Summary
Unfamiliar IP addresses in PMT can stem from various sources: unauthorized SaaS usage, internal mail server changes, SES instances, infrastructure/reputation problems, blacklisting, Cloudflare's reverse proxy, AWS/Azure/Google services, VPN/proxy usage, network intrusions, misconfigurations, malware, or unauthorized devices. Investigation involves checking DMARC reports, reputation tools, DNS records, blacklist listings, service-specific logs (CloudTrail, Activity Logs, audit logs), WHOIS data, threat intelligence databases, and firewall/router logs.
Key findings
- SaaS/Internal Changes: SaaS authentication, mail server changes, SES instances introduce unfamiliar IPs.
- Infrastructure/Reputation: Unfamiliar IPs can signal infrastructure problems and affect deliverability.
- Blacklisting: Mail servers listed on blocklists due to malware/spamming lead to unfamiliar IPs.
- Cloud Services: Cloudflare proxy masks IPs; AWS/Azure/Google services introduce their own IPs.
- Network Issues: Intrusions, misconfigurations, malware, piggybacking can cause unfamiliar IPs.
Key considerations
- DMARC & Reputation: Check DMARC reports and use reputation tools to identify email abuse.
- DNS & Blacklists: Verify DNS records and monitor blacklists for potential delivery issues.
- Service Logs: Check AWS CloudTrail, Azure Activity Logs, and Google Workspace audit logs.
- Security Measures: Run anti-malware scans, change passwords, enable 2FA, and update security settings.
- Network Monitoring: Use NetFlow, check firewall/router logs, and implement intrusion detection systems.
What email marketers say
9 marketer opinions
Unfamiliar IP addresses appearing in PMT (potentially referring to a platform monitoring tool) can stem from various sources, ranging from legitimate network configurations to malicious activities. These include shared hosting or CDN usage, cloud services and third-party applications, forgotten SMTP connectors, misconfigured or compromised networks, and even unauthorized access. Investigation typically involves identifying the IP's owner, checking their reputation against threat intelligence databases, analyzing network traffic, and reviewing security configurations.
Key opinions
- Legitimate Sources: Unfamiliar IPs can arise from shared hosting, CDNs, cloud services, authorized third-party applications, or changes in internal mail server configurations. These scenarios necessitate verifying the IP's legitimacy and authorization.
- Network Issues: They may signify network intrusion, misconfiguration, malware infections, unauthorized devices, or neighbors piggybacking on a Wi-Fi network. Thorough scans, password changes, and updated security settings are crucial.
- PMT Inaccuracies: It's possible PMT is providing incorrect data. A forgotten SMTP connector suddenly reaching a reporting threshold could also trigger the appearance of unusual IPs.
- Potential Attacks: The IPs could be associated with domains registered using privacy services, and forward/reverse DNS lookups may not match, indicating potential spoofing or attacks against customers.
- DNS and WHOIS: DNS lookups, reverse DNS lookups, and WHOIS data are vital for identifying the IP owner, geographical location, and purpose.
Key considerations
- Verification Tools: Employ `whois` lookups, reverse DNS lookups, and DNS investigation tools to determine ownership and legitimacy.
- Security Measures: Run system scans with antivirus software, change passwords, enable two-factor authentication, update network security, and consider network segmentation and intrusion detection systems.
- Log Analysis: Check firewall logs, router logs, CloudTrail logs (AWS), Azure Activity Logs (Microsoft), and Google Workspace audit logs for unusual activity and unauthorized access.
- Reputation Checks: Check the IP reputation against threat intelligence databases and blacklist monitors to identify known malicious activity.
- Network Monitoring: Implement network monitoring tools to track traffic patterns and identify anomalies.
- DMARC Reports: Ensure access to DMARC reports to detect potential email spoofing or phishing attacks.
Marketer view
Email marketer from Reddit suggests unfamiliar IP addresses might indicate unauthorized access or a compromised network. The first step is to run a full system scan with updated antivirus software, followed by changing all passwords and enabling two-factor authentication where possible. It's also crucial to monitor network traffic for any unusual activity and consult with a network security professional if the issue persists. [https://www.reddit.com/r/techsupport/comments/17hxdsd/strange_ip_address_on_my_network/]
19 Jan 2025 - Reddit
Marketer view
Email marketer from Cybersecurity Forum responds that detecting unfamiliar IP addresses in network logs requires a comprehensive investigation. Initial steps involve checking the IP's reputation against threat intelligence databases to identify any known malicious activity. Implementing network monitoring tools to track traffic patterns and detect anomalies can help reveal if the IP is part of a larger attack. [https://cybersecurity.stackexchange.com/questions/5432/how-to-determine-if-an-unknown-ip-address-is-malicious]
20 Jul 2021 - Cybersecurity Forum
What the experts say
3 expert opinions
Unfamiliar IP addresses appearing in PMT may indicate various issues, including unauthorized SaaS usage, internal mail server changes, use of SES instances, problems with email infrastructure or sender reputation, or blacklisting of mail servers. Investigation steps include checking DMARC reports, sender reputation tools (like Sender Score and Google Postmaster Tools), verifying DNS records (SPF, DKIM, DMARC), identifying blacklist listings, contacting security/abuse teams, and reviewing sending practices.
