
Interesting...another one.

Corey_ironport
Level 1

I've had 2 reports of this so far today. A message comes in to the recipient, and the sender appears the same. In other words, it looks like the recipient sent this to themselves. However, if you look at the headers, it is coming from the Internet (different servers). Brightmail is marking it as Suspected SPAM.
In the first report, the Subject is '455' and the message body is '5556'. In the second report, the Subject is '586876' and the message body is '969'. That's it. Just the numbers. Nothing funny in the header. It is in HTML format, but nothing funny in the source.


We're getting heaps. The Brightmail Plugin doesn't want to report them as spam (as the self-addressed envelope confuses it).

Corey_ironport
Level 1

At first, I just thought that it was some sort of broken/sterile virus, but the more I think about it, it appears to be some form of SPAM. I dunno. Maybe it's some chickenboner, trying to set up his bulk mail application. The two that were reported to me yesterday were from different servers. Either proxies or a bot net. One was located in Russia, and another in Greece.
Yeah, the good ol' Brightmail Plugin. Doing us a favor by not allowing us to report our own users. I guess you can report them the old fashioned way. I'm beginning to wonder, though, if anyone ever reads those reports.
https://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=119&p_li=cF91c2VyaWQ9MXJvblAwcnQmcF9wYXNzd2Q9Zm8wQmE1

Looks like a worldwide issue.

http://isc.incidents.org/

I'm seeing the same. 30 just since midnight from 30 different domains all around the world.

Any workaround for this?
We also got this type the last two days.

Erich_ironport
Level 1

Two solutions:

1) Contact customer support; they have a recommended filter.

2) filter/quarantine emails from the Internet which spoof your own domain.

Any best practice to use message filters that match from and to?
i.e:

if (mail-from == rcpt-to) {
then..
}

or

if (header('From') == header('To')) {
then..
}

TIA
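
The two checks discussed above (mail from the Internet that uses your own domain, and sender equal to recipient), as an added Python sketch that is not from any poster in this thread and is not IronPort message filter syntax. `LOCAL_DOMAINS`, `TRUSTED_RELAYS` and all addresses are assumed, constructed values.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this sketch; replace with your own domains and relays.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_RELAYS = [ipaddress.ip_network("10.0.0.0/8")]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def classify(client_ip, mail_from, rcpt_to, raw_message):
    """Return the reasons a message looks like an externally spoofed self-send."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_RELAYS):
        return []  # internal hosts may legitimately send as our domain
    msg = message_from_string(raw_message)
    hdr_from = parseaddr(msg.get("From", ""))[1].lower()
    hdr_to = parseaddr(msg.get("To", ""))[1].lower()
    env_from = mail_from.strip("<>").lower()  # "<>" is the null bounce sender
    env_to = rcpt_to.strip("<>").lower()
    reasons = []
    if domain_of(env_from) in LOCAL_DOMAINS:
        reasons.append("envelope-sender-uses-local-domain")
    if domain_of(hdr_from) in LOCAL_DOMAINS:
        reasons.append("header-from-uses-local-domain")
    if env_from and env_from == env_to:
        reasons.append("envelope-sender-equals-recipient")
    if hdr_from and hdr_from == hdr_to:
        reasons.append("header-from-equals-to")
    return reasons

# Constructed samples (addresses and IPs are documentation ranges).
SELF_SENT = "From: alice@example.com\nTo: alice@example.com\nSubject: 455\n\n5556\n"
NORMAL = "From: Bob <bob@example.net>\nTo: alice@example.com\nSubject: hi\n\nhello\n"
BOUNCE = "From: MAILER-DAEMON@example.net\nTo: alice@example.com\nSubject: DSN\n\nfailed\n"

if __name__ == "__main__":
    for ip, mfrom, rcpt, raw in [
        ("203.0.113.7", "alice@example.com", "alice@example.com", SELF_SENT),
        ("10.1.2.3", "alice@example.com", "alice@example.com", SELF_SENT),
        ("198.51.100.9", "bob@example.net", "alice@example.com", NORMAL),
        ("198.51.100.9", "<>", "alice@example.com", BOUNCE),
    ]:
        print(ip, mfrom, "->", classify(ip, mfrom, rcpt, raw) or "clean")
```

The trusted-relay check runs first so that users who really do mail themselves from inside the network are not flagged.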

shannon.hagan
Level 1

Our company has Feature request #837 opened on this with IronPort. If you think that it would be helpful for you as well, you could send a message to support and ask to be added to the feature request.

Moloch_ironport
Level 1

Here's the scoop on this wave of spam.

According to Symantec, it's a new Beagle variant which they named W32.Beagle.FC. More information can be found on the link below:

W32.Beagle.FC



Is Sophos already able to catch this? I don't get any of these anymore, so I disabled the filter.

Corey_ironport
Level 1

Since the virus doesn't forward an infected attachment with the email, I doubt that Sophos is blocking it. It's probably either Brightmail or it may just be that the virus isn't very wide-spread anymore.
