E-mail throttling or alert on high volume of e-mail from individual address?

Jason Meyer
Level 1

In the past few months we have seen a huge increase in the number of Google Documents phishing attempts that are getting through our IronPort appliances. With 20k users we cannot stop all of them from giving out their credentials. So after that occurs, a BOT logs into their account and starts submitting e-mails with thousands of recipients sent outbound through our IronPort appliances.

We need a way to stop this.

Is there anything with IronPort that I can set up against an e-mail address all of a sudden sending thousands of e-mails a minute, whereas their normal volume is in the tens a day? I would think that the appliance could keep track of volumes from individual addresses and set a profile for each address; then, if the volume goes above that volume, an e-mail/report is sent to an admin indicating high volume. We could even tune these alerts to say 10% over normal volume, 50% over normal volume, etc.

I'm told that competitors' products can do this very easily, but I haven't found a way with IronPort to do it. The closest thing I've found is throttling by IP address; well, we have 20K users that send through five IP addresses and it varies quite a bit, so catching an individual account that all of a sudden sends 30k e-mails is pretty difficult.

Any thoughts or options?
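The per-address "profile" idea in the question (learn each sender's normal daily volume, then alert at 10%, 50%, etc. over that baseline) can be sketched as a small detection script. This is an added example written for this thread, not IronPort/ESA code and not something the appliance itself does; it runs over constructed per-sender daily recipient counts (the kind of figures you could derive from mail logs) and the sender names, day numbers and alert tiers are all made up.

```python
"""Per-envelope-sender volume baseline with percentage-over-normal alerts.

Added example for this thread; assumes you have already aggregated daily
recipient counts per sender from your mail logs. Nothing here is ESA code.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample data: (envelope sender, day number, recipients that day).
# Day 5 is the day under evaluation; days 1-4 form the baseline.
DAILY_VOLUME = [
    ("alice@example.com", 1, 12), ("alice@example.com", 2, 9),
    ("alice@example.com", 3, 15), ("alice@example.com", 4, 11),
    ("alice@example.com", 5, 30000),   # compromised account bursting outbound
    ("bob@example.com", 1, 40), ("bob@example.com", 2, 38),
    ("bob@example.com", 3, 45), ("bob@example.com", 4, 42),
    ("bob@example.com", 5, 50),        # mild, probably legitimate, uptick
]

# Alert tiers as fraction over baseline, lowest first; the highest tier
# whose threshold is met wins. Tier names are hypothetical.
ALERT_TIERS = [(0.10, "notice"), (0.50, "warning"), (10.0, "critical")]


def build_baselines(rows, baseline_days):
    """Return {sender: mean daily recipients} over the given baseline days."""
    per_sender = defaultdict(list)
    for sender, day, count in rows:
        if day in baseline_days:
            per_sender[sender].append(count)
    return {sender: mean(counts) for sender, counts in per_sender.items()}


def classify(today, baseline):
    """Return the alert tier name for today's count, or None if within normal."""
    if baseline <= 0:
        # No history for this sender: nothing to compare against. A real
        # deployment would want a separate "new sender" rule here.
        return None
    ratio = (today - baseline) / baseline
    tier = None
    for threshold, name in ALERT_TIERS:
        if ratio >= threshold:
            tier = name
    return tier


def evaluate_day(rows, day, baseline_days):
    """Return {sender: (tier, today_count, baseline)} for senders that alert."""
    baselines = build_baselines(rows, baseline_days)
    alerts = {}
    for sender, d, count in rows:
        if d != day:
            continue
        tier = classify(count, baselines.get(sender, 0))
        if tier is not None:
            alerts[sender] = (tier, count, baselines[sender])
    return alerts


if __name__ == "__main__":
    for sender, (tier, today, base) in evaluate_day(DAILY_VOLUME, 5, {1, 2, 3, 4}).items():
        print(f"{tier.upper():8} {sender}: {today} recipients today vs baseline {base:.1f}/day")
```

Run against the constructed data, alice's 30000 recipients trip the "critical" tier while bob's 50 against a baseline of 41.25 only reaches "notice" (about 21% over). The design point is that a percentage-over-baseline rule catches the compromised low-volume account without tripping on a sender whose normal volume is already high; a flat per-sender limit like the ESA feature discussed below is simpler to deploy but needs exceptions for legitimate bulk senders.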

10 Replies

jheadley
Level 1

Jason,

There are some settings for Rate Limit for Envelope Senders located under Mail Policies\HAT\Mail Flow Policies. I have never used this, but it allows you to limit the number of recipients per time interval. You can also add exceptions by creating an Address List for those who would need to send more than the limit.

Jamie

What Jamie said...

I assume you're basically letting Gmail relay through you on one of your listeners?

Go to Mail Policies/HAT

Select the Listener that this mail comes from

Create a new Sender group and put the systems that they're sending through in that group.

Create a new MailFlow policy, and under Mail Flow Limits, look for "Rate Limit for Envelope Senders"

From the help:

Rate Limit for Sender

Max. Recipients per Time Interval

The maximum number of recipients during a specified time period that this listener will receive from a unique envelope sender, based on the mail-from address. The number of recipients is tracked globally. Each listener tracks its own rate limiting threshold; however, because all listeners validate against a single counter, it is more likely that the rate limit will be exceeded if messages from the same mail-from address are received by multiple listeners.

Select whether to use the default maximum recipients, accept unlimited recipients, or specify another maximum number of recipients.

Use the Default Mail Flow Policy settings to specify the maximum number of recipients and the time interval that will be used by the other mail flow policies by default. The time interval can only be specified using the Default Mail Flow Policy.

Sender Rate Limit Exceeded Error Code

The SMTP code returned when an envelope exceeds the maximum number of recipients for the time interval defined for this listener.

Sender Rate Limit Exceeded Error Text

The SMTP banner text returned when an envelope sender exceeds the maximum number of recipients for the time interval defined for this listener.

Exceptions

If you want certain envelope senders to be exempt from the defined rate limit, select an address list that contains the envelope senders. See Address Lists for more information.

One additional note here, the Rate Limit by Envelope Sender is a feature that was introduced with AsyncOS 7.6, so it does not exist in previous versions.

Regards,

Andreas

So with a 452 error code being a soft failure, the sending internal server will just queue up the e-mail for as long as it is configured to do so and keep trying to send the e-mail until IronPort says OK, the rate limit is no longer in effect, and begins accepting the e-mail; or, if too much time goes by, the internal server will expire the message and bounce it back to the sender... Correct?

The e-mails are not being sent via a GMAIL account; they are being sent via an internally compromised account.

What would really help is if the IronPort spam filtering would pick up the phishing (using google docs) e-mails that are getting through the incoming filters.

Thanks for the input, really appreciate it.

Jason,

That is correct indeed; 452 is basically your friendly hotline bot stating "All lines are busy right now, please try again later" ;-)

Regards,

Andreas
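To make the "Rate Limit for Envelope Senders" behaviour from the help text above and the 452 soft-fail exchange concrete, here is an added example that models it: a sliding-window recipient counter keyed on the MAIL FROM address, an exception address list, a configurable temporary-failure code and text, and an alert hook of the kind Administrative Alerts would provide. This is illustrative code written for this thread, not the ESA's implementation, and the exact accounting (for instance, whether a rejected envelope's recipients count toward the window, and alerting once per sender) is an assumption. The timeline of envelopes is constructed.

```python
"""Sliding-window "max recipients per time interval" per envelope sender.

Added example for this thread modelling the ESA feature discussed above;
not Cisco code. Counting and alerting rules are assumptions.
"""
from collections import defaultdict, deque


class SenderRateLimiter:
    def __init__(self, max_recipients, interval_seconds, exceptions=(),
                 error_code=452, error_text="4.7.1 Too many recipients received this hour",
                 on_alert=None):
        self.max_recipients = max_recipients
        self.interval = interval_seconds
        self.exceptions = {addr.lower() for addr in exceptions}   # the "Address List"
        self.error_code = error_code
        self.error_text = error_text
        self.on_alert = on_alert            # called the first time a sender hits the limit
        self._events = defaultdict(deque)   # sender -> (timestamp, recipient_count) in window
        self._alerted = set()

    def _prune(self, sender, now):
        """Drop envelopes older than the interval so the window slides."""
        window = self._events[sender]
        while window and now - window[0][0] >= self.interval:
            window.popleft()

    def _current(self, sender):
        return sum(count for _, count in self._events[sender])

    def check(self, mail_from, recipient_count, now):
        """Decide on an envelope with recipient_count RCPT TOs at time `now`.

        Returns (smtp_code, text): 250 to accept, or the configured
        temporary-failure code so the sending MTA queues and retries.
        """
        sender = mail_from.lower()
        if sender in self.exceptions:
            return 250, "OK (exempt envelope sender)"
        self._prune(sender, now)
        if self._current(sender) + recipient_count > self.max_recipients:
            if self.on_alert and sender not in self._alerted:
                self._alerted.add(sender)
                self.on_alert(sender, self._current(sender), self.max_recipients)
            # Assumption: a deferred envelope does not consume quota.
            return self.error_code, self.error_text
        self._events[sender].append((now, recipient_count))
        return 250, "OK"


def simulate():
    """Replay a constructed timeline; returns (codes per envelope, senders alerted)."""
    alerts = []
    limiter = SenderRateLimiter(
        max_recipients=100, interval_seconds=3600,
        exceptions=["newsletter@example.com"],
        on_alert=lambda sender, cur, limit: alerts.append(sender),
    )
    # (seconds, envelope sender, recipients). Constructed, not real traffic.
    timeline = [
        (0,    "victim@example.com",     60),    # first burst, under the limit
        (10,   "victim@example.com",     60),    # 60 + 60 > 100 -> 452, alert fires
        (20,   "newsletter@example.com", 5000),  # on the exception list -> accepted
        (30,   "legit@example.com",      3),     # normal user, unaffected
        (1800, "victim@example.com",     60),    # MTA retries inside the window -> 452 again
        (3700, "victim@example.com",     60),    # window slid past t=0 -> accepted
    ]
    codes = [limiter.check(sender, n, t)[0] for t, sender, n in timeline]
    return codes, alerts


if __name__ == "__main__":
    codes, alerts = simulate()
    print("SMTP codes:", codes)        # [250, 452, 250, 250, 452, 250]
    print("alerted senders:", alerts)  # ['victim@example.com']
```

The replay shows the behaviour Jason asked about: the second and fifth envelopes from the compromised account get 452 and stay in the internal server's queue, the retry at 3700 s succeeds once the oldest envelope has aged out of the one-hour window, and the exempt newsletter sender is never throttled. The alert hook is where you would wire an admin notification so that the first 452 for a sender, rather than a blacklisting, is how you learn about the compromise.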

There is a white paper on the public Cisco.com web site that covers using multiple features on the ESA to combat the problem of phishing and outbound spam from compromised accounts getting you on blacklists.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/whitepaper_C11-720311.pdf

It walks you through these features, most notably Outbreak Filters and Rate Limit Per Mail From. Outbreak Filters will help with catching these inbound messages and Rate Limit Per Mail From will stop excessive senders such as bots. Use Administrative Alerts to have the ESA send an alert message when the rate limits are hit so you know immediately when there is a problem.


Thanks,


Raymond Jett

Technical Marketing Engineer

Cisco Email Security Products

Awesome White Paper, thank you for sharing the link...

Thanks! Glad you like it.

I originally wrote it as an internal lab guide to train our field sales engineers and thought it would be helpful as a customer facing white paper.

Raymond

As a side note, does anyone know when the "Rate Limit per Mail-From" feature was added? Again, really appreciate the White Paper and the other comments...

It was added in AsyncOS 7.6.x for Email.