
Threat Intelligence

This article examines the Threat Intelligence feature of MxToolbox's Delivery Center.

Threat Intelligence identifies threats to your mail delivery, whether that is because IPs for your mail system(s) have been identified as a threat or due to outside actors who are trying to send mail using your domain. MxToolbox uses a proprietary formula that combines external and internal methods to identify threats and judge their severity. An identified threat is then marked in your console.

If you have Delivery Center Premium, simply click here for your Threat Intelligence console.

If you want to upgrade, you can select the Threat Intelligence header noted below for more information.

(Screenshot: the Threat Intelligence header in the Delivery Center console)

The Two Types of Threats

IPs You Send Email From

The most critical problem you can have is for your own IPs to show up as a threat. This might happen because of something you have done, but it is more common if you use a system that has shared IPs or you are assigned an IP that was used by someone else in the past. If you find your IPs listed as a threat, you should evaluate your mail system to ensure it is secure and not sending unwanted or unsolicited messages. There are questions you can ask and steps you can take to start the process of tracking down a problem or confirming that your server is secure.

If it is a third-party service such as Google GSuite, Office 365, or a mass mailer such as Mailgun, you can be reasonably confident that if you were sending spam, they would have stopped it and alerted you.

If this is an internal system, you should check the following:

  1. How long have you had the IP(s)? New IPs might have leftover reputation problems. In many cases, time is the great healer, but if you have had the IPs for an extended period and they show up as a threat, there is likely something going on.
  2. You should also use our SMTP test tool to make sure your mail server is locked down and does not allow for relay.
  3. Most mail servers have an outgoing email log that should be your first stop. Run a search and if you see mail you do not recognize as legitimate, either your server has been compromised or you have a user with a compromised machine.
  4. Stop the problem. If you have a problem, it might be painful to shut down your email, but letting spam go out from your server is going to be more damaging in the long run. The effect on your reputation is much more difficult to clean up than dealing with irate people in the office. You can block port 25/465 (outbound) to stop outgoing email traffic, and most modern mail servers have a queuing mechanism that will send all of the held messages when you re-enable it.
  5. Run your security software, such as virus scans, not just on your server but on your users' machines as well. A compromised machine could be sending mail through an email client and the user would never know.
  6. It is possible that spam does not show up in your logs. You might want to run something like Wireshark or another packet analyzer to check port 25 traffic.
  7. Change everyone's password. There is a good chance someone is using a password of "password" or "12345".
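As an added example (not MxToolbox's code) of step 3 above, the script below summarizes an outbound mail log per envelope sender and flags senders whose domain is not yours or whose recipient volume is unusually high, which is what a compromised account or an open relay typically looks like. The log format is a constructed Postfix-like one and the volume threshold is an assumption; adjust both to your server.

```python
import re
from collections import defaultdict

# Constructed sample lines in a Postfix-like format (assumed, not from the
# article). Each line records an outbound message's envelope sender and the
# number of recipients it was queued for.
SAMPLE_LOG = """\
Jun 10 09:01:12 mx postfix/qmgr[812]: 1A2B3C: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Jun 10 09:02:40 mx postfix/qmgr[812]: 4D5E6F: from=<bob@example.com>, size=1024, nrcpt=2 (queue active)
Jun 10 09:03:05 mx postfix/qmgr[812]: 7G8H9I: from=<promo@lottery-win.test>, size=9000, nrcpt=250 (queue active)
Jun 10 09:03:06 mx postfix/qmgr[812]: 0J1K2L: from=<alice@example.com>, size=1800, nrcpt=180 (queue active)
"""

LINE_RE = re.compile(r"from=<(?P<sender>[^>]*)>,.*?nrcpt=(?P<nrcpt>\d+)")


def summarize_outbound(log_text):
    """Return {envelope sender: total recipients} from the queue log."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            totals[m.group("sender")] += int(m.group("nrcpt"))
    return dict(totals)


def flag_suspicious(totals, our_domains, max_recipients=100):
    """Flag senders outside our domains (possible relay abuse or forged
    envelope) or above the per-sender recipient budget (possible
    compromised account sending bulk mail). Threshold is an assumption."""
    findings = []
    for sender, count in sorted(totals.items()):
        domain = sender.rpartition("@")[2].lower()
        reasons = []
        if domain not in our_domains:
            reasons.append("sender domain not ours")
        if count > max_recipients:
            reasons.append(f"{count} recipients > {max_recipients}")
        if reasons:
            findings.append((sender, reasons))
    return findings


if __name__ == "__main__":
    for sender, reasons in flag_suspicious(summarize_outbound(SAMPLE_LOG), {"example.com"}):
        print(f"INVESTIGATE {sender}: {'; '.join(reasons)}")
```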

Once you have resolved the problem or have identified that the IPs are considered a threat because of something that happened before you took control of them, you can start the cleanup process.

Outside Threats

These threats are not on your email system. Instead, they are other people who have set up an email server and tried to use your domain name. The threats MxToolbox identifies are systems that have been sending out spam, forging domain names, attempting to use malware, and other dangerous acts intended to defraud, steal, or wreak havoc on computer systems.

The actual servers are often out of reach and even if you report them, it is like playing whack-a-mole. That is why the technologies of DMARC, DKIM, and SPF are so important. Instead of trying to shut down all of the bad actors, you want to ensure that your email security options are enabled and operating properly. This is why we strongly suggest a 100% reject DMARC policy be adopted.

Threats, Forwarders, Verified, and Other

The page is separated into tabs for different types of analysis.

  • Threats shows everything we identified as a threat.
  • Forwarders are email systems that show as coming from your domain, but are not from your mail servers. This can happen when someone forwards your message.
  • Verified includes your Verified Sources, which you have identified as mail systems that send your email.
  • Other includes IPs for which we are missing some information, IPs we are not sure forwarded the message, and anything else that does not fall under the other three (3) categories.
  • All is a comprehensive list of every record found by MxToolbox for the above categories.

Use the provided text field to search/filter specific records while reviewing each tab.

The Data

You will see several columns here, with even more hidden by default. Clicking the eyeball icon next to an IP will show you all of the available data we gathered for it. You can see a great deal of information that would allow you to draw some conclusions about an IP and learn more about it.

For example, you could use the ASName to find out who owns the block of IPs and get an idea of whether it is yours. You can check the DKIM, SPF, and DMARC compliance levels of the IP and combine that intel with the PTR record to get a pretty good idea of whether the IP is yours and what system it belongs to.

Here is a list of all of the data fields we have for an IP address:

Threat Info

  • Is Threat
  • Date
  • Score
  • Volume
  • ThreatVolume
  • ThreatRate
  • PTR
  • BlacklistCount
  • BlacklistNames

Sender Info

  • IPAddress
  • ASName
  • ASNumber
  • FlagURL
  • Geo
  • OESPublicName
  • OESUnknown

DMARC Info

  • ComplianceRate
  • DMARCCompliant
  • DMARCNonCompliant
  • ForwarderRate
  • ForwarderVolume
  • PolicyOverrideType
  • PolicyOverrideComment

SPF Info

  • SPFPass
  • SPFFail
  • SPFPassRate
  • SPFAligned
  • SPFAlignedRate
  • PolicySPF
  • PolicySPFRate

DKIM Info

  • DKIMPass
  • DKIMFail
  • DKIMPassRate
  • DKIMAligned
  • DKIMAlignedRate
  • PolicyDKIM
  • PolicyDKIMRate

Other Info

  • VerifiedVolume
  • VerifiedRate
  • Unauthenticated
  • UnauthenticatedRate
  • UncategorizedVolume
  • UncategorizedVolumeRate
  • ReverseSPFCount
  • ReverseSPFTopDomain
  • ReverseSPFTopMechanismCount
  • ReverseSPFTopCIDR
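The added example below (not MxToolbox's code; its scoring formula is proprietary and not reproduced) works through the tab categories and the ownership reasoning from the sections above on constructed records that use the field names listed here. It sorts records into the Threats, Verified, Forwarders and Other tabs, then splits the threats into ones that look like your own IPs (fix your mail system) and outside threats (rely on SPF, DKIM and a DMARC reject policy). The thresholds and the org-name tokens are assumptions.

```python
# Constructed records keyed by the field names listed above. Values, and the
# thresholds in tab_for() and looks_like_ours(), are assumptions for
# illustration only.
RECORDS = [
    {"IPAddress": "203.0.113.10", "IsThreat": True, "BlacklistCount": 4,
     "ASName": "EXAMPLE-CORP-NET", "PTR": "mail1.example.com", "VerifiedVolume": 0,
     "ForwarderRate": 0.0, "SPFAlignedRate": 0.98, "DKIMAlignedRate": 0.97},
    {"IPAddress": "198.51.100.7", "IsThreat": True, "BlacklistCount": 9,
     "ASName": "BULLETPROOF-ISP", "PTR": "", "VerifiedVolume": 0,
     "ForwarderRate": 0.0, "SPFAlignedRate": 0.0, "DKIMAlignedRate": 0.0},
    {"IPAddress": "192.0.2.25", "IsThreat": False, "BlacklistCount": 0,
     "ASName": "EXAMPLE-CORP-NET", "PTR": "mail2.example.com", "VerifiedVolume": 5000,
     "ForwarderRate": 0.0, "SPFAlignedRate": 1.0, "DKIMAlignedRate": 1.0},
    {"IPAddress": "192.0.2.200", "IsThreat": False, "BlacklistCount": 0,
     "ASName": "SOME-UNIVERSITY", "PTR": "relay.univ.example", "VerifiedVolume": 0,
     "ForwarderRate": 0.9, "SPFAlignedRate": 0.0, "DKIMAlignedRate": 0.95},
]


def tab_for(rec):
    """Place a record in the tab the article describes (thresholds assumed)."""
    if rec["IsThreat"]:
        return "Threats"
    if rec["VerifiedVolume"] > 0:      # a Verified Source you declared
        return "Verified"
    if rec["ForwarderRate"] >= 0.5:    # mostly forwarded copies of your mail
        return "Forwarders"
    return "Other"


def looks_like_ours(rec, org_tokens, align_threshold=0.9):
    """Ownership heuristic: ASName or PTR names your org, or SPF/DKIM
    alignment is high (forged mail from outside rarely aligns)."""
    names = (rec["ASName"] + " " + rec["PTR"]).lower()
    named = any(tok in names for tok in org_tokens)
    aligned = max(rec["SPFAlignedRate"], rec["DKIMAlignedRate"]) >= align_threshold
    return named or aligned


def triage(records, org_tokens):
    """Split Threats into 'ours' vs 'outside'; report the tab for the rest."""
    out = {"ours": [], "outside": [], "other_tabs": {}}
    for rec in records:
        tab = tab_for(rec)
        if tab == "Threats":
            bucket = "ours" if looks_like_ours(rec, org_tokens) else "outside"
            out[bucket].append(rec["IPAddress"])
        else:
            out["other_tabs"][rec["IPAddress"]] = tab
    return out
```

An IP in the "ours" list is the critical case from the first section; an IP in "outside" is the whack-a-mole case, where a reject DMARC policy does the work for you.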