Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Replica Watches Spam

Hello:

There's a kind of spam that my Ironport boxes are not quite well detecting and they are about replica watches.

The subjects are always the same:

"Imitations of the Best"
"Replica Wathes"
"Copy, or Original?"

The senders of this spam are zombies from my network that are directing the mail to the server of the network which is an Ironport farm.

I'm receving every day many reports from AOL about this spam and it started about three or four months ago.

I've reported some samples to the Ironport spam account.

Does anyone of you have problems this this kind of spam?

Regards:

Salvador

12 REPLIES

Re: Replica Watches Spam

Nope, but if the spam is coming from inside of your network, it shouldnt been passing through ironports, should it?

New Member

Re: Replica Watches Spam

This is an ISP and our Ironport machines are working as outgoing mail server for our costumers. More than I wish of them are zombies and they are sending spam to their outgoing mail server which is my Ironport farm. And then, the Ironport delivers to the MX of the destination.

In general it's working fine, but it's getting hard for it the detection of this spam about replica watches.

New Member

Missed spam

Have you tried submitting it to spam@access.ironport.com? AOL does tend to be a problem since spam attacks that concentrate on AOL tend to be a bit slower to get picked up by spam engines.

AOL is good about sending spam reports to the sender but not to places where spam engines could pick it up.

New Member

Re: Replica Watches Spam

I've submitted lots of reports from AOL to spam@access.ironport.com

Re: Replica Watches Spam

Whats ur relay config? allow the entire range?

Why dont block these connections and set relay only for true mail servers? end user machines should not have permission to relay at your ironport farm...

New Member

Re: Replica Watches Spam

Hello:

I should do. They are my costumers and the may want to send messages using their outgoing mail server, which is an Ironport farm.

The Ironport must block the spam which our users try to send, without knowing, to Internet.

Of course sometimes there are missed spam, when a new kind arises that is not detected and then relayed to the final destination, AOL for instance. But with this spam about replica watches it's failing since two or three months ago.

New Member

AOL Feedback loop

At my last position the AOL issue got so bad that we had to build a system to automatically parse the feedback messages and grep out the IP address of the source.

Once a source got too many reports we automatically put them into a DNS list so that the Ironport could rate limit them to 0 messages per hour. Once we did that we added a 'nicer' SMTP response directing customers to a special phone number and website to help them get their system cleaned up.

We got a good number of calls at first, but not as many as expected. The nice thing was that it really settled the number of complaints right down to almost nothing.

It isn't that hard to do with a bit of perl code.

New Member

Re: Replica Watches Spam

A lot of people on this forum are not aware of the challenges that an ISP faces...don't let it get you down. :)


Hello:

I should do. They are my costumers and the may want to send messages using their outgoing mail server, which is an Ironport farm.

New Member

Re: Replica Watches Spam

I don't know how feasible this is for your situation, but requiring SMTP authentication in order to send mail through your IronPort farm would help. I haven't yet heard of a spam zombie that could authenticate. I don't work for an ISP, but I do work for a major university with tens of thousands of workstations on our internal network using my mail server as their SMTP relay. This is not too dissimilar from the situation faced by a small to middle-sized ISP. We started requiring SMTP authentication for all outgoing mail back in 2004 to prevent exactly the problem you're having now. From a technical perspective, it isn't too hard. The biggest problem was user education. It took us months, but it was worth it.

New Member

Re: Replica Watches Spam

 The biggest problem was user education. It took us months, but it was worth it.


Yes, if fact that's the problem, how to tell over 100.000 hopeless users to change the configuration of their SMTP client. They will start to call saying they can't send messages.

It's hard to do in an ISP.

New Member

Re: Replica Watches Spam

Yes, if fact that's the problem, how to tell over 100.000 hopeless users to change the configuration of their SMTP client.

Our situation wasn't much better than yours. We had to tell 50,000. We did it by sending mail to all of them, since by definition they all had mailboxes on our server. We sent several messages over the course of several months (I don't remember the exact schedule). We also created some web pages explaining how to make the necessary changes in all the common mail programs, in order to keep the e-mail messages small (big e-mail messages tend to overwhelm people). Nevertheless, we still got many calls to our help desk after the deadline passed, but we had made sure the help desk was ready for it.

Like I said, it was lots of work. But it was worth it. Spam zombies are not a problem on our network.

Re: Replica Watches Spam

Its possible to do. It will require a lot of work...

bots and zombies are a real threat and cause a lot of damage through the net, probably it'll worth.

158
Views
0
Helpful
12
Replies