Cisco Support Community
New Member

Interesting...another one.

I've had 2 reports of this so far today. A message comes in to the recipient, and the sender appears the same. In other words, it looks like the recipient sent this to themselves. However, if you look at the headers, it is coming from the Internet (different servers). Brightmail is marking it as Suspected SPAM.
In the first report, the Subject is '455' and the message body is '5556'. In the second report, the Subject is '586876' and the message body is '969'. That's it. Just the numbers. Nothing funny in the header. It is in HTML format, but nothing funny in the source.

10 REPLIES
New Member

Re: Interesting...another one.

We're getting heaps. The Brightmail Plugin doesn't want to report them as spam (as the self-addressed envelope confuses it).

New Member

Re: Interesting...another one.

At first, I just thought that it was some sort of broken/sterile virus, but the more I think about it, it appears to be some form of SPAM. I dunno. Maybe it's some chickenboner, trying to set up his bulk mail application. The two that were reported to me yesterday were from different servers. Either proxies or a bot net. One was located in Russia, and another in Greece.
Yeah, the good ol' Brightmail Plugin. Doing us a favor by not allowing us to report our own users. I guess you can report them the old fashioned way. I'm beginning to wonder, though, if anyone ever reads those reports.
https://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=119&p_li=cF91c2VyaWQ9MXJvblAwcnQmcF9wYXNzd2Q9Zm8wQmE1

New Member

Me too

Looks like a worldwide issue.

http://isc.incidents.org/

I'm seeing the same. 30 just since midnight from 30 different domains all around the world.

New Member

Re: Interesting...another one.

Any workaround for this?
We also got this type the last two days.

New Member

Re: Interesting...another one.

Two solutions:

1) Contact customer support; they have a recommended filter.

2) Filter/quarantine emails from the Internet which spoof your own domain.

New Member

Re: Interesting...another one.

Any best practice to use message filters that match from and to?
i.e.:

if (mail-from == rcpt-to) {
then..
}

or

if (header('From') == header('To')) {
then..
}

TIA
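An added example, not part of the original thread and not IronPort filter syntax: a Python sketch of the two checks discussed above, the From = To comparison and the "mail from the Internet that spoofs your own domain" rule, run over constructed sample messages. The function name, the `LOCAL_DOMAINS` set and the `example.com` / `partner.test` addresses are assumptions for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

LOCAL_DOMAINS = {"example.com"}  # assumption: domains this gateway accepts mail for

def _norm(addr):
    """Bare, lower-cased address; empty string if nothing parseable."""
    return parseaddr(addr)[1].strip().lower()

def _domain(addr):
    return addr.rpartition("@")[2]

def check_inbound(raw, mail_from, rcpt_to, from_internet=True):
    """Return the reasons to quarantine a message (empty list = deliver)."""
    if not from_internet:  # internal relays legitimately send as the local domain
        return []
    msg = message_from_string(raw)
    hdr_from = _norm(msg.get("From", ""))
    hdr_to = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    env_from = _norm(mail_from)
    env_rcpts = {_norm(r) for r in rcpt_to}

    reasons = []
    if env_from and env_from in env_rcpts:
        reasons.append("envelope mail-from equals rcpt-to")
    # On its own this also matches outside senders who mail themselves and Bcc you.
    if hdr_from and hdr_from in hdr_to:
        reasons.append("header From equals header To")
    if _domain(env_from) in LOCAL_DOMAINS or _domain(hdr_from) in LOCAL_DOMAINS:
        reasons.append("local domain used as sender from the Internet")
    return reasons

# Constructed samples modelled on the reports in this thread.
SPOOF = ("From: alice@example.com\nTo: alice@example.com\nSubject: 455\n"
         "Content-Type: text/html\n\n5556\n")
LEGIT = "From: bob@partner.test\nTo: alice@example.com\nSubject: Invoice\n\nHello\n"
BCC = "From: carol@partner.test\nTo: carol@partner.test\nSubject: Notes\n\nFYI\n"

if __name__ == "__main__":
    me = "alice@example.com"
    print(check_inbound(SPOOF, me, [me]))
    print(check_inbound(LEGIT, "bob@partner.test", [me]))
    print(check_inbound(BCC, "carol@partner.test", [me]))
```

The Bcc sample trips only the header From = To rule, so that rule is safer combined with the local-domain check than used alone.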

New Member

From=To

Our company has Feature request #837 opened on this with IronPort. If you think that it would be helpful for you as well, you could send a message to support and ask to be added to the feature request.

New Member

Re: Interesting...another one.

Here's the scoop on this wave of spam.

According to Symantec, it's a new Beagle variant which they named W32.Beagle.FC. More information can be found on the link below:

W32.Beagle.FC

New Member

Re: Interesting...another one.

According to Symantec, it's a new Beagle variant which


Is Sophos already able to catch this? I don't get any of this kind anymore, so I disabled the filter.

New Member

Re: Interesting...another one.

Since the virus doesn't forward an infected attachment with the email, I doubt that Sophos is blocking it. It's probably either Brightmail or it may just be that the virus isn't very wide-spread anymore.
