Undetected spam from the inside to outside

Nov 25th, 2010

Hi, I have an IronPort C150 in failover mode. Everything is working fine, but a virus infected a PC, and this sends a lot of spam through the IronPort.

I have activated the anti-spam on the relay list, but nothing: it is still sending spam. How can I detect it from inside to outside?

pvdberg00 Thu, 11/25/2010 - 04:35

You have to enable Anti-Spam on the outgoing policies. There is always the possibility that the particular mail message is not detected as spam. If so, you have to define an outgoing filter to capture this message.

pvdberg00 Thu, 11/25/2010 - 04:50

The message is not detected as spam by CASE. You have to create an outgoing filter for the sender to capture the message.

pablosoyogui Thu, 11/25/2010 - 06:29

That is a good idea, but every day a new spam appears for everybody. Do I need to do this? Doesn't the CASE anti-spam detect it automatically?

pvdberg00 Thu, 11/25/2010 - 23:24

Maybe you can do something with the sending domain. I expect this is not one of your own domains?

Christopher Smith Fri, 11/26/2010 - 07:11
Cisco Employee

Keep in mind that the accuracy of anti-spam scanning outbound is not as accurate as scanning inbound. This is because we do not have an IP to validate against. Though IPAS performs content scanning, we still attempt to utilize the source IP address as a component in the signatures, if possible. Since these would originate from an internal address, we would be missing some data. This is not to say that scanning outbound will not work, but it is just not as accurate in most cases.

I think your best bet here is to try to capture the message in question, in something such as an archive. Ideally, if this is the result of a system that is compromised, you would want to isolate that system. Typically you would not want to allow individual systems direct access to the RELAYLIST sender group, but instead only allow the mail server to relay through the appliance.

Christopher C Smith
CSE

Cisco IronPort Customer Support

exMSW4319 Fri, 11/26/2010 - 13:28

I must be missing something here. Doesn't the submitted evidence show the connection came from the original poster's 10.20.2.15?

If that's a single device, why not add it to a new sender group ahead of your RELAYLIST (presuming a standard HAT) but set to BLOCKED, and if the user complains then tell them they've just lost their relay privileges and will have to get their IT desktop support to find the cause before those privileges are restored.

If it's a whole mail system, find the admin team responsible for it and ask them what they're going to do for connectivity if you rate-limit their system. Do point out that rate-limiting does not respect the importance of the message or the sender. Tracking down the virus abusing their system is their problem, and all you can do is give them samples to work on.

In either case, a mail caused by viral infection is completely unacceptable because it could potentially spread the virus further.
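The replies above come down to first finding which internal host is the one pushing mail through the RELAYLIST, then blocking or rate-limiting it in the HAT. As an added example (not code from the thread or from Cisco), here is a small Python script that ties messages back to the connecting IP the way appliance mail logs do, via the connection ID (ICID) that each message ID (MID) references, and flags hosts that send an unusual number of messages or forge many different envelope senders. The log lines are constructed in a simplified mail_logs-like form, the field layout is an assumption, and the thresholds are deliberately low to suit the tiny sample.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified mail_logs-like form (assumed layout, not real
# appliance output). A "New SMTP ICID" line binds a connection to a source IP; each
# message's "MID ... ICID ..." line points back at that connection.
SAMPLE_LOG = """\
Thu Nov 25 04:30:01 2010 Info: New SMTP ICID 101 address 10.20.2.15 sendergroup RELAYLIST
Thu Nov 25 04:30:02 2010 Info: Start MID 5001 ICID 101
Thu Nov 25 04:30:02 2010 Info: MID 5001 ICID 101 From: <alice@example.com>
Thu Nov 25 04:30:03 2010 Info: Start MID 5002 ICID 101
Thu Nov 25 04:30:03 2010 Info: MID 5002 ICID 101 From: <bob@example.com>
Thu Nov 25 04:30:04 2010 Info: Start MID 5003 ICID 101
Thu Nov 25 04:30:04 2010 Info: MID 5003 ICID 101 From: <carol@example.com>
Thu Nov 25 04:30:05 2010 Info: New SMTP ICID 102 address 10.20.2.40 sendergroup RELAYLIST
Thu Nov 25 04:30:06 2010 Info: Start MID 5004 ICID 102
Thu Nov 25 04:30:06 2010 Info: MID 5004 ICID 102 From: <mailserver@example.com>
"""

ICID_RE = re.compile(r"New SMTP ICID (\d+) address (\d+\.\d+\.\d+\.\d+)")
MID_RE = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")


def summarize_senders(log_text):
    """Return {source_ip: (message_count, number_of_distinct_envelope_senders)}."""
    icid_to_ip = {}
    msgs = defaultdict(int)
    senders = defaultdict(set)
    for line in log_text.splitlines():
        m = ICID_RE.search(line)
        if m:  # connection opened: remember which IP owns this ICID
            icid_to_ip[m.group(1)] = m.group(2)
            continue
        m = MID_RE.search(line)
        if m:  # one accepted message: attribute it to the connecting IP
            ip = icid_to_ip.get(m.group(2), "unknown")
            msgs[ip] += 1
            senders[ip].add(m.group(3))
    return {ip: (msgs[ip], len(senders[ip])) for ip in msgs}


def flag_suspect_hosts(log_text, max_msgs=2, max_senders=1):
    """Hosts exceeding the message count or using more envelope senders than a
    single workstation should; a legitimate relay host normally uses one."""
    summary = summarize_senders(log_text)
    return sorted(ip for ip, (n, s) in summary.items()
                  if n > max_msgs or s > max_senders)
```

On a real log the thresholds would be set per time window from a baseline of normal traffic; the flagged address is the candidate for the BLOCKED sender group suggested above.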
