Cisco Support Community

What to do with lame .cn MTAs?

We need to receive mail from an unspecified and possibly quite wide range of Chinese IP addresses.

Judging by the domains I've been asked to check, our boxes are quite justified in dropping the connections. The MXs I'm tracing have all sorts of problems: missing or incorrect PTRs, Spamhaus PBL listings, and one is coming up as technically lame. These are of course just the receiving points; under the circumstances I strongly suspect the senders are using dynamic addresses. Yes, I realise that the next step is to try to establish as narrow a window as possible for one of the dropped connections, then wade through the connection log so I can confirm this suspicion.

My question to the group is to discover what other IronPort customers do in these circumstances.

The sheer number of connections we receive generally means we can't switch off reputation filtering; our boxes would collapse under the load. I can whitelist known problem ranges then depend on CASE and my content rules to hold the tsunami at bay, but my quarantines and off-box arrangements may well be overwhelmed even if the work queue doesn't over-extend as a result.

Is anyone aware of any general figures for (a) the size and range of addresses allocated to the PRC, and (b) the average volume of spam I might expect from that space?