Solved: Anyone receivig a lot more spam in the last few days?

Danny Vu · ‎02-19-2014

I've been getting 5-10 spam messages a day whereas a week ago I would only get a one or two every few days. Has there been an increase in spam from new botnets? My customers are also receving a lot more spam than normal. CASE has been updated to the latest and we continue to send the emails to spam@access.ironport.com but we continue to get them. If this is just due to more spam worldwide and the ESA can only catch so much then that's fine, but if anyone has any suggestions that can resolve this, it would be greatly appreciated.

Thanks,

Danny

Mathew Huynh · ‎02-27-2014

Hello Jeff ,
I'm sorry to hear you were having difficulties with opening a service request.
When using the IronPort portal, it is to my understanding that the email address you enter there should be one that is valid in your Cisco CCOID (this should be a Cisco ID you create and use to manager you contracts on the Contract portal)

If the email matches a valid CCOID, the system will do an auto check for contracts as well.

When this fails due to the email used in the portal not matching any CCOID with valid contract, it gets routed to our front-line agents who work on checking entitlement and getting your Cisco ID details.

Once all validated a case will be opened and it is crucial to ensure you remember Cisco ID, Serial number and linked contract for case opening

This is currently the way the system operates from my knowledge.

View solution in original post

jheadley · ‎02-20-2014

I have been seeing alot of obvious messages get through. Just this morning one with the subject containg

"Bosley hair restorartion" was accepted for some but dropped by case for others!

Enrico Werner · ‎02-20-2014

Hi,

if the amount of Spam you are receiving is abnormal high then I suggest opening a case with TAC and submit as many Spam samples as possible to spam@access.ironport.com. Or if possible download the plug-in and use that for submission.

Regards,

Enrico

jbalsman1 · ‎02-25-2014

We've been seeing a lot more spam over the past week or so and are having a hard time getting support to provide assistance. Use to require our serial number and now they ask for for some user ID or login ID to get assistance.

We don't have that, so we just get dropped by them.

I would recommend that when a customer opens a ticket via their portal on the Ironport appliance that the form sends information required. Shouldn't be this hard to get help.

Danny Vu · ‎02-25-2014

We opened a case and they said they had a bad case file that was causing the issue. They updated our engine and case file to resolve the issue, but it appears that it has not been resolved. We are still receiving a lot of spam we normally wouldn't so we re-opened the case with them.

Mathew Huynh · ‎02-27-2014

Hello Danny,

In regards to your spam issue, normally to diagnose why emails are passing the system when you open a case with us; if you could get the actual spam emails where all original headers are available, or to send them to spam@access.ironport.com as submissions where the automated system will review, but in instances where the emails are still passing.

Once the case is opened, provide us the date and time you sent said submissions and we'll escalate it.

A larger sample size is always best as well if you're able to provide.

It is also important to ensure that you also have the message tracking reflecting these emails ready for us to verify the mail flow to ensure it was not bypassing anything and such.

I hope this helps.

Matthew

Mathew Huynh · ‎02-27-2014

Hello Jeff ,
I'm sorry to hear you were having difficulties with opening a service request.
When using the IronPort portal, it is to my understanding that the email address you enter there should be one that is valid in your Cisco CCOID (this should be a Cisco ID you create and use to manager you contracts on the Contract portal)

If the email matches a valid CCOID, the system will do an auto check for contracts as well.

When this fails due to the email used in the portal not matching any CCOID with valid contract, it gets routed to our front-line agents who work on checking entitlement and getting your Cisco ID details.

Once all validated a case will be opened and it is crucial to ensure you remember Cisco ID, Serial number and linked contract for case opening

This is currently the way the system operates from my knowledge.

Bob Fayne · ‎03-05-2014

I would be interested to see what the incoming SBRS score was on some of those messages, assuming that you have it enabled. The symptoms that you describe with some messages passed and some dropped could be due to SBRS scores from different sending IPs.

SBRS has certainly been gamed in the past although it is normally a temporary issue. Once a sender manages to somehow get their SBRS score well into the plus range the act of abusing that usually gets caught in a day or so.

Danny Vu · ‎03-20-2014

Looks like spam is picking up again these last two days. Anyone see an increase in spam email getting in? The only reason I notice this is because i would normally receive 1 maybe 2 spam emails but when they hit 8 or more it seems like there might be an increase overall or an issue with the ESA.

jheadley · ‎03-21-2014

Yes, we are seeing the same issue. I opened a case yesterday (20 March 2014) and the suggestion was to manually force an update through the CLI using antispamupdate ironport force

The engineer said that our antispam engine was out of date (3 March 2014) so I did the update first thing this morning. Well after the update we still received spam related to heartburn which we have been seeing over the past few days.

I also asked why the engine was not updating automatically and here is the response:

"Depending on email volume it can be delayed on posting the correct date. Mail flow takes priority and these will always process ahead everything else.

So to be sure we are addressing the latest spam offenders, you should force the update to run as priority plus it will install a fresh copy of the entire engine."