https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483245#M417417 <HTML><HEAD></HEAD><BODY><P>hi Patrick,</P><P></P><P>no, the white list shouldnt matter on the db look up.&nbsp; Can you resolve the IP to your site and then run the find command against the IP and let me know what it says.</P><P></P><P>regards,</P><P>scott</P></BODY></HTML> Thu, 26 Aug 2010 19:54:09 GMT Scott Nishimura 2010-08-26T19:54:09Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483237#M417401 <P>I have a customer that has the botnet filter installed, they were having issues sending email to one of their partners, because the botnet filter was classifying this site as very high Malware.&nbsp; I check senderbase and there reputation is good.&nbsp; How do you check a domain on the Cisco Security Intelligence Operations site.&nbsp; How do you report a miss classification of a domain.&nbsp; How do you go about getting removed from the list.</P><P></P><P>Thank You</P><P>Patrick Weir</P> Fri, 21 Feb 2020 12:03:57 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483237#M417401 Patrick Weir 2020-02-21T12:03:57Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483238#M417405 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: arial,helvetica,sans-serif;">Hi Patrick,</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;"><BR /></SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">you can check from within the ASA to see if its showing up in the DB or not. </SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;"><BR /></SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">You can use the following command:</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;"><BR /></SPAN></P><PRE><SPAN style="font-family: arial,helvetica,sans-serif;">dynamic-filter database find X<BR /><BR />X= the site name<BR /><BR />I would suggest doing both the host name and the IP.&nbsp; this can determine if its a grey entry or not. <BR />If you find an entry, its a blacklisted entry.&nbsp; Grey entries are basically that the name was not <BR />detected to have malicious sw but the ip that the name resolved to has a site that does.<BR /></SPAN></PRE><P><SPAN style="font-family: arial,helvetica,sans-serif;"><BR /></SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">Another check that can be done is:</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;"><BR /></SPAN></P><PRE><SPAN style="font-family: arial,helvetica,sans-serif;"><A href="http://www.siteadvisor.com/sites/X" target="_blank" title="http://www.siteadvisor.com/sites/X">http://www.siteadvisor.com/sites/X</A>&nbsp;&nbsp;&nbsp;&nbsp; x=url<BR /><BR />example:<BR /><BR /><A href="http://www.siteadvisor.com/sites/yahoo.com" target="_blank" title="http://www.siteadvisor.com/sites/yahoo.com">http://www.siteadvisor.com/sites/yahoo.com</A><BR /><BR />If it does show up in the database as flagged then the immediate solution is to add the site to the white list.&nbsp; The DB is maintained by ironport. <BR />hope this helps a bit. <BR /><BR />-scott</SPAN><BR /></PRE></BODY></HTML> Thu, 26 Aug 2010 18:06:32 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483238#M417405 Scott Nishimura 2010-08-26T18:06:32Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483239#M417407 <HTML><HEAD></HEAD><BODY><P>Hi Patrick,</P><P></P><P><SPAN>just to further clarify, the db that the botnet uses is not one db but multiple ones including senderbase along with other DBs avail like </SPAN><A class="jive-link-external-small" href="http://www.threatexpert.com/">http://www.threatexpert.com/</A><SPAN> and the one mentioned in my previous message.</SPAN></P><P></P><P>The correct way to get around false positives would be to put the entry into the white list.&nbsp; As for getting it removed, you would have to open up a tac case on that.&nbsp; There is a reason for it being on the list if it is getting listed as black or grey. </P><P></P><P>Let us know what its showing on the various sites as well as what the find command is showing on your ASA.</P><P></P><P>thanks,</P><P>scott</P></BODY></HTML> Thu, 26 Aug 2010 18:22:08 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483239#M417407 Scott Nishimura 2010-08-26T18:22:08Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483240#M417409 <HTML><HEAD></HEAD><BODY><P>Scott thanks for the answer we did white list it, and that resolved the problem.