cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4620
Views
0
Helpful
13
Replies

Blocking Spam Issues

nickswitzer
Level 1
Level 1

When I add a content filter for a spam URL that's in a hyperlink, I am still receiving spam that passes through the IronPort.  Is there a limit on how short the url can be?  Am I entering it wrong?  Is there a guide of some sort that will help me with random questions like this?

Thanks,

13 Replies 13

Rehan Latif
Cisco Employee
Cisco Employee

Hi Nick,

There is no limit on theURL length at all. However, the functionality of the filter depends on how you define the string to match. If you can provide currenlty configured filter along with one of the URLs from spam message, we would be in better position to provide you possible solution.

Latest version of AsyncOS has a feature that can re-write URLs to redirect users through Cisco Cloud Web Security. This will help you combat the spam with URLs in it that get through to the end users.'

Regards,

Rehan Latif

Rehan,

I appreciate the reply.  I am adding the url as http://clck.ru in the Condition as "Message Body or Attachment".  I've also added just "clck.ru".  After enabling this rule, I've still received spam with the underlying url as one from this domain (i.e. http://clck.ru/nkjd93/) .  I've also tried to block phrases in the "Message Body or Attachment" such as "most nice drugs", but they also seemed to have slipped through.  Another example is trying to block anything from bbb.org, which is also not working.  I added those as the Envelope sender being *@*bbb.org and bbb.org, along with several other variations.  Is there something I am missing?

Sincerely,

Nick Switzer

Hi Nick,

Have you check reverse DNS host name and IP. This could be different to envelope sender. Not sure how the blacklist works, but is worth trying. I had a similar issue with whitelisting. It was not working correctly without whitelisting the source IP rather than envelope sender domain name. This can be check in message tracking>SHow Details "Sending Host Summary" section.

This is my first post on this forum so please correct me if I am wrong.

Regards

Mariusz

Well here's the thing,  When I go to Mail Policies on the Web Interface (C160) and click Incoming Content Filters, I add a filter.  The envelope sender is just one of several issues.  I've blocked by specificying the IP address.  But I've also tried to block via URLs in the hyperlinks, phrases of words, and by domain.  We keep receiving spam even with the filters in place.  I have 42 filters with multiple rules per filter (they are organized by who or what the spam is about, i.e. Paypal or Amazon).  Blocking specific words is still allowing some spam to go through.  I've blocked the words viagra and cialis, yet still receive spam. 

I am not sure if I am not formatting the filters correctly, have something setup incorrectly on the ironport itself, or what.  We have noticed some spam reduction, so apparently it is working to some degree.  But I can't figure out why some still slips through.

Knuto0815
Level 1
Level 1

Hi Nick.

I would prefer message filters over content filters in this case. You won't waste ressources on spam and virus recognition on messages you just want to get rid of.

I would try something like that:

if (recv-listener == "IncomingMail") AND (dictionary-match("spam_phrases") { drop (); }

Therefore you should also define a dictionary that contains the phrases that identify the unwanted mails. Of course you should modify the name of the listener to your needs.

The filter itself drops mails that are received on the listener "IncomingMail" and are matching in their body against the dictionary "spam_phrases". If you want to match against headers, attachments, subjects, etc there are other dictionary match commands as well.

Best regards

Mirko

Mirko,

Thanks for the help.  I wrote a dictionary and added a few words to it.  I was wondering if I should create a list of IPs and just add to the list each time so they can be dropped.  Wondering if I need to add this as a filter or what?  I was using the GUI before, hence all of the content filters, but know that the CLI is probably much more powerful and will be quicker once I get it setup correctly. 

I think I need to create a list for IPs, Envelope Sender, and anything else you can think of.  Since I already have a dictionary for spam words, do I just add the underlying URLs in hyperlinks in this same dictionary? 

Also, I noticed ^postmaster@$ was an example in the 6.5 AsyncOS and was wondering what the difference was between ^ and $. 

Sorry for all of the questions, as I am not sure of syntax and the best way to setup our ironport.  I want to try and do this the correct way.

