How to block spam with subject "Here you have"?

Unanswered Question
Sep 9th, 2010

Hello,
 
 
  Cisco IronPort has identified a SPAM Outbreak with Subject "Here you have" and has published IronPort AntiSpam rules to protect from these messages.
 
If you notice the messages bypassing your Email Security Appliance, please verify that these messages are being scanned by IronPort AntiSpam via Message Tracking or Mail logs.
 
If these messages are not being scanned by IronPort AntiSpam due to Whitelisting or Policy exceptions, you can create an incoming content filter to catch these messages.
 
For additional information, please refer to KB article #1629 below.
 
http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1629&p_created=1284070094&p_sid=dZEAvC9k&p_accessibility=0&p_redirect=&p_srch=1&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MSwxJnBfcHJvZHM9MCZwX2NhdHM9MCZwX3B2PSZwX2N2PSZwX3NlYXJjaF90eXBlPWFuc3dlcnMuc2VhcmNoX25sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9MTYyOQ!!&p_li=&p_topview=1
 
Please feel free to contact Cisco IronPort Customer Support if you need additional assistance.
 
Best Regards,
Cisco IronPort Customer Support

efoster Thu, 09/09/2010 - 16:05

Cisco IronPort is updating our VOF filters right now to catch and prevent the virus worm called WORM_MEYLME.B. An announcement on the VOF updates will be made shortly.

efoster Thu, 09/09/2010 - 17:12

Cisco IronPort IDE numbers above 2010090905 include the Sophos IDE fix for this virus. Below are the release details; you can run 'antivirusstatus detail' to check for this IDE. Example:


test.run> antivirusstatus detail

Sophos Anti-Virus:

   Product - 4.56
   Engine - 3.10.0
   Product Date - 02 Aug 2010

Sophos IDEs currently on the system:

   'Fake-Bsk.Ide'         Virus Sig. - 10 Sep 2010 00:06:54
   'Auto-Bho.Ide'         Virus Sig. - 09 Sep 2010 20:20:28

topendz998 Fri, 09/10/2010 - 05:11

Actually, my findings show Sophos on IronPort is not capturing these viruses. CASE is, but not Sophos. CASE isn't active on our outbound email and I see instances of these being missed.

jaigill Fri, 09/10/2010 - 12:09

Simon,


Thanks for the feedback.


Can you check the following on your ESA:

1. Your AV engine has the IDEs which were published to block these messages

2. The messages were indeed scanned by Sophos


Assuming both of the above are true, I would recommend that you open a case with Cisco Ironport Customer Support and submit samples that were not caught by Sophos. We would like to take a look at the samples and determine why they were not caught by your ESA.


Thanks!
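
The check discussed in this thread (was each "Here you have" message actually given a verdict by IronPort Anti-Spam/CASE and by Sophos?) can be scripted against exported mail logs. This is an added example, not part of the thread and not Cisco tooling; the log lines are constructed, and their layout (`MID n Subject '...'`, `using engine: CASE ...`, `antivirus ...`) is an assumption to adjust to what your appliance actually writes.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on ESA text mail logs (layout is an assumption).
SAMPLE_LOG = """\
Thu Sep  9 16:05:01 2010 Info: MID 1001 Subject 'Here you have'
Thu Sep  9 16:05:02 2010 Info: MID 1001 using engine: CASE spam positive
Thu Sep  9 16:05:02 2010 Info: MID 1001 antivirus negative
Thu Sep  9 16:06:10 2010 Info: MID 1002 Subject 'Here You Have'
Thu Sep  9 16:06:11 2010 Info: MID 1002 antivirus negative
Thu Sep  9 16:07:30 2010 Info: MID 1003 Subject 'Quarterly report'
Thu Sep  9 16:07:31 2010 Info: MID 1003 using engine: CASE spam negative
Thu Sep  9 16:08:00 2010 Info: MID 1004 Subject 'Fwd: here you have'
"""

MID_RE = re.compile(r"\bMID (\d+) (.*)$")
SUBJECT_RE = re.compile(r"Subject '(.*)'$")
CASE_RE = re.compile(r"(?:interim verdict )?using engine: CASE (.+)$")
AV_RE = re.compile(r"antivirus (\w+)")
ENGINES = ("antispam", "antivirus")

def audit(log_text, needle="here you have"):
    """Return {MID: {engine: verdict or None}} for messages whose subject contains needle."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = MID_RE.search(line)
        if not m:
            continue
        rec, rest = msgs[int(m.group(1))], m.group(2)
        for key, rx in (("subject", SUBJECT_RE), ("antispam", CASE_RE), ("antivirus", AV_RE)):
            hit = rx.match(rest)
            if hit:
                rec[key] = hit.group(1)  # a later (final) verdict overwrites an interim one
    return {mid: {e: rec.get(e) for e in ENGINES}
            for mid, rec in msgs.items()
            if needle in rec.get("subject", "").lower()}

def unscanned(report):
    """Map each MID to the engines for which no verdict line was logged."""
    gaps = {mid: [e for e in ENGINES if v[e] is None] for mid, v in report.items()}
    return {mid: missing for mid, missing in gaps.items() if missing}

if __name__ == "__main__":
    for mid, missing in unscanned(audit(SAMPLE_LOG)).items():
        print(f"MID {mid}: no verdict from {', '.join(missing)}")
```

MIDs reported with a missing engine are the ones to trace back to a whitelist or policy exception, or to submit as samples if the engine did scan them and returned a negative verdict.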
