10-06-2014 10:18 AM
Quick question:
We updated our C170 to 8.5.6-092 last week, and since then we've seen a massive increase in spam making it through our IronPort undetected.
I've read some updates here re: SBRS and repengine issues after an 8.5.6-092 update, and have investigated these (both are OK) but nonetheless I am curious if others are seeing the same thing.
What I'd like to know is if these are just a new spam campaign that is making it through the Ironport filters, or if we have an actual technical issue after the 8.5.6-092 upgrade that I'm missing.
Current status:
Rule Type                   Last Update               Current Version                        New Update
---------------------------------------------------------------------------------------------------------
CASE Core Files             Tue Sep 30 12:22:51 2014  3.3.1-009                              Not Available
CASE Utilities              Tue Sep 30 12:22:51 2014  3.3.1-009                              Not Available
Structural Rules            Mon Oct  6 08:08:52 2014  3.3.1-009-20141005_221700              Not Available
Web Reputation DB           Mon Oct  6 01:18:29 2014  20141006_081308                        Not Available
Web Reputation DB Update    Mon Oct  6 09:18:56 2014  20141006_081308-20141006_161553        Not Available
Content Rules               Mon Oct  6 10:06:11 2014  20141006_170304                        Not Available
Content Rules Update        Mon Oct  6 10:06:11 2014  20141006_170501                        Not Available
In general, we're seeing spam with the following characteristics:
1) many originate from, or contain links to, .link domains
2) SBRS on these is clear (-1, -2), so they get a pass on the SBRS check
3) Sample subjects:
SENDER: ExlusiveEnrollment@ratio.medicareinsofficial.link
SUBJECT: Exclusive: Enrollment Plans from Blue-Cross, Humana, and AARP.
SENDER: NewScanNotice@view.todaysinformedresult.link
SUBJECT: Re: Someone has run-a-background scan on you. See-your results #190860649
SENDER: Seeback@lsdn.background-info-online.link
SUBJECT: Alert:Someone ran your background-scan. Read the results #1609820.01
SENDER: OctoberFordEvent@ratio.largelycarsavings.link
SUBJECT: Ford Cuts Prices to Make Quotas.
SENDER: ArrestRecords@ratio.publicarrestrecordsdaily.link
SUBJECT: Website May Expose Your Arrest Records. (see details)
SENDER: notice@recordfiledetectautomate.net
SUBJECT: Re: Your background-report may have been viewed on 10/03/14
4) Furthermore, many contain .link URLs in the content, and the newly added URL scanning seems to be giving these a total pass, too.
Some samples: http://signupnow.growingmedicareprovider.link , http://detailshere.largelycarsavings.link etc.
We're playing whack-a-mole with individual rules for subjects and .link domains, i.e., flagging and quarantining these as they come in, but I'd like to know if anyone else is seeing this, or if it's just me.
-b
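The per-subject and per-domain rules the post describes can be prototyped outside the appliance before being turned into message filters. The script below is an added example, not code from the original post or from Cisco: it applies an SBRS cut-off first (the check the appliance already does), then the content rules the poster has been adding by hand (sender TLD, URL TLD in the body, subject phrases), and reports which rule fired. The threshold, the subject patterns, the .link TLD list, the sample messages and their SBRS values are all constructed assumptions for the example; none of them are ESA defaults.

```python
"""
Added example (not from the original post or from Cisco): an offline
approximation of the "whack-a-mole" content checks described above, so the
.link sender/URL pattern can be exercised against sample messages.
Messages, SBRS scores and thresholds below are constructed for the example.
"""
import re
from urllib.parse import urlparse

# Assumed policy knobs (hypothetical, not ESA defaults): top-level domains to
# flag, subject phrases seen in the campaign, and an SBRS cut-off below which
# a connection would be rejected outright (SBRS ranges from -10 to +10).
SUSPECT_TLDS = {"link"}
SUBJECT_PATTERNS = [
    re.compile(r"background[-\s]?(scan|report)", re.I),
    re.compile(r"arrest\s+records", re.I),
    re.compile(r"\bquotas\b", re.I),
]
SBRS_REJECT_BELOW = -3.0

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def tld_of(host: str) -> str:
    """Return the last DNS label of a host name, lower-cased."""
    return host.rstrip(".").rsplit(".", 1)[-1].lower()


def sender_domain(sender: str) -> str:
    """Extract the domain part of a sender address such as <a@b.example>."""
    return sender.rsplit("@", 1)[-1].strip("<> ").lower()


def extract_urls(body: str) -> list:
    """Pull http(s) URLs out of a message body, trimming trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(body)]


def classify(msg: dict) -> dict:
    """
    Apply the checks in order: SBRS first (what the appliance already does),
    then the content-based rules the thread falls back on when SBRS is clean.
    Returns the action plus the reasons that fired.
    """
    reasons = []
    if msg["sbrs"] < SBRS_REJECT_BELOW:
        return {"action": "reject", "reasons": ["sbrs"]}
    if tld_of(sender_domain(msg["sender"])) in SUSPECT_TLDS:
        reasons.append("sender-tld")
    for url in extract_urls(msg["body"]):
        host = urlparse(url).hostname or ""
        if tld_of(host) in SUSPECT_TLDS:
            reasons.append("url-tld:" + host)
    for pat in SUBJECT_PATTERNS:
        if pat.search(msg["subject"]):
            reasons.append("subject:" + pat.pattern)
    action = "quarantine" if reasons else "deliver"
    return {"action": action, "reasons": reasons}


# Constructed samples modelled on the subjects quoted in the thread; the SBRS
# values are invented to show a "clean" score passing the reputation check.
SAMPLES = [
    {"sender": "OctoberFordEvent@ratio.largelycarsavings.link",
     "subject": "Ford Cuts Prices to Make Quotas.",
     "body": "See http://detailshere.largelycarsavings.link today.",
     "sbrs": -1.2},
    {"sender": "notice@recordfiledetectautomate.net",
     "subject": "Re: Your background-report may have been viewed on 10/03/14",
     "body": "Check http://signupnow.growingmedicareprovider.link/now",
     "sbrs": -2.0},
    {"sender": "billing@example.com",
     "subject": "Invoice 4471",
     "body": "Your invoice is at https://portal.example.com/inv/4471.",
     "sbrs": 3.5},
    {"sender": "blast@example.net",
     "subject": "Hello",
     "body": "http://example.net/x",
     "sbrs": -7.0},
]


def run_samples() -> list:
    """Classify every constructed sample and return the actions in order."""
    return [classify(m)["action"] for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        print(m["sender"], "->", classify(m))
```

The second sample is the interesting one for this thread: a .net sender with a clean SBRS that only gets caught because the body links to a .link host and the subject matches a campaign phrase, which is why a sender-domain rule alone keeps leaking.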
10-06-2014 10:31 AM
We have not yet upgraded to 8.5 but either way still got hammered with these spam emails last week. Also a bunch of JPEG-based spam. I used the Spam Reporting button to kick a bunch of these up to Cisco for evaluation.
10-11-2014 03:48 AM
We should certainly post our concerns on any IronPort matter, but these boards are relatively open and I'd be wary of posting exact details in case it provides spammy with a convenient feedback loop. Rule Three is alas not always true.
For what it's worth - yes, we're seeing similar problems here. CASE details the same as yours, with minor differences in the date, running 8.5.6-074.
10-14-2014 07:58 PM
Hello Bryan,
Ideally, for us to diagnose whether there is a possible fault in your IronPort or a misconfiguration, we would need your configuration file, complete message tracking information, and also the actual samples which are passing the device.
Thus I would recommend that you open a Cisco TAC case with us so we can be of assistance.
///
In terms of the information provided (there may be some other variables to consider as well):
I would suggest first running this command on your device, if not already done.
CLI > updatenow force
Let the systems update all services again.
Continue to monitor.
If these server IPs continue to send such emails, they will hit a blacklist.
However, at this point there are too many variables in place that can affect the scanning of these emails and the reasons why they're passing.
EDIT:
The 8.5.6-092 revision corrects the SBRS connection issue that was seen in -074, as per the release notes.
Regards,
Matthew