacklist. I'm not 100% sure, but I believe that Sophos is using the RBL lists from Cyren. Check the reputation of the customer's IP on their site. Your customer, or you if you are allowed to speak on behalf of your customer, can report the customer's IP address as a false positive here. Cyren needs about 24-72 hours to update the list.

    You are also free to contact Sophos support if you are a Sophos customer and if the first step hasn't brought you any further, or if you need further assistance.

    Good luck to you, stay healthy!

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 18.0.3 MR-3
    Intercept X Advanced (for Server) with EDR EAP latest
    If a post solves your question use the 'Verify Answer' link

  • Hello Intrusus,
    thanks for your answer.
    Yes, you understood it right. I have checked the IPs on the Cyren website and all blacklists from MXToolbox, but the IP is not listed on any blacklist. Is there a possibility to find the reason in any log file, or is this a closed system from Sophos?

    I wish you the best and stay healthy too.

  • Hi Tomas,

    I found the RBL list details, excuse my stupidity.

    Go to PROTECT > Email > Address group:

    If you click on an entry, you can see all the lists that are used by all XGs by default, e.g. for the Standard RBL list:

    Try to do some research on the databases of these vendors:

    Regarding the Logfile:

    Check the smtpd_main.log

    1. Log in via SSH to the XG appliance where you want to test it
    2. Go to option 5. Device Management > 3. Advanced Shell
    3. Use tail -f /log/smtpd_main.log | grep <something you want to search for, e.g. RBL or the mail address>

    You should see something like this:

    If this does not work / does not provide details try it in debug mode:

    1. Execute: service smtpd:debug -ds nosync
       The reply should be: 200 OK
    2. Now capture log entries using tail -f /log/smtpd_main.log | grep <search string>
    3. NOTE: Turn off debug mode by executing the same debug command from step 1 again.

    Hope this helps!

    Intrusus
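Both answers above come down to the same check: query the customer's sending IP against the DNS-based blocklists (DNSBLs) that the XG's RBL address group uses, and see which one answers with a listing. The script below is an added example for this thread, not Sophos code and not a reproduction of the Standard RBL list; the two zone names in DNSBL_ZONES are assumptions for illustration and should be replaced with the zones shown under PROTECT > Email > Address group on your own appliance. It builds the reversed-octet query name, treats only an answer inside 127.0.0.0/8 as a listing (wildcard DNS or parked zones would otherwise look like hits), and accepts an injectable resolver so the logic can be exercised without network access.

```python
"""Check an IPv4 address against DNS-based blocklists (DNSBLs).

Added example for this forum thread; it is not Sophos code and does not
reproduce the exact lists behind the XG 'Standard RBL' address group.
"""
import ipaddress
import socket
import sys
from typing import Callable, Dict, List, Optional

# Assumed zones for illustration only. Take the real zone names from the
# RBL address group on your own XG (PROTECT > Email > Address group).
DNSBL_ZONES: List[str] = ["zen.spamhaus.org", "bl.spamcop.net"]

Resolver = Callable[[str], Optional[str]]


def reverse_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, zone appended.

    192.0.2.10 checked against zone.example becomes 10.2.0.192.zone.example.
    Raises ValueError for anything that is not a valid IPv4 address.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def gethostbyname_resolver(name: str) -> Optional[str]:
    """Default resolver: the A record for name, or None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve: Resolver = gethostbyname_resolver) -> Optional[str]:
    """Return the DNSBL answer code (an address in 127.0.0.0/8) if ip is listed in zone, else None.

    DNSBLs signal 'listed' by answering with a 127.x.y.z address whose low
    octets encode the reason. An answer outside 127.0.0.0/8 is not a
    listing (typically wildcard DNS on a dead zone) and is deliberately
    reported as None rather than as a hit.
    """
    answer = resolve(reverse_query_name(ip, zone))
    if answer is None:
        return None
    try:
        if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            return answer
    except ValueError:
        pass
    return None


def check_ip(ip: str, zones: List[str] = DNSBL_ZONES,
             resolve: Resolver = gethostbyname_resolver) -> Dict[str, Optional[str]]:
    """Map each zone to its listing code for ip, or None when not listed there."""
    return {zone: is_listed(ip, zone, resolve) for zone in zones}


if __name__ == "__main__":
    # 127.0.0.2 is the conventional DNSBL test address that lists answer positively for.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    for zone, code in check_ip(target).items():
        print(f"{zone}: {'LISTED ' + code if code else 'not listed'}")
```

Run it from a resolver you control: several list operators refuse queries relayed through large public resolvers and answer with an error code instead of a listing, which this script would correctly report as not listed but which tells you nothing about the IP. A hit in a zone that MXToolbox or the vendor site does not show is the clue to take to Sophos support together with the smtpd_main.log lines from the grep above.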