Anyone else seeing a sudden uptick in SPAM making it through their Ironports?

Bryan Hance
Level 1

Quick question:

We updated our C170 to 8.5.6-092 last week, and since then we've seen a massive increase in SPAM making it through our Ironport undetected.
I've read some updates here re: SBRS and repengine issues after an 8.5.6-092 update, and have investigated these (both are OK) but nonetheless I am curious if others are seeing the same thing.

What I'd like to know is if these are just a new spam campaign that is making it through the Ironport filters, or if we have an actual technical issue after the 8.5.6-092 upgrade that I'm missing.

 

Current status:

Rule Type     Last Update     Current Version     New Update
-----------------------------------------------------------------------
CASE Core Files     Tue Sep 30 12:22:51 2014     3.3.1-009     Not Available
CASE Utilities     Tue Sep 30 12:22:51 2014     3.3.1-009     Not Available
Structural Rules     Mon Oct 6 08:08:52 2014     3.3.1-009-20141005_221700     Not Available
Web Reputation DB     Mon Oct 6 01:18:29 2014     20141006_081308     Not Available
Web Reputation DB Update     Mon Oct 6 09:18:56 2014     20141006_081308-20141006_161553     Not Available
Content Rules     Mon Oct 6 10:06:11 2014     20141006_170304     Not Available
Content Rules Update     Mon Oct 6 10:06:11 2014     20141006_170501     Not Available

 

In general, we're seeing spam with the following characteristics:

1) many originate from, or contain links to, .link domains

2) SBRS on these is clear (-1, -2), so they get a pass on the SBRS check

3) Sample subjects:

SENDER:     ExlusiveEnrollment@ratio.medicareinsofficial.link

SUBJECT:     Exclusive: Enrollment Plans from Blue-Cross, Humana, and AARP.
     
SENDER:     NewScanNotice@view.todaysinformedresult.link
SUBJECT:     Re: Someone has run-a-background scan on you. See-your results #190860649
      
SENDER:     Seeback@lsdn.background-info-online.link
SUBJECT:     Alert:Someone ran your background-scan. Read the results #1609820.01
     
SENDER:     OctoberFordEvent@ratio.largelycarsavings.link
SUBJECT:     Ford Cuts Prices to Make Quotas.

SENDER:     ArrestRecords@ratio.publicarrestrecordsdaily.link
SUBJECT:     Website May Expose Your Arrest Records. (see details)

SENDER:     notice@recordfiledetectautomate.net
SUBJECT:     Re: Your background-report may have been viewed on 10/03/14

 

4) Furthermore, many contain .link URLs in the content, and the newly added URL scanning seems to be giving these a total pass, too.

Some samples: http://signupnow.growingmedicareprovider.link , http://detailshere.largelycarsavings.link etc.

 

We're playing whack-a-mole with individual rules for subjects and .link domains, i.e. to flag and quarantine these as they come in, but I'd like to know if anyone else is seeing this, or is it just me?

 

-b
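An added example, not code from the original post and not an IronPort feature: a small Python triage script that applies the three signals Bryan lists (sender domain TLD, recurring subject phrases, .link URLs in the body) to raw messages, so the pattern can be checked against exported samples before writing per-subject appliance rules. The TLD list, subject regexes, the SBRS "neutral" band and the two sample messages are constructed assumptions; the sender address and URL in the spam sample are taken from the post above.

```python
"""Triage helper for the spam pattern described in the thread.

Added example, not from the original post or from Cisco. Sample messages,
TLD list, subject patterns and the SBRS band below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions: TLDs treated as suspicious and subject phrases seen in the campaign.
SUSPECT_TLDS = {"link"}
SUBJECT_PATTERNS = [
    re.compile(r"background[- ]?(scan|report|info)", re.I),
    re.compile(r"arrest[- ]?records?", re.I),
    re.compile(r"enrollment plans", re.I),
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample: sender and URL come from the post, headers/body are made up.
SAMPLE_SPAM = """\
From: ArrestRecords@ratio.publicarrestrecordsdaily.link
To: user@example.org
Subject: Website May Expose Your Arrest Records. (see details)
Content-Type: text/plain

Details here: http://detailshere.largelycarsavings.link/offer
"""

# Constructed sample of a benign notification for comparison.
SAMPLE_HAM = """\
From: alerts@example.com
To: user@example.org
Subject: Your weekly report is ready
Content-Type: text/plain

Download at https://reports.example.com/weekly
"""


def sender_domain(msg):
    """Domain part of the envelope/header From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def tld(domain):
    """Last label of a host name ('link' for foo.bar.link)."""
    return domain.rpartition(".")[2].lower()


def body_text(msg):
    """Concatenate text/plain and text/html parts; attachments are ignored."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    return "\n".join(parts)


def triage(raw, sbrs=None):
    """Return (verdict, reasons) for one raw RFC 822 message.

    verdict is 'quarantine' when any content signal fires, else 'deliver'.
    sbrs is the SenderBase score the appliance already assigned, if known;
    a neutral score is recorded as context, never as a reason to deliver.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    dom = sender_domain(msg)
    if tld(dom) in SUSPECT_TLDS:
        reasons.append(f"sender TLD .{tld(dom)}")

    subject = msg.get("Subject", "")
    for pat in SUBJECT_PATTERNS:
        if pat.search(subject):
            reasons.append(f"subject matches /{pat.pattern}/")
            break

    hosts = set()
    for url in URL_RE.findall(body_text(msg)):
        host = urlparse(url).hostname
        if host and tld(host) in SUSPECT_TLDS:
            hosts.add(host.lower())
    if hosts:
        reasons.append("body links to " + ", ".join(sorted(hosts)))

    verdict = "quarantine" if reasons else "deliver"
    # Assumed neutral band: reputation alone would have passed this message.
    if reasons and sbrs is not None and -3 <= sbrs <= 3:
        reasons.append(f"SBRS {sbrs} is neutral; reputation alone passes this")
    return verdict, reasons


if __name__ == "__main__":
    for name, raw in (("spam sample", SAMPLE_SPAM), ("ham sample", SAMPLE_HAM)):
        verdict, reasons = triage(raw, sbrs=-1.5)
        print(f"{name}: {verdict}")
        for r in reasons:
            print(f"  - {r}")
```

Run it against a directory of saved .eml samples to see which of the three signals actually fires on each message; that tells you whether a single sender-domain rule would cover the campaign or whether subject and body-URL rules are also needed.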

3 Replies

Starla Rivers
Level 1

We have not yet upgraded to 8.5 but either way still got hammered with these spam emails last week.  Also a bunch of JPEG-based spam.  I used the Spam Reporting button to kick a bunch of these up to Cisco for evaluation.

 

exMSW4319
Level 3

We should certainly post our concerns on any IronPort matter, but these boards are relatively open and I'd be wary of posting exact details in case it provides spammy with a convenient feedback loop. Rule Three is alas not always true.

For what it's worth - yes, we're seeing similar problems here. CASE details as yours with minor differences for the date, running 8.5.6-074.

Mathew Huynh
Cisco Employee

Hello Bryan,

Ideally, for us to diagnose whether there is a possible fault in your IronPort or a misconfiguration, we would need your configuration file, complete message tracking information and also the actual samples which are passing the device.

 

Thus I would like to recommend you open a Cisco TAC case with us so we can be of assistance.

 

///

In terms of the information provided (there may be some other variables to consider as well):

 

I would suggest firstly running this command on your device if not already done.

CLI > updatenow force

Let the systems update all services again.

 

Continue to monitor.
If these server IPs continue to send such emails, their IPs will hit a blacklist.

 

However at this point, there are too many variables in place that can affect the scanning of these emails and reasons why they're passing.

 

 

EDIT:

The 8.5.6-092 revision corrects the SBRS connection issue that was witnessed in -074, as per the release notes.

 

Regards,

Matthew