Key opinions
- Unauthorized Usage: SaaS products using the same domain, SES instances spun up without authorization, or internal mail server movements can lead to unexpected IPs.
- Reputation Issues: Unfamiliar IPs may signify problems with email infrastructure or sender reputation, leading to deliverability issues.
- Blacklisting: Mail servers being listed on blocklists due to various issues (malware, spam) can cause unfamiliar IPs to appear.
- Snowshoe Spam: A high number of IPs could suggest a snowshoe spamming technique being used against you.
Key considerations
- DMARC Reports: Regularly check DMARC reports for signs of domain abuse and unauthorized sending.
- Sender Reputation: Monitor sender reputation using tools like Sender Score and Google Postmaster Tools to identify deliverability problems.
- DNS Verification: Verify DNS records (SPF, DKIM, DMARC) are correctly configured to authenticate your email.
- Blacklist Monitoring: Use multi-RBL lookup tools to identify if your IPs are listed on any blacklists.
- Security Consultation: Contact security and abuse teams to investigate traffic patterns and potential security breaches.
- Sending Practices: Review your sending practices to identify potential causes of reputation damage and implement preventative measures like rate limiting and outbound filtering.
Expert view
Expert from Email Geeks suggests that someone in the company might be using a SaaS product and authenticating with the same domain, or that the company moved internal mail servers. They also guess that someone might have spun up an SES instance for some emails. They advise checking DMARC reports and contacting security to check traffic out of those IPs. Laura believes it looks like snowshoe domains, and to call security and talk to the abuse team who have more tools.
19 Apr 2024 - Email Geeks
Expert view
Expert from Spam Resource shares that unfamiliar IP addresses could be appearing due to your mail server being listed on a blocklist. Initial steps involve identifying which blacklists the IPs are listed on using multi-RBL lookup tools. Review the blacklist's policies for delisting instructions, and address the underlying issues that caused the listing, such as malware infections or spamming activity. Implement preventative measures, like rate limiting and outbound filtering, to avoid future listings. [https://www.spamresource.com/2010/05/how-to-get-off-email-blacklist.html]
8 Jul 2021 - Spam Resource
What the documentation says
5 technical articles
Unfamiliar IP addresses appearing in PMT can be attributed to various factors, particularly the use of cloud services, VPNs, or reverse proxies. Cloudflare's reverse proxy can mask visitor IPs, while AWS and Azure services may introduce unfamiliar IPs due to resources within their respective infrastructures. Google Workspace users accessing services through VPNs or proxies can also cause this. Investigating involves checking service-specific logs (Cloudflare IP Geolocation, AWS CloudTrail, Azure Activity Logs, Google Workspace audit logs) and monitoring network traffic using tools like NetFlow (Cisco), as well as implementing security policies and access controls.
Key findings
- Cloudflare Proxying: Cloudflare's reverse proxy replaces visitor IPs with Cloudflare IPs. Original IPs must be restored using IP Geolocation features.
- AWS Services: Use of AWS services and resources introduces AWS IPs. Check AWS CloudTrail logs for service associations and unauthorized API calls.
- Azure Services: Use of Azure services and resources introduces Azure IPs. Review Azure Activity Logs and ensure Network Security Groups (NSGs) are properly configured.
- VPN/Proxy Usage: Users accessing Google Workspace through VPNs or proxies will show VPN/proxy IPs. Check Google Workspace audit logs for user associations.
- Network Monitoring: Tools like NetFlow can help identify unfamiliar IP addresses and their communication patterns within a network.
Key considerations
- Cloudflare IP Restoration: Implement Cloudflare's IP Geolocation or similar methods to log the original visitor IPs.
- AWS Log Analysis: Regularly audit AWS resources and IAM policies and check AWS CloudTrail logs for any unauthorized activity.
- Azure Log Analysis: Review Azure Activity Logs to identify the resources associated with unfamiliar IPs and any suspicious activities. Configure NSGs to restrict unauthorized access.
- Google Workspace Auditing: Check Google Workspace audit logs to see which users are associated with the IPs and whether there have been any unusual login attempts. Implement multi-factor authentication and IP whitelisting.
- Network Security: Implement security policies, access control lists (ACLs), and regularly update firmware on network devices to patch vulnerabilities.
Technical article
Documentation from Cloudflare Support explains that unfamiliar IP addresses in logs can result from Cloudflare's reverse proxy. Since Cloudflare acts as an intermediary, the origin server will see Cloudflare's IPs instead of the actual visitor IPs. To see the original visitor IPs, you need to implement Cloudflare's IP Geolocation or similar methods. [https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs-logging-visitor-IP-addresses]
29 Dec 2024 - Cloudflare
Technical article
Documentation from Microsoft Azure Documentation says unfamiliar IP addresses may be due to Azure services or resources being used. Review Azure Activity Logs to identify which resources are associated with these IPs and if there are any suspicious activities. Ensure that Network Security Groups (NSGs) are properly configured to restrict unauthorized access. [https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log]
1 May 2024 - Microsoft Azure