We also have another ironport incase the second one goes down (it does not handle anything, but I'm supposed to keep the records up to date like I do on the first).  Is there a way to push, or would I just export any dictionary and filter, and import them?

I have the ESA_6.5.0_GA_CLI_Reference_Guide.pdf but was wondering if there were any books or anything you or someone else might recommend I get in order to help me with these questions.

Thanks for all of your help.

-Nick

Nick,

Are the IP's where the mail is coming from? or in the text of the email... if they're where the mail is coming from, put them on the Blacklist... that way your box just doesn't talk to them...

As far as books, first off, I'd get up to date, 7.6.1 is currently shipping, lots of advances in the software... so get the current software, and the current docs.

http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_AdvancedGuide.pdf

http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_Configuration_Guide.pdf

http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_Daily_Management_Guide.pdf

If you can't get to 7.6, get these:

http://www.cisco.com/en/US/docs/security/esa/esa6.5/user_guide/ESA_6.5.3_GA_Basic_User_Guide.pdf

http://www.cisco.com/en/US/docs/security/esa/esa6.5/adv_user_guide/ESA_6.5.3_GA_Advanced_User_Guide.pdf

Also, the regex engine is from Python, so a Python book with a GOOD regex section would be useful, but you could use this to start:  http://docs.python.org/howto/regex.html

^postmaster@$ is a regex

^ matches the start of a line (or string)

$ matches the end of a line (or string)

So this one means the whole string must be    postmaster@   

nothing before, nothing after.

There's no way to push the dictionairies, just move them from one box to the other.. you can FTP to the box and get the file and ftp them up to the backup... though you might want to think about getting them both into the mailflow... so that if one DOES go down, mail keeps flowing without intervention...

Ken

Thank Ken.  I wasn't sure if the ^ was in reference to beginning or if it was a wildcard that matched something else.  I appreciate that.  I am upgrading to 7.6 on the "backup" ironport.  So once that is done, and no problems, I will go through the upgrade on the "live" ironport.

I will be going through the docs you sent, which is greatly appreciated.

As for configuring the both for the mailflow, I'd like to do that, but obviously am not sure how.  I may do some more research after I configure the first a little better.  Hopefully them being at two different physical locations (same network) doesn't matter.

If you have any other advice, I'm all ears.

I appreciate all of the help from everyone

Thanks again.

-Nick

So a few questions:

How do you handle spam quarantines?  Are your users allow to go in and look at it/release mail if its caught?

Do you have an M-series Ironport box?

What email system are you using?

Ken

Ken,

We currently use content filters to block spam.  Nothing quarantined.  We have a C160 ironport and our email system is Exchange 2007.

Ok so step 1, get everything up to date...

Figure out if you have the "Centralized Managment" license.  This can allow you to "cluster" the boxes so that they get the same config, except for the network stuff... If you don't, that's ok, but you'll have to sync the config via some other method... (ftp, by hand in the GUI, etc...)  This is covered in the Advanced Config document.

Once both are configed, expose the other one to the internet just like you have for the prod one...Then go to your external DNS, and have a second MX record put in, pointed at your "backup" box.  You can have the preference set to a higher number so that it isn't the mailer of first choice (most spammers don't honor this...)

If you send your outbound through the Ironports, you'll want to point the Exchance connector at the new box as well...

If you're doing Spam Quarantine, things get more complicated because you end up with a quarantine on each box, and the users will have to look in each one to see if anything should be released...

Post to the forum as you move foward and we can get more specific answers as you need them.

Ken

Hi Nick,

> We currently use content filters to block spam.

Does that mean you are not using IPAS (IronPort Anti Spam) or IMS (Intelligent Multi-scan)?  If not, I would recommend consider using one of them. Content filter is only trying to match provided strings.

On the other hand, IPAS/IMS can mark  a message as Spam/Suspected Spam by looking at quite a few characteristics. Both of them are signature based and Cisco has dedicated team responsible to update signatures regularly.

Regards,

Rehan

Thanks Ken, I deifnitely will.

Rehan,

We are using IronPort Anti Spam.  We just updated, so hopefully many of the issues I was having as far as spam.