Senderbase 2500% increase but can't find reflected in logs
Question asked by dave - August 21, 2015 at 7:47 PM
Hmmm.  Me be perplexed and need some other brain power.  We see occasional spikes in activity shown in senderbase for our mailserver (14.x).  Normally our mail server shows as 0.0 in email volume on Senderbase and this is expected given our low volume.  However, occasionally Senderbase will show a big increase like 2500%.
I have been poring over the smartermail logs, event logs, and sysmon logs (we are tracking sent/received port 25 and 465) and I can't find anything to explain a 2500% increase.  Even wrote a utility to break the smarter mail smtp log apart by IP, AuthFailed, Greylisted, InboundMail, IPBlocks, NoSuchUser, OutboundMail, SpamBlocked, and Unknown (if it doesn't fit one of the others).  The log data simply doesn't reflect these Senderbase increases.
I could go into a bunch of areas explaining our setup at this point but regardless of that it would show in the logs, right?
I'd be glad to provide more information and would love some other brain power to help me understand why Senderbase and the logs could be so different.
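The kind of log-bucketing utility dave describes, written out as an added example (this is not dave's script, nor SmarterMail's own tooling). The log lines and the substrings used to recognise each bucket are constructed assumptions for this example; SmarterMail's real log vocabulary may differ, so the marker table is the part to adjust. It tallies lines per category and per remote IP, then compares the OutboundMail count against a baseline so a Senderbase-style percentage jump can be checked against what the server actually logged.

```python
import re
from collections import Counter, defaultdict

# Buckets named in the post. The substrings that select each bucket are an
# ASSUMPTION for this example, not SmarterMail's actual log wording; edit them
# to match the log file being analysed. Order matters: first match wins.
CATEGORY_MARKERS = [
    ("AuthFailed",   "authentication failed"),
    ("Greylisted",   "greylist"),
    ("SpamBlocked",  "spam check failed"),
    ("IPBlocks",     "ip blocked"),
    ("NoSuchUser",   "no such user"),
    ("OutboundMail", "delivery to remote"),
    ("InboundMail",  "message accepted"),
]

# Assumed line layout: the remote IP appears in square brackets.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample log; documentation-range addresses only.
SAMPLE_LOG = """\
2015-08-21 09:01:02 [203.0.113.10] rsp: 250 message accepted for delivery
2015-08-21 09:01:05 [198.51.100.7] rsp: 535 Authentication failed
2015-08-21 09:02:11 [198.51.100.7] rsp: 535 Authentication failed
2015-08-21 09:03:00 [203.0.113.22] rsp: 451 Greylisted, please try again later
2015-08-21 09:04:30 [192.0.2.5] delivery to remote host mx.example.net succeeded
2015-08-21 09:05:00 [192.0.2.5] delivery to remote host mx.example.org succeeded
2015-08-21 09:06:45 [198.51.100.99] rsp: 550 No such user here
2015-08-21 09:07:10 [203.0.113.50] rsp: 554 Spam check failed, message rejected
2015-08-21 09:08:00 [203.0.113.51] rsp: 554 IP blocked by blacklist
2015-08-21 09:09:00 [203.0.113.10] something the parser does not recognise
"""


def categorize(line):
    """Return the bucket name for one log line, or 'Unknown' if none match."""
    lower = line.lower()
    for name, marker in CATEGORY_MARKERS:
        if marker in lower:
            return name
    return "Unknown"


def remote_ip(line):
    """Extract the bracketed remote IP, or 'unknown' if the line has none."""
    m = IP_RE.search(line)
    return m.group(1) if m else "unknown"


def summarize(lines):
    """Count lines per category and per (IP, category); blank lines are skipped."""
    by_category = Counter()
    by_ip = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        cat = categorize(line)
        by_category[cat] += 1
        by_ip[remote_ip(line)][cat] += 1
    return by_category, by_ip


def percent_change(current, baseline):
    """Percentage change from baseline; a zero baseline with traffic is infinite."""
    if baseline == 0:
        return float("inf") if current else 0.0
    return (current - baseline) / baseline * 100.0


def outbound_spike(by_category, baseline_outbound, threshold_pct=2500.0):
    """Flag whether logged outbound volume rose by at least threshold_pct."""
    change = percent_change(by_category.get("OutboundMail", 0), baseline_outbound)
    return change >= threshold_pct, change


if __name__ == "__main__":
    cats, ips = summarize(SAMPLE_LOG.splitlines())
    for name, count in sorted(cats.items()):
        print(f"{name:13s} {count}")
    for ip, counts in sorted(ips.items()):
        print(ip, dict(counts))
    flagged, pct = outbound_spike(cats, baseline_outbound=2)
    print("outbound spike:", flagged, f"({pct:.0f}% vs baseline)")
```

Running it over a day's log with the previous week's typical OutboundMail count as the baseline answers the question in the post directly: if the server's own outbound tally shows no jump while the reputation service reports one, the extra volume was not logged by this server, which points at the reporting side (or at mail forged to appear from the address) rather than at the host.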

3 Replies

Joe Wolf Replied
August 23, 2015 at 10:29 AM
Well it seems you've done your homework and it's probably a senderbase error.  The first thought that came to mind was some kind of virus or spyware on the server dumping out messages that SmarterMail wouldn't know about, but if sysmon shows that only SmarterMail is using port 25 then that's probably not the case unless someone has come up with a way to hide that activity.  
I'd mark it up to a senderbase issue.  It's also possible that some third party is spoofing your IP Address, but if they're doing that there's not much you can do about it.
Scarab Replied
August 24, 2015 at 10:10 AM
Senderbase conglomerates data from its users/partners based upon headers for received emails. We have had an IP in one of our Class C CIDR ranges that is definitely not in use (for the past 5 or 6 years now...it was previously assigned to a co-lo server we hosted) show activity for 5 days every month for the past year and tore our hair out checking, double-checking, triple-checking every possibility. Turns out it is an IP that is being used by Spoofed Spam in forged headers. Since there is no rDNS for this IP most recipients should be rejecting it, so it doesn't hurt us any...but it did waste 40 or so hours of spare time trying to track it down on our side before we were confident it absolutely-positively wasn't actually coming from us.

Moral of the story: Senderbase isn't always accurate. I check our ranges weekly for any abnormalities, just to be sure, but if there is an abnormality and you can't find the source on your network and your bandwidth monitors aren't showing corresponding outbound activity, then don't lose any sleep over it.
Bruce Barnes Replied
August 24, 2015 at 1:40 PM
40+ hours is not "spare time!"
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
