7985 Views, 0 Helpful, 2 Replies

Help understanding ironport email flow report

endpoint (Level 1)

Hello

Trying to understand the mail flow by looking at the IronPort quarantine report:

Who sent this email?

Where was it going, and how did it end up in the IronPort quarantine?

Particularly, I am wondering if the user's computer is infected with some malware.

Many thanks

X-IronPort-AV: E=Sophos;i="4.93,546,1378882800"; d="scan'208";a="14548166"
Subject: [SPAM] Environmental corporation searching for representatives worldwide.
X-IronPort-Anti-Spam-Result: AmrsAE4TZlJ4inPe/2dsb2JhbACNL51bkniGZA
X-IronPort-Anti-Spam-Filtered: true
Received: from 222-115-138-120.mysipl.com ([120.138.115.222]) by smtp1.MYCOMPANY.com with ESMTP; 21 Oct 2013 23:01:02 -0700
Received: from [84.73.175.56] (account movementgsz873@gmail.com HELO crtummz.vbefoihhdphw.com) by 222-115-138-120.mysipl.com (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 705398280 for cgomez@MYCOMPANY.com; Tue, 22 Oct 2013 11:40:23 +0530
Date: Tue, 22 Oct 2013 11:40:23 +0530
From: <cgomez@MYCOMPANY.com>
X-Mailer: The Bat! (v3.0) Home
X-Priority: 3 (Normal)
Message-ID: <0782249119.3UGFV5TR374889@bmolaxpvvzww.ibbtxbwxvv.net>
To: <cgomez@MYCOMPANY.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Environmental company looking for representation

6% commission on 200K monthly income derived from promotion and sales of proprietary environmental research information

Requirements:

- Own a company

- Daily E-mail, Skype or phone link with us

- Properly paced execution of all instructions

In case of expressing interest, please indicate these data:

-  Full name

-  Telephone number (including country code)

- City and Country

- Email

-  Age

Please answer to: Kelley@consult-googleapps.com

Best Regards,

Liaison dept

2 Replies

Greg Hopp (Level 1)

Yep, looks like good ol' fashioned spam to me. Domain spoofing is extremely common. I do not allow zip files in my org without looking at the message header first, for this reason.

It ended up in the quarantine because: X-IronPort-Anti-Spam-Filtered: true

brusso (Level 1)

This email is SPAM, exactly the same as one I saw yesterday which was classified as SPAM.

The header information just tells you it was scanned by the anti-spam engine if "X-IronPort-Anti-Spam-Filtered: true" is in the subject line. This is not an indication of whether it was filtered or not. The best way to see the email flow is:

Log in to your appliance via SSH and run the command "findevent". You can search by envelope from, Message ID, subject, or envelope to.

You can also access this through the GUI if you click on "Monitor" and navigate down to "Message Tracking". Then search for the message in question with the input fields. You should find the email in question; click "show details".

Either way will provide you with the mail flow details of that particular email.

Also, I would recommend checking out the following article on submitting SPAM samples:

https://supportforums.cisco.com/community/netpro/security/email/blog/2012/05/23/why-am-i-getting-spam-and-what-can-i-do-about-it

Submitting samples is how we gather the data to continue filtering new threats.
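The Received: chain in the headers posted in the question can also be read programmatically, which answers the "who sent it" and "where was it going" questions without appliance access and gives you exact values to feed into findevent or Message Tracking. The script below is an added example written for this thread, not IronPort or Cisco code. It embeds the question's headers as a constructed sample, assumes MYCOMPANY.com is the domain the edge MTA protects (the redacted name used in the post), and uses only the Python standard library.

```python
"""Reconstruct a message's delivery path from its Received: headers.
Added example for this thread, not IronPort/Cisco code. Stdlib only."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: the edge MTA serves this domain ("MYCOMPANY.com" is the
# redacted name used in the post); compared case-insensitively.
PROTECTED_DOMAIN = "mycompany.com"

# Constructed sample: the headers quoted in the question, one per line.
SAMPLE_HEADERS = """\
X-IronPort-AV: E=Sophos;i="4.93,546,1378882800"; d="scan'208";a="14548166"
Subject: [SPAM] Environmental corporation searching for representatives worldwide.
X-IronPort-Anti-Spam-Result: AmrsAE4TZlJ4inPe/2dsb2JhbACNL51bkniGZA
X-IronPort-Anti-Spam-Filtered: true
Received: from 222-115-138-120.mysipl.com ([120.138.115.222]) by smtp1.MYCOMPANY.com with ESMTP; 21 Oct 2013 23:01:02 -0700
Received: from [84.73.175.56] (account movementgsz873@gmail.com HELO crtummz.vbefoihhdphw.com) by 222-115-138-120.mysipl.com (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 705398280 for cgomez@MYCOMPANY.com; Tue, 22 Oct 2013 11:40:23 +0530
Date: Tue, 22 Oct 2013 11:40:23 +0530
From: <cgomez@MYCOMPANY.com>
X-Mailer: The Bat! (v3.0) Home
Message-ID: <0782249119.3UGFV5TR374889@bmolaxpvvzww.ibbtxbwxvv.net>
To: <cgomez@MYCOMPANY.com>
"""

# Received: is free-form; rely only on the RFC 5321 clause keywords
# (from / by / with / id / for) and the ';' that precedes the date.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"
    r"(?:\s+\((?P<from_comment>[^)]*)\))?"
    r"\s+by\s+(?P<by_host>\S+)"
    r"(?:\s+\([^)]*\))?"
    r"(?:\s+with\s+(?P<proto>\S+))?"
    r"(?:\s+id\s+\S+)?"
    r"(?:\s+for\s+<?(?P<rcpt>[^\s;>]+)>?)?"
    r"\s*;\s*(?P<date>.+)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into its clauses; timestamp normalised to UTC."""
    text = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        raise ValueError("unrecognised Received: header: %r" % value)
    comment = m.group("from_comment") or ""
    ip = IP_RE.search(m.group("from_host") + " " + comment)
    account = re.search(r"\baccount\s+(\S+)", comment)   # CommuniGate-style auth note
    helo = re.search(r"\bHELO\s+(\S+)", comment)
    return {
        "from_host": m.group("from_host"),
        "from_ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "auth_account": account.group(1) if account else None,
        "by_host": m.group("by_host"),
        "protocol": m.group("proto"),          # ESMTPA = authenticated submission
        "envelope_to": m.group("rcpt"),
        "timestamp": parsedate_to_datetime(m.group("date")).astimezone(timezone.utc),
    }


def trace(raw_headers):
    """Hops in delivery order. Each MTA prepends its own Received:, so the
    top-most header is the final hop and the bottom-most is the origin."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def is_internal(host, domain=PROTECTED_DOMAIN):
    h = host.lower().strip("[]")
    return h == domain or h.endswith("." + domain)


def assess(raw_headers, domain=PROTECTED_DOMAIN):
    """Who sent it, through what, and whether From: is backed by an internal hop."""
    msg = message_from_string(raw_headers)
    hops = trace(raw_headers)
    origin, final = hops[0], hops[-1]
    header_from = parseaddr(msg.get("From", ""))[1]
    from_domain = header_from.rpartition("@")[2].lower()
    # A From: in our own domain is only credible if some hop was *sent from*
    # an internal host; the edge MTA appearing as a "by" host does not count.
    backed_by_internal = any(is_internal(h["from_host"], domain) for h in hops)
    return {
        "origin_ip": origin["from_ip"],
        "submitting_account": origin["auth_account"],
        "relay": origin["by_host"],
        "relay_auth": origin["protocol"],
        "edge_mta": final["by_host"],
        "envelope_to": origin["envelope_to"],
        "header_from": header_from,
        "header_from_forged": from_domain == domain and not backed_by_internal,
        "antispam_scanned": msg.get("X-IronPort-Anti-Spam-Filtered", "").strip().lower() == "true",
        # Negative value: the edge stamped the message *before* the relay did.
        "hop_skew_seconds": (final["timestamp"] - origin["timestamp"]).total_seconds(),
    }


if __name__ == "__main__":
    for n, hop in enumerate(trace(SAMPLE_HEADERS), 1):
        print("hop %d: %s (%s) -> %s via %s at %s" % (n, hop["from_host"],
              hop["from_ip"], hop["by_host"], hop["protocol"], hop["timestamp"].isoformat()))
    for key, val in assess(SAMPLE_HEADERS).items():
        print("%-20s %s" % (key, val))
```

On the question's headers this reads as: the message was submitted from 84.73.175.56 over an authenticated session (ESMTPA, account movementgsz873@gmail.com) to the mysipl.com relay, which then handed it to smtp1.MYCOMPANY.com. The From: is the recipient's own address, but no hop before the edge originates inside MYCOMPANY.com, so the From: is forged rather than evidence of an infected internal host. The two timestamps also disagree by about nine minutes in the wrong direction (the edge's stamp is earlier than the relay's), a clock skew worth remembering when correlating with findevent or Message Tracking output.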
