Cisco Ironport C160 is letting in far too much spam after renewing service

chris.coxe

(If this is in the wrong community please place it in the correct one.)


I recently renewed my Cisco Ironport C160 for 3 years.  It has been blocking most spam successfully for the past couple of years we've had it.  With it in place we almost never ever got any spam.  So we figured that since it's been so reliable we might as well renew it for more years and get a bit of a discount.  Of course that's when the device decides to let 50+ spam messages a week through.  Now I don't know if Cisco is having that much trouble with spam getting past their Ironport recently but it seems highly suspect that it starts happening around the time we renew our service.  It makes me feel that perhaps this is a way to get customers to upgrade to a newer version of the Ironport.  We paid for a service and I do not believe we are getting it.  Albeit most spam is probably getting blocked but the amount that is getting past is unacceptable and I'm getting daily spam messages forwarded to me from employees.  If we have to upgrade to a new Ironport to get this issue taken care of then fine, this can happen as long as two things occur: 1) our 3 year contract is able to be used for the newer Ironport and 2) we get a discount on this newer Ironport.  Now, if instead I can receive some assistance in getting my Ironport C160 to work as intended and block spam like it used to then I am well and happy to keep it.  At the moment I am not happy with the service I am receiving from your product.  Perhaps I am not the only one experiencing this issue.  Perhaps I just have a bad configuration that has otherwise proven to work for the past couple years without fail.  I want a working Ironport blocking most if not all spam like it performed in the past.


chris.coxe

It's been a week and 60 views later I guess nobody else is experiencing any issues with their Cisco Ironport C160s?  I'm still getting a decent amount of spam and I'll share the almost 50 @spamdomains with you just to show how much crap is getting through.  Keep in mind that there are a bunch of user@spamdomains for each of these and they get through to multiple people's mailboxes.  So when I said 50+ spam messages are getting through I'm about on the dot.

Here's the list that I've added to the pitiful blocking policy that won't do jack because these spammers tend to only use a fake domain for mass spamming once before going on to the next fake domain:


Maybe by exposing a grain of sand in the desert that is spamming I could maybe get some assistance on my 3 year contracted Cisco Ironport C160.  That would be nice.  Anybody else having a bad time with their Ironport?

Yes, we've also recently started getting a lot higher than usual amount of spam through our C160s as well. It started getting bad a few weeks ago - prior to that everything was acceptable.

Glad to know I'm not the only one.  A few weeks ago is when ours started getting an unusual amount of spam too and prior to that pretty much no spam got through.  Thank you for replying, Andrew.

Feel free to dump your spam domains in here if you'd like.  Not sure if this is a good way of getting attention or not but it certainly bumps this thread up.  I may start posting daily, every few days, or weekly depending on the amount of new ones I find.


Here's today's spam domains:


What software version are you running on your C160? We found these two to be running an older version and plan on updating them this weekend.

I am running AsyncOS Version 8.5.6-092 for our C160 which should be the latest version.  I certainly am not seeing any available updates after that when I check using the web interface.

Here's our Ironport Anti-Spam Rule Updates under Security Policy:

Rule Updates

Rule Type                 Last Update               Current Version                   New Update
CASE Core Files           Wed Sep 24 14:36:00 2014  3.3.1-009                         Not Available
CASE Utilities            Wed Sep 24 14:36:00 2014  3.3.1-009                         Not Available
Structural Rules          Tue Nov 11 20:36:27 2014  3.3.1-009-20141111_003901         Not Available
Web Reputation DB         Tue Nov 11 04:21:33 2014  20141111_091710                   Not Available
Web Reputation DB Update  Thu Nov 13 13:06:55 2014  20141111_091710-20141113_180615   Not Available
Content Rules             Thu Nov 13 15:38:41 2014  20141113_203801                   Not Available
Content Rules Update      Thu Nov 13 15:38:41 2014  20141113_203801                   Not Available

I'm not sure how old the CASE Core Files and Utilities are supposed to be.  Those may only be updated every few weeks perhaps.  But if they are supposed to be updated more regularly they aren't being listed as a new available update so I have no idea.


Here's another spam domain dump:


The amount of spam has vastly increased over the past 2 years and has surpassed the fall of 2010 when some major botnets were taken down. Adding to this is the doubling of the percentage of spam that is using snowshoe methods and an increase in spam that uses very large file attachments to bypass scanning.

Snowshoe spam uses fresh IPs - often hijacked ranges using bad BGP route injections - and rapidly changing messages. These messages are never the same and the URLs are not reused. They are designed to thwart detection.

There are things you can do to help with the rising levels of spam and I have a new white paper out on Cisco.com that will help you understand how to tweak the appliance to further increase the catch rates. This will help you in the meantime while waiting on the next release of AsyncOS for Email which will directly address the snowshoe spam issue.

http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white-paper-c11-732910.html

Raymond
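Raymond's description above is also why the per-domain blocklist posted earlier in the thread cannot keep up: each throwaway domain is used about once. As an added illustration (my own code, not from the thread, Cisco or AsyncOS), the script below parses a constructed mail-log sample in a hypothetical "from=... ip=..." format, measures how often sender domains repeat from one day to the next, and scores a blocklist built from day 1 against day 2 traffic; DAY1_LOG, DAY2_LOG and the log format are assumptions, while the spam domains are taken from the lists posted in this thread.

```python
import re
from collections import Counter

# Constructed log sample in a hypothetical "from=<addr> ip=<addr>" format (not AsyncOS output).
# Spam domains come from the lists posted in this thread; IPs are RFC 5737 documentation addresses.
DAY1_LOG = """\
2014-11-13 09:01:02 from=offers@achieveyourdreambody.net ip=198.51.100.17
2014-11-13 09:03:11 from=info@alzcareselab.com ip=203.0.113.44
2014-11-13 09:04:50 from=news@bestprovhelper.com ip=198.51.100.201
"""
DAY2_LOG = """\
2014-11-14 08:01:02 from=offers@beanoblock.com ip=198.51.100.88
2014-11-14 08:03:11 from=info@childsafetyorganization.net ip=203.0.113.9
2014-11-14 08:04:50 from=news@energyandlifeboost.com ip=198.51.100.130
2014-11-14 08:06:03 from=deals@knowingtheyaresafe.com ip=192.0.2.9
2014-11-14 08:07:44 from=alerts@mendingyourspending.com ip=203.0.113.120
2014-11-14 08:10:09 from=bob@example.com ip=192.0.2.50
2014-11-14 08:15:31 from=alice@example.com ip=192.0.2.50
"""

LINE_RE = re.compile(r"from=\S+@(?P<domain>[\w.-]+)\s+ip=(?P<ip>[\d.]+)")

def parse_log(text):
    """Yield (sender_domain, sender_ip) for every line in the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("domain").lower(), m.group("ip")

def sender_domains(text):
    """Distinct sender domains in '@domain' form, like the lists posted in the thread."""
    return sorted({"@" + d for d, _ in parse_log(text)})

def snowshoe_profile(text):
    """How much sender reuse a day's traffic shows; snowshoe runs use each domain about once."""
    domains = Counter(d for d, _ in parse_log(text))
    single_use = sum(1 for n in domains.values() if n == 1)
    return {
        "messages": sum(domains.values()),
        "distinct_domains": len(domains),
        "single_use_domains": single_use,
        "single_use_share": single_use / len(domains) if domains else 0.0,
    }

def blocklist_hit_rate(blocklist, text):
    """Fraction of messages in `text` that a sender-domain blocklist would have stopped."""
    blocked = {d.lstrip("@").lower() for d in blocklist}
    seen = [d for d, _ in parse_log(text)]
    return sum(d in blocked for d in seen) / len(seen) if seen else 0.0
```

Running `blocklist_hit_rate(sender_domains(DAY1_LOG), DAY2_LOG)` gives 0.0 on the sample: the day-1 list catches all of day 1 and none of day 2, which is the pattern the thread's domain dumps show. A high `single_use_share` over real logs is the signal worth alerting on, rather than the individual domains.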

Raymond - the white paper link above doesn't seem to be working.  I am very interested in reading this as we too are experiencing a huge increase in our incoming spam.  Thank you.

I'm likewise very keen to see that paper, as the problems we are facing match Raymond's description. When logged on to the forum I get a Forbidden File or Application browser window from the link:

Forbidden File or Application

The file or application you are trying to access may require additional entitlement, or you are trying to access a file with an invalid name. Additional entitlement levels are granted based on a user's relationship with Cisco on a per-application basis.

If you feel you have reached this page in error, please try one of the following methods to locate your document:

  1. If you are manually entering the URL into your browser location bar, be sure to include the file name of the page you are trying to access (file names typically end in .htm, .html or .shtml).
  2. Use the Search feature located in the upper right section of this page.
  3. Return to the Cisco.com Home or select a primary site area from the top navigation bar.
  4. Consult with your Cisco Account Manager to confirm you have the appropriate entitlement to access this page.

If you would like to contact someone about this problem, please click the Contacts & Feedback link below.

It requires customer level access. Please make sure your CCO account is associated with your support contracts and that you login to Cisco.com before opening the link.

Raymond,

We've tried that... still doesn't work.

Look at the attached pic... I'm logged in, and can get to secured stuff (the old knowledgebase for example...), and it still returns "Forbidden File...."

Maybe you should just attach it here, while you chase down why we can't get to it.

Ken


Ken, I can't access the white paper either.

So Cisco, I have this 3 years of service for my Cisco IronPort C160 associated with this Cisco account yet I'm unable to view this white paper that assists with making it work better?  Why is that?  Do I need to buy some sort of general all-purpose Cisco Support contract in order to gain access to white papers or download things such as the Outlook plug-in that allows you to even report spam?  That seems like a pretty big oversight.  You'd think you'd want people to be able to help report spam to help benefit every IronPort user but that feature is locked behind some sort of pay wall.

Raymond, I'm glad to hear that there is a new version of AsyncOS to address the snowshoe spam issue.  Is there an ETA on when we can expect that update to arrive?  Thank you for the insight on what is causing this spam problem.

Not sure if I should continue to dump spam domains now that I know it's fairly futile but here I go:

Bumping this to say that a month later and the fake spam domain emails caused by snowshoe spam are still happening.  Any news on the new AsyncOS version that will address this issue?  I'd really like an Ironport C160 that blocks this junk again.  It was a nice thing to have.


More garbage domains:

Cisco, it has been 4 months and the snowshoe issue still persists.  There hasn't been a software update of any kind.  I am still getting tons of spam because of this!  My employers are annoyed!  I'm annoyed!  Please fix this problem or at least give us an ETA for when this will be fixed or a recommendation on a product you offer that actually blocks snowshoe spam.  If I don't see a reply to this soon I will make a new thread until I do get one.  This is ridiculous.


Here's 74 more garbage domains:

Hey Chris,


I've just reviewed this thread and also the most recent update to your on-going thread as well.


While my apology for this issue facing you may not deter the spam emails, I still feel like an apology is necessary with little updates on this thread and also the frustrations on-going on your side on the ESA systems and the spam capturing.

As per your concern with no update availability for the newer snowshoe spam emails that continue to pass the system:

As late as it may be; I just wanted to let you know that the development team has been working closely with our spam team to assist with an update for the catch rate of Snowshoe spam emails.


At this point a new anti-spam engine, CASE 3.4.1 is on the pipeline for enhanced scanning procedures and engine updates to assist with anti-snowshoe features.


While it's still on the pipeline, I will keep you posted with this update as soon as I receive further details that can be shared; at this point as a TAC engineer, this information is still being sorted out with our Dev and product teams on the CASE 3.4.1 deployment restrictions/plans.


EDIT: It seems the CASE engine 3.4.1 will not be available for Cisco X60 Hardware (i.e. C160, C360, C660 and X1060). It is currently rolled out in the X80 platform and virtual platforms.


X70's are currently still on review.

Regards,

Matthew