How to block spam with subject "Here you have"?

efoster
Level 1

Hello,
 
 
  Cisco IronPort has identified a SPAM Outbreak with Subject "Here you have" and has published IronPort AntiSpam rules to protect from these messages.
 
If you notice the messages bypassing your Email Security Appliance, please verify that these messages are being scanned by IronPort AntiSpam via Message Tracking or Mail logs.
 
If these messages are not being scanned by IronPort AntiSpam due to Whitelisting or Policy exceptions, you can create an incoming content filter to catch these messages.
 
For additional information, please refer to KB article #1629 below.
 
http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1629&p_created=1284070094&p_sid=dZEAvC9k&p_accessibility=0&p_redirect=&p_srch=1&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MSwxJnBfcHJvZHM9MCZw...!!&p_li=&p_topview=1
 
Please feel free to contact Cisco IronPort Customer Support if you need additional assistance.
 
Best Regards,
Cisco IronPort Customer Support

8 Replies

efoster
Level 1

Hello,

McAfee is also reporting this SPAM attack and has just posted an announcement regarding their workaround at https://kc.mcafee.com/corporate/index?page=content&id=KB69857 . Cisco IronPort Email Security Appliance customers using McAfee and/or IPAS should now be catching this SPAM.

Trend Micro has just reported a similar issue at http://blog.trendmicro.com/old-malware-out-of-its-shell/

Cisco IronPort is updating our VOF filters right now to catch and prevent the virus worm called WORM_MEYLME.B. An announcement on the VOF updates will be made shortly.

Sophos has addressed this issue and is able to filter SPAM based on the virus link. Sophos IDE details are available at

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunbho.html

How do I confirm which IDE is blocking this on Ironport?

Cisco IronPort IDE numbers above 2010090905 include the Sophos IDE fix for this virus. Below are the release details; you can run 'antivirusstatus detail' to check for this IDE. Example:

test.run> antivirusstatus detail

Sophos Anti-Virus:

   Product - 4.56
   Engine - 3.10.0
   Product Date - 02 Aug 2010

Sophos IDEs currently on the system:

   'Fake-Bsk.Ide'         Virus Sig. - 10 Sep 2010 00:06:54
   'Auto-Bho.Ide'         Virus Sig. - 09 Sep 2010 20:20:28

Actually, my findings show Sophos on Ironport is not capturing these viruses. CASE is but not Sophos. CASE isn't active on our outbound email and I see instances of these being missed.

Simon,

Thanks for the feedback.

Can you check the following on your ESA:

1. Your AV engine has the IDEs which were published to block these messages

2. The messages were indeed scanned by Sophos

Assuming both of the above are true, I would recommend that you open a case with Cisco Ironport Customer Support and submit samples that were not caught by Sophos. We would like to take a look at the samples and determine why they were not caught by your ESA.

Thanks!
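
Added example (not part of the original replies and not Cisco's code): one way to automate check 1 above by parsing saved 'antivirusstatus detail' output in the format quoted earlier in the thread. The IDE name to look for and the cutoff date are assumptions the operator supplies; the sample text is copied from the thread, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample copied from the `antivirusstatus detail` output quoted in the thread.
SAMPLE_OUTPUT = """\
Sophos Anti-Virus:

   Product - 4.56
   Engine - 3.10.0
   Product Date - 02 Aug 2010

Sophos IDEs currently on the system:

   'Fake-Bsk.Ide'         Virus Sig. - 10 Sep 2010 00:06:54
   'Auto-Bho.Ide'         Virus Sig. - 09 Sep 2010 20:20:28
"""

# One IDE entry: quoted file name, then "Virus Sig. - <day> <month> <year> <time>".
IDE_LINE = re.compile(
    r"^\s*'(?P<name>[^']+)'\s+Virus Sig\.\s+-\s+"
    r"(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s*$"
)

def parse_ides(output):
    """Return {lowercased IDE name: signature datetime} from the CLI output."""
    ides = {}
    in_section = False
    for line in output.splitlines():
        if line.strip().startswith("Sophos IDEs currently on the system"):
            in_section = True  # ignore the product/engine header above this line
            continue
        match = IDE_LINE.match(line) if in_section else None
        if match:
            ides[match.group("name").lower()] = datetime.strptime(
                match.group("ts"), "%d %b %Y %H:%M:%S")
    return ides

def check_ide(output, ide_name, not_before):
    """Classify an IDE as 'missing', 'stale' (older than not_before) or 'ok'."""
    signature_time = parse_ides(output).get(ide_name.lower())
    if signature_time is None:
        return "missing"
    return "ok" if signature_time >= not_before else "stale"

if __name__ == "__main__":
    # Assumed inputs: IDE name taken from the sample output, cutoff chosen by the operator.
    print(check_ide(SAMPLE_OUTPUT, "Auto-Bho.Ide", datetime(2010, 9, 9)))
```

A "missing" or "stale" result means the appliance has not yet pulled the expected IDE, which should be ruled out before submitting missed samples to support.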