&nbsp; So when</P><P>a site gets listed in the blacklist is it per subnet, per domain, or per host.&nbsp; An example this is an email server that is being hosted by a 3rd party, if this same 3rd party is hosting a webserver (that is sending malware) belonging to a differant company but in the same address space, would the whole subnet get blacklisted or just the one webserver.</P><P></P><P>Thanks</P><P>Pat Weir</P></BODY></HTML> Thu, 26 Aug 2010 18:40:11 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483240#M417409 Patrick Weir 2010-08-26T18:40:11Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483241#M417410 <HTML><HEAD></HEAD><BODY><P>ran the site through siteadvisor and it came back good.</P></BODY></HTML> Thu, 26 Aug 2010 18:44:48 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483241#M417410 Patrick Weir 2010-08-26T18:44:48Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483242#M417411 <HTML><HEAD></HEAD><BODY><P>Hi Patrick,</P><P></P><P>Depending on the find command whether its showing black on the name or IP, it can determine if its a grey or black list.&nbsp;&nbsp; Its possible that the same IP if the web server is hosting multiple sites, can be classified as malware and affect all of them. </P><P></P><P>It wouldnt really block based on the subnet, but more of the name and the ip associated with it.</P><P></P><P>what did the find command show for your particular site?</P><P></P><P>-scott</P></BODY></HTML> Thu, 26 Aug 2010 19:02:50 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483242#M417411 Scott Nishimura 2010-08-26T19:02:50Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483243#M417414 <HTML><HEAD></HEAD><BODY><P>it's a customer of mine I need him to run it.&nbsp; I'll post what sends me</P></BODY></HTML> Thu, 26 Aug 2010 19:04:15 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483243#M417414 Patrick Weir 2010-08-26T19:04:15Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483244#M417416 <HTML><HEAD></HEAD><BODY><P class="MsoNormal"><SPAN style="color: navy; font-size: 10pt; font-family: Arial; ">ISC-ASA# dynamic-filter database find ironmail.<REMOVED>.com</REMOVED></SPAN></P><P class="MsoNormal"><SPAN style="color: navy; font-size: 10pt; font-family: Arial; ">Found 0 matches</SPAN></P><P class="MsoNormal"><SPAN style="color: navy; font-size: 10pt; font-family: Arial; ">ISC-ASA#</SPAN></P><P class="MsoNormal"><SPAN style="color: navy; font-size: 10pt; font-family: Arial; ">ISC-ASA#</SPAN></P><P class="MsoNormal"><SPAN style="color: navy; font-size: 10pt; font-family: Arial; ">ISC-ASA#</SPAN></P><P class="MsoNormal"></P><P class="MsoNormal"><SPAN style="color: navy; font-size: 10pt; font-family: Arial; ">is this because it's in the whitelist</SPAN></P></BODY></HTML> Thu, 26 Aug 2010 19:30:22 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483244#M417416 Patrick Weir 2010-08-26T19:30:22Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483245#M417417 <HTML><HEAD></HEAD><BODY><P>hi Patrick,</P><P></P><P>no, the white list shouldnt matter on the db look up.&nbsp; Can you resolve the IP to your site and then run the find command against the IP and let me know what it says.</P><P></P><P>regards,</P><P>scott</P></BODY></HTML> Thu, 26 Aug 2010 19:54:09 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483245#M417417 Scott Nishimura 2010-08-26T19:54:09Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483246#M417418 <HTML><HEAD></HEAD><BODY><P>Scott I will not be able to get this today, but from the gui report this morning it looks like it resolved it just</P><P>fine. </P><P>It had</P><P>ironmail.<REMOVED>.com (xx.xx.xx.xx) port 25 LOGGED 420 dropped 420 very high malware</REMOVED></P><P></P><P>Thanks again</P><P></P><P>Pat</P></BODY></HTML> Thu, 26 Aug 2010 20:43:32 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483246#M417418 Patrick Weir 2010-08-26T20:43:32Z https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483247#M417419 <HTML><HEAD></HEAD><BODY><P>Hi Patrick,</P><P></P><P>sounds good.. let me know the reporting based on the Ip with the find command.&nbsp; its looking like maybe its grey listed.</P><P></P><P>thanks,</P><P>scott</P></BODY></HTML> Thu, 26 Aug 2010 22:05:11 GMT https://community.cisco.com/t5/network-security/asa-botnet-blocking-email/m-p/1483247#M417419 Scott Nishimura 2010-08-26T22:05:11Z