ASA Botnet Blocking email

Patrick Weir
Level 1

I have a customer that has the botnet filter installed. They were having issues sending email to one of their partners, because the botnet filter was classifying this site as very high malware. I checked SenderBase and their reputation is good. How do you check a domain on the Cisco Security Intelligence Operations site? How do you report a misclassification of a domain? How do you go about getting removed from the list?

Thank You

Patrick Weir

10 Replies

Scott Nishimura
Cisco Employee

Hi Patrick,

You can check from within the ASA to see if it's showing up in the DB or not.

You can use the following command:

dynamic-filter database find X

X = the site name

I would suggest doing both the host name and the IP. This can determine if it's a grey entry or not.
If you find an entry, it's a blacklisted entry. Grey entries are basically that the name was not
detected to have malicious software but the IP that the name resolved to has a site that does.

Another check that can be done is:

http://www.siteadvisor.com/sites/X     (X = URL)

example:

http://www.siteadvisor.com/sites/yahoo.com

If it does show up in the database as flagged, then the immediate solution is to add the site to the white list. The DB is maintained by IronPort.
Hope this helps a bit.

-scott

Hi Patrick,

Just to further clarify, the DB that the botnet filter uses is not one DB but multiple ones, including SenderBase along with other DBs available like http://www.threatexpert.com/ and the one mentioned in my previous message.

The correct way to get around false positives would be to put the entry into the white list. As for getting it removed, you would have to open up a TAC case on that. There is a reason for it being on the list if it is getting listed as black or grey.

Let us know what it's showing on the various sites as well as what the find command is showing on your ASA.

thanks,

scott

Scott, thanks for the answer. We did white list it, and that resolved the problem. So when a site gets listed in the blacklist, is it per subnet, per domain, or per host? An example: this is an email server that is being hosted by a 3rd party. If this same 3rd party is hosting a webserver (that is sending malware) belonging to a different company but in the same address space, would the whole subnet get blacklisted or just the one webserver?

Thanks

Pat Weir

Hi Patrick,

Depending on whether the find command is showing black on the name or the IP, it can determine if it's a grey or black list. It's possible that the same IP, if the web server is hosting multiple sites, can be classified as malware and affect all of them.

It wouldn't really block based on the subnet, but more on the name and the IP associated with it.

What did the find command show for your particular site?

-scott
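Scott's two-step check above (run `dynamic-filter database find` against the host name, then against the IP it resolves to) and his reading of the result (a hit on the name is a blacklist entry, a hit only on the IP is a grey entry) can be turned into a small triage helper. The following Python is an added example written for this thread, not Cisco's or the ASA's own code. It takes the raw text of both lookups as input; the only output format taken from the thread is the "Found N matches" summary line, while the per-entry lines above it and the sample outputs are constructed assumptions.

```python
import re

# Summary line as it appears in the thread ("Found 0 matches"). Per-entry lines
# that the ASA may print above it are an assumption and are simply ignored.
_FOUND_RE = re.compile(r"^Found\s+(\d+)\s+match(?:es)?\s*$", re.MULTILINE)

# Recommended follow-up, taken from Scott's replies in this thread.
ADVICE = {
    "blacklisted": "name itself is listed: white list as a workaround, open a TAC case for removal",
    "greylisted": "only the resolved IP is listed (shared hosting); white list the host, check co-hosted sites",
    "not listed": "neither name nor IP is in the DB; check the GUI report classification and re-resolve the IP",
}


def count_matches(find_output: str) -> int:
    """Return N from the 'Found N matches' line of a `dynamic-filter database find` paste.

    Raises ValueError when the paste has no summary line, so a truncated copy
    is never silently treated as 'no matches'.
    """
    m = _FOUND_RE.search(find_output)
    if m is None:
        raise ValueError("no 'Found N matches' line in output")
    return int(m.group(1))


def classify(name_output: str, ip_output: str) -> str:
    """Combine the host-name lookup and the IP lookup into one verdict."""
    name_hits = count_matches(name_output)
    ip_hits = count_matches(ip_output)
    if name_hits > 0:
        return "blacklisted"   # the name is in the DB
    if ip_hits > 0:
        return "greylisted"    # name clean, but the IP it resolves to is listed
    return "not listed"


def triage(name_output: str, ip_output: str) -> tuple[str, str]:
    """Return (verdict, recommended action) for a pair of pasted lookups."""
    verdict = classify(name_output, ip_output)
    return verdict, ADVICE[verdict]


# Constructed sample pastes (hypothetical host and RFC 5737 test address).
NAME_CLEAN = (
    "ISC-ASA# dynamic-filter database find mail.example.com\n"
    "Found 0 matches\n"
    "ISC-ASA#\n"
)
IP_LISTED = (
    "ISC-ASA# dynamic-filter database find 192.0.2.10\n"
    "192.0.2.10\n"            # assumed per-entry line
    "Found 1 matches\n"
    "ISC-ASA#\n"
)
NAME_LISTED = (
    "ISC-ASA# dynamic-filter database find bad.example.net\n"
    "bad.example.net\n"       # assumed per-entry line
    "Found 1 matches\n"
    "ISC-ASA#\n"
)

if __name__ == "__main__":
    for label, (n, i) in {
        "shared-hosting case": (NAME_CLEAN, IP_LISTED),
        "listed name": (NAME_LISTED, IP_LISTED),
        "clean": (NAME_CLEAN, NAME_CLEAN),
    }.items():
        verdict, action = triage(n, i)
        print(f"{label}: {verdict} -> {action}")
```

Paste the output of both find commands straight from the console; the prompt lines are harmless because only the summary line is parsed. The helper refuses to classify a paste with no "Found N matches" line, which matters when a copy from a terminal is cut off before the summary.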

It's a customer of mine; I need him to run it. I'll post what he sends me.

Ran the site through SiteAdvisor and it came back good.

ISC-ASA# dynamic-filter database find ironmail..com
Found 0 matches
ISC-ASA#
ISC-ASA#
ISC-ASA#

Is this because it's in the whitelist?

Hi Patrick,

No, the white list shouldn't matter on the DB lookup. Can you resolve the IP of your site and then run the find command against the IP and let me know what it says?

regards,

scott

Scott, I will not be able to get this today, but from the GUI report this morning it looks like it resolved it just fine.

It had:

ironmail..com (xx.xx.xx.xx) port 25 LOGGED 420 dropped 420 very high malware

Thanks again

Pat

Hi Patrick,

Sounds good. Let me know the reporting based on the IP with the find command. It's looking like maybe it's grey listed.

thanks,

scott
