Cisco Support Community

New Member

OKS/OKSANA/OKSANKA/OKSI SPAM

Hi,


On the 13th of this month there was again widespread OKS/OKSANA/OKSANSKA/OKI SPAM on Croatian companies, mostly coming from Croatia, Poland and Romania.

There is no chance to fight against spam like that because the sources are different and legitimate,

and there is no attachment with a virus (some come with a .jpg and some without any attachment).


But does anybody know what BOT network is doing this SPAM and why, because it's not some typical phishing - maybe only mapping active email addresses?

To me it looks like users' machines are compromised with some type of malicious code that is spreading SMTP usernames/passwords from email clients over that BOT network, and then they start to SPAM. I don't have any workstation that is compromised or sending this type of e-mail on which I could do some malware analysis :( but does anybody know some more info?


Example of SPAM:

From:     Oksi <zbigniew.sobisz@polmor.pl>
Envelope Recipient:     firstname.lastname@company.hr
To:     "firstname.lastname@company.hr" <firstname.lastname@company.hr>
Subject:     [SPAM] Oksana
Date:     13 Jul 2014 16:33 (GMT +02:00)


Received: from mx2.company.hr ([10.79.2.25]) by mta.internal.local with ESMTP; 13 Jul 2014 16:33:54 +0200
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Arn7ALqXwlPUVWQtdGdsb2JhbAARSIQHE407nmsJAQEGiFIBgXyKTIE8hhICgSEPAQwVCDyED4EXFQEBCx4VARcXFw0GAgEBiCoBAQEVAYktllSHHI8GiH8Bh1gXGIVjhyOBSxEBhRoBBJEtgQKBRQGHGTmEA4JUgRaPV4Fb
X-IPAS-Result: Arn7ALqXwlPUVWQtdGdsb2JhbAARSIQHE407nmsJAQEGiFIBgXyKTIE8hhICgSEPAQwVCDyED4EXFQEBCx4VARcXFw0GAgEBiCoBAQEVAYktllSHHI8GiH8Bh1gXGIVjhyOBSxEBhRoBBJEtgQKBRQGHGTmEA4JUgRaPV4Fb
Subject: [SPAM] Oksana
X-IronPort-AV: E=Sophos;i="5.01,653,1400018400"; d="jpg'145?scan'145,208,145";a="2513097"
Received: from v001061.home.net.pl ([212.85.100.45]) by mx2.carina.hr with SMTP; 13 Jul 2014 16:34:15 +0200
Return-Path: <zbigniew.sobisz@polmor.pl>
Received: from 78.96.174.132 [78.96.174.132] (HELO kgzgb) by polmor.home.pl [212.85.100.45] with SMTP (IdeaSmtpServer v0.80) id 69ef4eafcdca2bbe; Sun, 13 Jul 2014 16:34:14 +0200
Message-ID: <201407131034.00013.zbigniew.sobisz@polmor.pl>
Date: Sun, 13 Jul 2014 10:34:14 -0400
From: Oksi <zbigniew.sobisz@polmor.pl>
Reply-To: Oksi <Oksana-za@gmx.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.20) Gecko/20100724 Thunderbird/2.0.0.19
To: "firstname.lastname@company.hr" <firstname.lastname@company.hr>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="-4537164180-020582809-5818977545=:76819"

How are you doing? My name is Oksana! I want a boyfriend. I love travelling and painting. Send me email on Oksana_zaehorr@gmx.com Bye, Oksana!

[attachment: "28bns.jpg"]
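The headers quoted above already carry the signals an anti-spam engine weighs against a message like this: the Received chain bottoms out at a bare client IP presenting a one-word HELO to a third-party relay, Reply-To points at a different domain than From, and the body asks for replies to yet another address. The following Python triage script is an added example for this thread, not Cisco/IronPort code and not something posted by either participant. It parses the header block as quoted (abridged; the poster's company.hr placeholder is kept), walks the Received chain back to the originating hop, and lists those inconsistencies. The function names and the heuristics chosen are my own.

```python
"""Header triage for the message quoted in this thread.

Added example, not Cisco/IronPort code.  It walks the Received chain back to
the originating client and lists the sender/reply-address inconsistencies the
message carries.  RAW_HEADERS is the posted header block (abridged; the
poster's company.hr placeholder is kept) and BODY is the posted body line."""
import email
import email.utils
import ipaddress
import re

RAW_HEADERS = """\
Received: from mx2.company.hr ([10.79.2.25]) by mta.internal.local with ESMTP; 13 Jul 2014 16:33:54 +0200
X-IronPort-Anti-Spam-Filtered: true
Subject: [SPAM] Oksana
Received: from v001061.home.net.pl ([212.85.100.45]) by mx2.carina.hr with SMTP; 13 Jul 2014 16:34:15 +0200
Return-Path: <zbigniew.sobisz@polmor.pl>
Received: from 78.96.174.132 [78.96.174.132] (HELO kgzgb) by polmor.home.pl [212.85.100.45] with SMTP (IdeaSmtpServer v0.80) id 69ef4eafcdca2bbe; Sun, 13 Jul 2014 16:34:14 +0200
Message-ID: <201407131034.00013.zbigniew.sobisz@polmor.pl>
Date: Sun, 13 Jul 2014 10:34:14 -0400
From: Oksi <zbigniew.sobisz@polmor.pl>
Reply-To: Oksi <Oksana-za@gmx.com>
To: "firstname.lastname@company.hr" <firstname.lastname@company.hr>
MIME-Version: 1.0
"""
BODY = ("How are you doing? My name is Oksana! I want a boyfriend. I love "
        "travelling and painting. Send me email on Oksana_zaehorr@gmx.com Bye, Oksana!")

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_received(value: str) -> dict:
    """Split one Received header into from-host, from-IP, HELO and receiving MTA.
    Handles both layouts seen above: 'host ([ip])' and 'ip [ip] (HELO name)'."""
    value = " ".join(value.split())  # collapse folded whitespace
    from_part, _, rest = value.partition(" by ")
    host = re.match(r"from\s+(\S+)", from_part)
    ip = IPV4.search(from_part)
    helo = re.search(r"\(HELO\s+([^)\s]+)\)", from_part, re.IGNORECASE)
    by = re.match(r"(\S+)", rest)
    return {
        "from_host": host.group(1) if host else None,
        "from_ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": by.group(1) if by else None,
    }


def originating_hop(msg) -> dict:
    """Each MTA prepends its Received header, so the last one is the earliest hop.
    Return the earliest hop whose client IP is publicly routable; RFC 1918 hops
    (the 10.79.2.25 internal relay above) are skipped."""
    for value in reversed(msg.get_all("Received", [])):
        hop = parse_received(value)
        if hop["from_ip"] and ipaddress.ip_address(hop["from_ip"]).is_global:
            return hop
    return {}


def domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw_headers: str, body: str) -> dict:
    """Collect the weak signals this message carries.  None is conclusive on its
    own; a scoring engine such as IPAS combines them with reputation data."""
    msg = email.message_from_string(raw_headers)
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    _, reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))
    origin = originating_hop(msg)
    findings = []
    if reply_to and domain(reply_to) != domain(from_addr):
        findings.append(f"Reply-To domain {domain(reply_to)} differs from From domain {domain(from_addr)}")
    if origin.get("helo") and "." not in origin["helo"]:
        findings.append(f"originating HELO {origin['helo']!r} is not a fully qualified host name")
    if origin and origin["from_host"] == origin["from_ip"]:
        findings.append(f"originating client {origin['from_ip']} had no reverse-DNS name at {origin['by']}")
    known = {from_addr.lower(), reply_to.lower()}
    for addr in ADDR.findall(body):
        if addr.lower() not in known:  # body steers replies to a third address
            findings.append(f"body asks for replies to {addr}, matching neither From nor Reply-To")
    return {"from": from_addr, "reply_to": reply_to, "origin": origin, "findings": findings}


if __name__ == "__main__":
    report = triage(RAW_HEADERS, BODY)
    print("originating hop:", report["origin"])
    for finding in report["findings"]:
        print("-", finding)
```

Run against the posted headers it reports the originating hop as 78.96.174.132 submitting to polmor.home.pl with HELO kgzgb and lists four findings. Note that the originating hop is the client that authenticated or relayed through polmor.home.pl, which is the hop worth asking that provider about; the public relays above it are the legitimate infrastructure the poster describes.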

Accepted Solution
Cisco Employee

In review of the information provided, with the IPAS result and associated scoring, I can advise that this is being tagged as positive spam.  Reviewing submitted spam to our operations reporting (spam@access.ironport.com), I do see other reports of these mails as well.

More than likely, when this first started, you were receiving the undetected first wave.

For the best support on issues like this, submitting samples directly to us will effectively help combat what you receive and shorten the time it takes us to turn it around and get it updated into the active IPAS rule sets.

How do you report Content Security Anti-Spam false positives or missed spam?

I hope this helps!

-Robert


(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

2 REPLIES

New Member

I'll put it as Answered, but the initial question was: does anyone know what BOTNET network creates that spam attack, because it uses legitimate SMTP gateways and so on.

I was satisfied with how Ironport intelligence dealt with that SPAM during the SPAM attack; you cannot fight against it. Legitimate emails, no URL that is malicious, no attachment with a zip that contains a malicious PDF or EXE and so on...

I don't report SPAM to spam@access.ironport.com because I don't want to install the Ironport SPAM Outlook plugin on client PCs, and I don't bother calling customers to provide me with the original email with headers, not only a forwarded mail and so on. I want an option to report SPAM where I forward the customer's mail and provide you with the message tracing log where you can see the headers.
