ASA Botnet Blocking email

Unanswered Question
Aug 26th, 2010

I have a customer that has the botnet filter installed. They were having issues sending email to one of their partners, because the botnet filter was classifying this site as very high malware. I checked SenderBase and their reputation is good. How do you check a domain on the Cisco Security Intelligence Operations site? How do you report a misclassification of a domain? How do you go about getting removed from the list?

Thank You

Patrick Weir

Scott Nishimura Thu, 08/26/2010 - 11:06

Hi Patrick,

You can check from within the ASA to see if it's showing up in the DB or not.

You can use the following command:

dynamic-filter database find X

X= the site name

I would suggest doing both the host name and the IP. This can determine if it's a grey entry or not.
If you find an entry, it's a blacklisted entry. Grey entries basically mean that the name was not
detected to have malicious software but the IP that the name resolved to has a site that does.

Another check that can be done is:     x=url


If it does show up in the database as flagged, then the immediate solution is to add the site to the white list. The DB is maintained by IronPort.
Hope this helps a bit.


Scott Nishimura Thu, 08/26/2010 - 11:22

Hi Patrick,

Just to further clarify, the DB that the botnet uses is not one DB but multiple ones, including SenderBase along with other DBs available like and the one mentioned in my previous message.

The correct way to get around false positives would be to put the entry into the white list. As for getting it removed, you would have to open up a TAC case on that. There is a reason for it being on the list if it is getting listed as black or grey.

Let us know what it's showing on the various sites as well as what the find command is showing on your ASA.
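As an added illustration that is not part of this thread, here is how the two steps Scott describes (checking the database for both the name and the resolved IP, then adding the legitimate host to the white list) look at the ASA CLI. The hostname is the one from Patrick's output; the domain and address are constructed placeholders, and the command syntax is the ASA Botnet Traffic Filter CLI as I know it, not something quoted from the thread.

```cisco
! Constructed example: mail.partner.example and 192.0.2.25 are placeholders.
! Step 1: look the partner's mail host up in the botnet filter database by
! name and by its resolved address. A hit on the IP but not on the name
! points at a grey entry (another site on that address was flagged).
ISC-ASA# dynamic-filter database find mail.partner.example
ISC-ASA# dynamic-filter database find 192.0.2.25

! Step 2: if the legitimate host is flagged, exempt it locally while the
! listing is disputed with TAC. Static whitelist entries take precedence
! over the downloaded dynamic database.
ISC-ASA# configure terminal
ISC-ASA(config)# dynamic-filter whitelist
ISC-ASA(config-llist)# name mail.partner.example
ISC-ASA(config-llist)# address 192.0.2.25 255.255.255.255
ISC-ASA(config-llist)# exit
ISC-ASA(config)# write memory

! Step 3: confirm the exemption and watch the per-site drop counters that
! Patrick saw in the GUI report from the CLI.
ISC-ASA# show running-config dynamic-filter
ISC-ASA# show dynamic-filter reports top malware-sites
```

Keep the whitelist entry narrow (one host, /32 mask) so the exemption does not also cover other sites the same hosting provider serves from that address space.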



Patrick Weir Thu, 08/26/2010 - 11:40

Scott, thanks for the answer. We did white list it, and that resolved the problem. So when a site gets listed in the blacklist, is it per subnet, per domain, or per host? For example, this is an email server that is being hosted by a 3rd party; if this same 3rd party is hosting a webserver (that is sending malware) belonging to a different company but in the same address space, would the whole subnet get blacklisted or just the one webserver?


Pat Weir

Scott Nishimura Thu, 08/26/2010 - 12:02

Hi Patrick,

Depending on whether the find command is showing black on the name or the IP, it can determine if it's a grey or black list. It's possible that the same IP, if the web server is hosting multiple sites, can be classified as malware and affect all of them.

It wouldn't really block based on the subnet, but more on the name and the IP associated with it.

What did the find command show for your particular site?


Patrick Weir Thu, 08/26/2010 - 12:04

It's a customer of mine; I need him to run it. I'll post what he sends me.

Patrick Weir Thu, 08/26/2010 - 12:30

ISC-ASA# dynamic-filter database find

Found 0 matches

Is this because it's in the whitelist?

Scott Nishimura Thu, 08/26/2010 - 12:54

Hi Patrick,

No, the white list shouldn't matter on the DB lookup. Can you resolve the IP of your site and then run the find command against the IP and let me know what it says?



Patrick Weir Thu, 08/26/2010 - 13:43

Scott, I will not be able to get this today, but from the GUI report this morning it looks like it resolved it just


It had (xx.xx.xx.xx) port 25 LOGGED 420 dropped 420 very high malware

Thanks again


Scott Nishimura Thu, 08/26/2010 - 15:05

Hi Patrick,

Sounds good. Let me know the reporting based on the IP with the find command. It's looking like maybe it's grey listed.



