Cisco Support Community
New Member

How to block spam with subject "Here you have"?

Hello,
 
 
  Cisco IronPort has identified a SPAM Outbreak with Subject "Here you have" and has published IronPort AntiSpam rules to protect from these messages.
 
If you notice the messages bypassing your Email Security Appliance, please verify that these messages are being scanned by IronPort AntiSpam via Message Tracking or Mail logs.
 
If these messages are not being scanned by IronPort AntiSpam due to Whitelisting or Policy exceptions, you can create an incoming content filter to catch these messages.
 
For additional information, please refer to KB article # 1629 below.
 
http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1629&p_created=1284070094&p_sid=dZEAvC9k&p_accessibility=0&p_redirect=&p_srch=1&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MSwxJnBfcHJvZHM9MCZw...!!&p_li=&p_topview=1
 
Please feel free to contact Cisco IronPort Customer Support if you need additional assistance.
 
Best Regards,
Cisco IronPort Customer Support

8 REPLIES
New Member

Re: How to block spam with subject "Here you have"?

Hello,

McAfee is also reporting this SPAM attack and has just posted an announcement regarding their workaround at https://kc.mcafee.com/corporate/index?page=content&id=KB69857. Cisco IronPort Email Security Appliance customers using McAfee and/or IPAS should now be catching this SPAM.

New Member

Re: How to block spam with subject "Here you have"?

Trend Micro has just reported a similar issue at http://blog.trendmicro.com/old-malware-out-of-its-shell/

New Member

Re: How to block spam with subject "Here you have"?

Cisco IronPort is updating our VOF filters right now to catch and prevent the virus worm called WORM_MEYLME.B. An announcement on the VOF updates will be made shortly.

New Member

Re: How to block spam with subject "Here you have"?

Sophos has addressed this issue and is able to filter SPAM based on the virus link. Sophos IDE details are available at

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunbho.html

New Member

Re: How to block spam with subject "Here you have"?

How do I confirm which IDE is blocking this on Ironport?

New Member

Re: How to block spam with subject "Here you have"?

Cisco IronPort IDE numbers above 2010090905 include the Sophos IDE fix for this virus. Below are the release details; you can run 'antivirusstatus detail' to check for this IDE. Example:

test.run> antivirusstatus detail

Sophos Anti-Virus:

   Product - 4.56
   Engine - 3.10.0
   Product Date - 02 Aug 2010

Sophos IDEs currently on the system:

   'Fake-Bsk.Ide'         Virus Sig. - 10 Sep 2010 00:06:54
   'Auto-Bho.Ide'         Virus Sig. - 09 Sep 2010 20:20:28
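
An added example, not part of the original thread and not Cisco tooling: a Python check that parses saved 'antivirusstatus detail' output in the format shown above and confirms that a named Sophos IDE is loaded. The function names, and the choice of 'Auto-Bho.Ide' as the IDE to look for, are assumptions made for illustration.

```python
import re
from datetime import datetime

# Sample input: the 'antivirusstatus detail' output quoted in the post above.
SAMPLE = """\
Sophos Anti-Virus:

   Product - 4.56
   Engine - 3.10.0
   Product Date - 02 Aug 2010

Sophos IDEs currently on the system:

   'Fake-Bsk.Ide'         Virus Sig. - 10 Sep 2010 00:06:54
   'Auto-Bho.Ide'         Virus Sig. - 09 Sep 2010 20:20:28
"""

# One IDE per line: quoted file name, then the signature timestamp.
IDE_LINE = re.compile(
    r"^\s*'(?P<name>[^']+)'\s+Virus Sig\.\s+-\s+"
    r"(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s*$")

def parse_ides(text):
    """Return {lower-cased IDE name: signature datetime} for each IDE line."""
    ides = {}
    for line in text.splitlines():
        m = IDE_LINE.match(line)
        if m:
            ides[m.group("name").lower()] = datetime.strptime(
                m.group("ts"), "%d %b %Y %H:%M:%S")
    return ides

def check_ide(text, required, not_before=None):
    """Return (ok, reason): is `required` loaded, and dated >= not_before?"""
    ides = parse_ides(text)
    if not ides:
        return False, "no IDE lines found in the supplied output"
    ts = ides.get(required.lower())
    if ts is None:
        return False, f"{required} is not in the loaded IDE list"
    if not_before and ts < not_before:
        return False, f"{required} signature predates {not_before}"
    return True, f"{required} loaded, signature dated {ts:%d %b %Y %H:%M:%S}"

if __name__ == "__main__":
    print(check_ide(SAMPLE, "Auto-Bho.Ide"))
```

Running it against output collected from each appliance gives a quick pass/fail per host; an empty or unrecognised capture fails rather than passing silently.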

New Member

Re: How to block spam with subject "Here you have"?

Actually my findings show Sophos on IronPort is not capturing these viruses. CASE is but not Sophos. CASE isn't active on our outbound email and I see instances of these being missed.

Cisco Employee

Re: How to block spam with subject "Here you have"?

Simon,

Thanks for the feedback.

Can you check the following on your ESA:

1. Your AV engine has the IDEs which were published to block these messages

2. The messages were indeed scanned by Sophos

Assuming both of the above are true, I would recommend that you open a case with Cisco IronPort Customer Support and submit samples that were not caught by Sophos. We would like to take a look at the samples and determine why they were not caught by your ESA.

Thanks!
