Increase in email spam lately

keithsauer507
Level 5

I would say in the last week, we have seen an increase in random spam coming through our IronPort C160.  We are on AsyncOS version 7.6.0-444.  It seems in the message logs quite a few get out there with random.  My boss just got 3 pieces of spam mail in the last 10 minutes.  Here are our settings in anti-spam.

Anything you guys recommend?  Why the uptick in spam all of a sudden?

IronPort Anti-Spam Overview
IronPort Anti-Spam Scanning: Enabled
Message Scanning Thresholds: Always scan 128K or less. Never scan 3M or more.
Timeout for Scanning Single Message: 120 seconds
Regional Scanning: Off

Rule                      Last Update                      Version                           New Update
CASE Core Files           21 May 2014 12:13 (GMT +00:00)   3.3.1-009                         Not Available
CASE Utilities            21 May 2014 12:13 (GMT +00:00)   3.3.1-009                         Not Available
Structural Rules          03 Sep 2014 12:56 (GMT +00:00)   3.3.1-009-20140902_211701         Not Available
Web Reputation DB         02 Sep 2014 11:48 (GMT +00:00)   20140902_113957                   Not Available
Web Reputation DB Update  03 Sep 2014 16:26 (GMT +00:00)   20140902_113957-20140903_162316   Not Available
Content Rules             03 Sep 2014 17:21 (GMT +00:00)   20140903_172026                   Available
Content Rules Update      03 Sep 2014 17:21 (GMT +00:00)   20140903_172101                   Available
No updates in progress.

 

 

13 Replies

Danny Vu
Level 1

My company also has seen a large increase this week.  I have noticed spam coming in much more frequently since February.  Every time I speak with support they say that they are trying to adjust to the snowshoe problem but haven't finalized the solution yet.  They state that their competitors are having the same issue, but I have not been able to verify that.

Unfortunately, the spammers have not hit the high maintenance people in our company so they are making more noise than normal about the spam.  My definitions look identical to yours and I am on 7.6.2-014. 

I've been told by Don Glynn (North American lead of TAC) that possibly lowering the spam threshold to 48 or 49 may help a little but that Cisco does base the definitions on the default value of 50 so we haven't tried adjusting it yet. 

What is surprising is that some of these emails are so obviously spam, just by the content and the words being used, I don't see how the system can't analyze the text to determine if it is spam.  My previous system was Ironmail and they had a Bayesian system that would analyze the words in the body and would add scoring to identify spam. 

If anyone has any ideas it would be helpful.

Where do you lower the spam threshold from 50 to 48 or 49?  Is that done in the listener's area somewhere?

That is from GUI: Mail Policies > Incoming Mail Policies > Select the Anti-spam column associated to the mail policy name...

Spam Thresholds are at the bottom of the configuration options...

Ok, I altered the values to 80 and 40 respectively, and also slightly altered the SBRS score ranges for blacklist, throttled and allowed.  Our CIO still got another piece of spam.  I had him install the IronPort Outlook plugin and report it as spam.

How can we stop this from getting in?

Envelope and Header Summary
Received Time: 04 Sep 2014 11:57:32 (GMT -04:00)
MID: 8565070
Message Size: 1.39 (KB)
Subject: Hey, Need_to_Finance _a_New_Car? (AllCreditOK)
Envelope Sender: Car_Finder@bestvaluenewcarsfound.net
Envelope Recipients: -undisclosed recipients
Message ID Header: <0.0.8e99f46743d75efac190a7f5720f07d8.7687914.10201183.0@bestvaluenewcarsfound.net>
SMTP Auth User ID: N/A
Attachments: N/A

Sending Host Summary
Reverse DNS Hostname: point70.breadhosting.net (verified)
IP Address: 209.95.37.187
SBRS Score: None

Processing Details
MAIL POLICY "DEFAULT" MATCHED THESE RECIPIENTS: undisclosed recipient
04 Sep 2014 11:57:31 (GMT -04:00)Protocol SMTP interface Management (IP 192.168.1.200) on incoming connection (ICID 13310837) from sender IP 209.95.37.187. Reverse DNS host point70.breadhosting.net verified yes.
04 Sep 2014 11:57:31 (GMT -04:00)(ICID 13310837) ACCEPT sender group SUSPECTLIST match sbrs[none] SBRS None
04 Sep 2014 11:57:32 (GMT -04:00)SMTP delivery connection (DCID 4387118) opened from Cisco IronPort interface 192.168.1.200 to IP address 10.1.1.3 on port 25.
04 Sep 2014 11:57:32 (GMT -04:00)Delivery connection (DCID 4387118) successfully accepted TLS protocol TLSv1 cipher RC4-SHA .
04 Sep 2014 11:57:32 (GMT -04:00)Start message 8565070 on incoming connection (ICID 13310837).
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 enqueued on incoming connection (ICID 13310837) from Car_Finder@bestvaluenewcarsfound.net.
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 on incoming connection (ICID 13310837) added recipient (undisclosed recipient).
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 SPF: helo identity postmaster@bestvaluenewcarsfound.net Pass
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 scanned by engine SPF Verdict Cache using cached verdict.
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 SPF: mailfrom identity Car_Finder@bestvaluenewcarsfound.net Pass
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 does not contain DKIM signature.
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 contains message ID header '<0.0.8e99f46743d75efac190a7f5720f07d8.7687914.10201183.0@bestvaluenewcarsfound.net>'.
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 original subject on injection: Hey, Need_to_Finance _a_New_Car? (AllCreditOK)
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 (1425 bytes) from Car_Finder@bestvaluenewcarsfound.net ready.
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 matched per-recipient policy DEFAULT for inbound mail policies.
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 scanned by Anti-Spam engine: CASE. Final verdict: Negative
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 scanned by Anti-Virus engine. Final verdict: Negative
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 scanned by Outbreak Filters. Verdict: Negative
04 Sep 2014 11:57:32 (GMT -04:00)Message 8565070 queued for delivery.
04 Sep 2014 11:57:32 (GMT -04:00)(DCID 4387118) Delivery started for message 8565070 to undisclosed recipient.
04 Sep 2014 11:57:33 (GMT -04:00)(DCID 4387118) Delivery details: Message 8565070 sent to undisclosed recipient
04 Sep 2014 11:57:33 (GMT -04:00)Message 8565070 to undisclosed recipient received remote SMTP response '2.6.0 <0.0.8e99f46743d75efac190a7f5720f07d8.7687914.10201183.0@bestvaluenewcarsfound.net> Queued mail for delivery'.
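The tracking log above records everything that let this message through: the connection matched SUSPECTLIST with no SBRS data, SPF passed, there was no DKIM signature, and CASE returned Negative, so it was queued for delivery. As an added example (not from the original thread and not Cisco's code), the Python below parses lines in that message-tracking format and lists the delivered messages that had no reputation data and no DKIM signature, which is the set a mail admin would pull for review first when hunting for false negatives like this one. The sample log, MIDs, ICIDs, addresses and IP addresses are constructed; only the line shapes are taken from the post. The regular expressions are my own and cover just the line types used here.

```python
import re
from collections import defaultdict

# Constructed sample in the AsyncOS message-tracking format shown in the thread.
# MIDs, ICIDs, addresses and IPs are made up; the line shapes follow the post.
SAMPLE_LOG = """\
04 Sep 2014 11:57:31 (GMT -04:00)Protocol SMTP interface Management (IP 192.168.1.200) on incoming connection (ICID 100) from sender IP 203.0.113.10. Reverse DNS host mx1.example.net verified yes.
04 Sep 2014 11:57:31 (GMT -04:00)(ICID 100) ACCEPT sender group SUSPECTLIST match sbrs[none] SBRS None
04 Sep 2014 11:57:32 (GMT -04:00)Start message 1001 on incoming connection (ICID 100).
04 Sep 2014 11:57:32 (GMT -04:00)Message 1001 enqueued on incoming connection (ICID 100) from promo@example.net.
04 Sep 2014 11:57:32 (GMT -04:00)Message 1001 SPF: mailfrom identity promo@example.net Pass
04 Sep 2014 11:57:32 (GMT -04:00)Message 1001 does not contain DKIM signature.
04 Sep 2014 11:57:32 (GMT -04:00)Message 1001 scanned by Anti-Spam engine: CASE. Final verdict: Negative
04 Sep 2014 11:57:32 (GMT -04:00)Message 1001 queued for delivery.
04 Sep 2014 11:58:01 (GMT -04:00)(ICID 101) ACCEPT sender group ALLOWED_LIST match sbrs[7.0:10.0] SBRS 8.2
04 Sep 2014 11:58:02 (GMT -04:00)Start message 1002 on incoming connection (ICID 101).
04 Sep 2014 11:58:02 (GMT -04:00)Message 1002 enqueued on incoming connection (ICID 101) from alice@example.org.
04 Sep 2014 11:58:02 (GMT -04:00)Message 1002 SPF: mailfrom identity alice@example.org Pass
04 Sep 2014 11:58:02 (GMT -04:00)Message 1002 scanned by Anti-Spam engine: CASE. Final verdict: Negative
04 Sep 2014 11:58:02 (GMT -04:00)Message 1002 queued for delivery.
"""

# Patterns for the line types this parser cares about (my own; other lines are ignored).
RE_ACCEPT = re.compile(r"\(ICID (\d+)\) ACCEPT sender group (\S+) match (\S+) SBRS (\S+)")
RE_START = re.compile(r"Start message (\d+) on incoming connection \(ICID (\d+)\)")
RE_FROM = re.compile(r"Message (\d+) enqueued on incoming connection \(ICID \d+\) from (\S+)\.")
RE_SPF = re.compile(r"Message (\d+) SPF: mailfrom identity \S+ (\w+)")
RE_NODKIM = re.compile(r"Message (\d+) does not contain DKIM signature")
RE_CASE = re.compile(r"Message (\d+) scanned by Anti-Spam engine: CASE\. Final verdict: (\w+)")
RE_QUEUED = re.compile(r"Message (\d+) queued for delivery")


def summarize(lines):
    """Return {mid: record} built from message-tracking lines.

    Sender group and SBRS are logged per connection (ICID) before any MID
    exists, so they are held against the ICID and copied onto the message
    when the 'Start message <MID> on incoming connection (ICID ...)' line appears.
    """
    conns = {}
    msgs = defaultdict(lambda: {"sender_group": None, "sbrs": None, "sender": None,
                                "spf": None, "dkim": "unknown", "case": None,
                                "delivered": False})
    for line in lines:
        if m := RE_ACCEPT.search(line):
            conns[m.group(1)] = {"sender_group": m.group(2), "sbrs": m.group(4)}
        elif m := RE_START.search(line):
            mid, icid = m.groups()
            msgs[mid].update(conns.get(icid, {}))
        elif m := RE_FROM.search(line):
            msgs[m.group(1)]["sender"] = m.group(2)
        elif m := RE_SPF.search(line):
            msgs[m.group(1)]["spf"] = m.group(2)
        elif m := RE_NODKIM.search(line):
            msgs[m.group(1)]["dkim"] = "none"
        elif m := RE_CASE.search(line):
            msgs[m.group(1)]["case"] = m.group(2)
        elif m := RE_QUEUED.search(line):
            msgs[m.group(1)]["delivered"] = True
    return dict(msgs)


def review_candidates(summary):
    """MIDs that were delivered with no reputation data (SBRS None) and no DKIM signature.

    This is a triage list, not a spam verdict: these are the delivered messages
    with the least evidence behind them, where a miss like the one in the thread
    (SUSPECTLIST, SBRS None, CASE Negative) shows up.
    """
    return sorted(mid for mid, r in summary.items()
                  if r["delivered"] and r["sbrs"] == "None" and r["dkim"] == "none")


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for mid in review_candidates(summary):
        r = summary[mid]
        print(f"MID {mid}: {r['sender']} group={r['sender_group']} sbrs={r['sbrs']} "
              f"spf={r['spf']} dkim={r['dkim']} case={r['case']}")
```

Run against a real export, the same join on ICID is what lets you correlate a sender-group decision with the message it produced; an SPF Pass on a freshly registered snowshoe domain, as in the thread, adds nothing on its own, so the review list keys on reputation and signature instead.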

 

Evening,

I'm having the same issue as everyone else, a huge increase in spam. Some stuff getting through that is obvious spam.  Anyway, I checked my anti-spam settings and here are my thresholds: "always scan 128k or less and Never scan 1mb or more."  Does this mean messages that are larger than 1mb are never scanned for spam?

I have opened many tickets in the last 8 months and nothing seems to be helping.  I do submit spam using the plugin, but never really know what happens after submission.  Should I increase the Always scan 128k?  I have one spam from today that is size 5.75 (KB), so not sure if this setting would have helped.

"always scan 128k or less and Never scan 1mb or more.  Does this mean messages that are larger than 1mb are never scanned for spam?"

- This essentially means any emails from 1 byte -> 128 KB will be put under a full scan for all details, contents, headers, fingerprints and other aspects the engine will go through.

Anything between 128 KB and 1 MB will be put under a 'partial' scan.

While anything above 1 MB will bypass the spam scanners.

The sample you received that is 5.75 KB will be subjected to a full scan.

Normally submissions to our database will have our automated processes update the rules respectively and push updates out.

However, in the instance you are still seeing the same or similar emails pass despite submitting, I strongly suggest opening a TAC case for us to review and escalate the samples to our spam team engineers to review and possibly write up further rules.

In addition, I strongly suggest all users who are experiencing an increase of spam to first ensure their devices are on version 7.6.3 onwards (to ensure the system is supported and to correct some concerns with the SBRS engine that were apparent in the older releases that are now EOL).

Also, if possible, you can upgrade to version 8.5.6 and utilize the "URL filtering" option to help with spam/phishing emails as well.

 

What is the difference between a full scan and a partial scan?

(my audit dept wants to know)

 

Full scan would utilize all spam rules and do a deep scan on every aspect the CASE engine would be looking for.

Partial scan would just be a high level overview of something that may look suspicious (to put it in general terms).

The depth and scope of a full scan is much deeper compared to a partial surface type scan.

Complete details into the rule matching of the two instances cannot be shared, however, due to Cisco Proprietary Information.

Never mind, found the answer to my question.

Enrico Werner
Cisco Employee

Hi,

the configured "Always Scan" size of 128K should be increased. The size of Spam messages has increased over time and therefore we recommend 256K or even 512K. If your appliance is not consuming too much of system performance already then you can configure 512K. Otherwise first start with 256K and verify the impact. Messages smaller than the always scan size will be fully scanned, except in cases of "early exit."  If you keep 128K then messages larger than this will only run through a limited scan up to a size of 3 MB in your case. For more details, configuration checks and fine tuning I recommend reading this blog post.

Best regards,

Enrico

 

Wow Enrico, great blog post and a good find.  I increased my 128k to 512k with no ill effects.

I also noticed most of the spam in the last 24 hours came from a domain .club.  The spam is randomly about car warranties, installing windows from Lowes, cars under kelly blue book value, DIY projects, etc...  But the one common denominator is the .club in the sender address.  We do maintain a dictionary called blocked senders and in this I added some RegEx for .club just like I had to do for .us when we were spammed like crazy by them.  The regex that I used is [^@]+@[^@]+\.club+

So in the message tracking I went back further prior to me entering this rule and I can see the message size was 1.11 KB.  Here are some details:

Sending Host: field82.rubberhosting.org (verified) 162.251.160.14

Message 8554166 original subject on injection: Re: Clearance-Pricing has new Fords listed Below Kelly Blue Book.
Message 8554166 (1136 bytes) from fordappreciation@markbestcarsdeals.club ready.
Message 8554166 matched per-recipient policy DEFAULT for inbound mail policies.
Message 8554166 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
Message 8554166 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
Message 8554166 scanned by Anti-Spam engine: CASE. Final verdict: Negative
Message 8554166 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
Message 8554166 scanned by Anti-Virus engine. Final verdict: Negative
Message 8554166 scanned by Outbreak Filters. Verdict: Negative
Message 8554166 is not signed. No domain key profile matches fordappreciation@markbestcarsdeals.club.
Message 8554166 not signed. No DKIM profile matched fordappreciation@markbestcarsdeals.club.
Message 8554166 queued for delivery.

 

I did receive one of the spam messages and I do have the Outlook plugin installed.  I did click report as spam.  So my understanding is that this will send the sample in the proper RFC compliant format to Cisco?  If so I can get this plugin rolled out to more users so they can do the same thing.

I am hoping to upgrade to AsyncOS 8.5 which has URL filtering in it, so these spam e-mails that contain malicious links can at least (if they get by) have the links removed or made unclickable.  Our users are trained not to click on anything in an email they are not suspecting, and if they have any questions call IT first.  But the human is the weakest link in the chain, so the more security we can place up front, the better.
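The dictionary entry above, `[^@]+@[^@]+\.club+`, is worth testing before it goes into a blocked-senders dictionary: it is not anchored, and the trailing `+` applies only to the `b`, so it also matches addresses where `.club` is an inner label and addresses ending in `.clubb`. As an added example (mine, not from the thread or from Cisco), the Python below runs the posted expression and an anchored alternative against a constructed set of sender addresses and reports which ones each pattern gets wrong. It assumes Python `re.search` semantics; how the appliance's dictionary matcher applies a pattern to the envelope sender is not stated in the thread, so confirm the behaviour on the box before relying on either form.

```python
import re

# The expression posted in the thread (unanchored) and an anchored alternative.
# Assumption: Python re.search semantics; the appliance's matcher may differ.
THREAD_PATTERN = r"[^@]+@[^@]+\.club+"
ANCHORED_PATTERN = r"^[^@]+@[^@]+\.club$"

# Constructed sender addresses with the verdict a ".club sender" block is meant to give.
CASES = {
    "promo@cardeals.club": True,              # plain .club domain: block
    "promo@sub.cardeals.club": True,          # subdomain of a .club domain: block
    "alice@club.example.org": False,          # "club" is just a label, TLD is .org
    "bob@example.clubb": False,               # the thread pattern's b+ also accepts this
    "carol@example.club.example.org": False,  # .club in the middle, TLD is .org
    "dave@example.org": False,                # unrelated sender
}


def misclassified(pattern, cases=CASES):
    """Return the addresses whose match result differs from the intended verdict."""
    rx = re.compile(pattern)
    return sorted(addr for addr, want in cases.items() if bool(rx.search(addr)) != want)


if __name__ == "__main__":
    for name, pattern in (("thread", THREAD_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(f"{name:9s} {pattern!r}: wrong on {misclassified(pattern) or 'nothing'}")
```

The anchored form blocks exactly the senders whose domain ends in `.club` and nothing else; the same check applied to the earlier `.us` rule would show whether it also caught legitimate senders whose domain merely contained `.us` somewhere before the TLD. Feeding a dictionary candidate a list of real envelope senders pulled from message tracking, both known spam and known good, is the cheapest way to catch this class of false positive before users do.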

Hi,

it is correct that the plug-in submits the message in RFC compliant format. So rolling the plug-in out to users is a good idea as more people will use the plug-in and our systems get fed with missed Spam which helps us in improving catch rates even better. Submitting false negatives using the plug-in is the best way to get rid of this junk!  If there are Spam messages you submitted and you want to get feedback on those you need to contact TAC.  In future releases of AsyncOS you will have the possibility to manage Spam submissions, which at the moment is not possible.

Yes, version 8.5 will certainly add to the protection with URL filtering and Advanced Malware Protection (AMP)!

Just keep in mind that lowering the Spam thresholds too much may cause false positives. You have better control if you send Spam into the Spam quarantine instead of dropping. With a score of 90 dropping Spam is ok.

 

How do we get access to that blog post? I'm getting 'not authorized to view page'.
