High volume of spam email from SBRS None

tsilveruits
Level 1

Hi. We are seeing a high volume of spam coming from sources that have no SBRS scores. Is anyone else experiencing this? Some of the domains include:


skincare.howtogetridofwartsz.org

cats.surburbanpets.com

deck.cardscastgame.com


The domains don't accept emails (i.e., telnet to port 25 fails), so any bounces are being queued and retried. It would be preferable to not accept these emails at all, many of which, if not most, are being identified as spam. However, we deliver spam emails and place them in a spam folder for users to review, so we can't just drop them. Well, we could if we block the IPs, but there are so many of these domains popping up that trying to block by IP is not feasible, as they will just try from another domain tomorrow.


Any suggestions?


Mathew Huynh
Cisco Employee
Hey tsilveruits,

Is SBRS showing up as 'none' or 'unable to retrieve'? If it's the latter, it could be some other concerns.

I can see that you have noted most, if not all, are already being identified as spam by the engines. These could be the behaviour of newly compromised/spun-up mail servers sending out generic spam emails; once the servers do get a score assigned based on the algorithm on Talos, they pull it down and open up another. In these circumstances, reactively blocking IPs will be never-ending; unfortunately, as per the settings of delivering to the end users to let them decide, we would not be able to stop it at the connection level.

Ideally, though, it is recommended to drop it if it's positive spam matched against CASE (given the CASE engine is quite in-depth in its analysis).

Regards,
Matthew

Hi, Matthew. Thank you for that thorough and speedy response. To answer your question about the SBRS score, it is 'None'. It would be nice if we could drop them when CASE determines they are spam, and we may do so in the future. However, we are cautious. As you can imagine, it just takes one false positive resulting in an undelivered email to cause an uproar.


Our ESAs evaluate everything above a score of 80 as positive for spam, and scores above 40 are suspected spam. Both are delivered. If we could trust that emails with a score higher than 80 are identified as true positives, we could recommend dropping them. But I am not even sure where to find that information, or if we even have access to it.


Tim

Hey Tsilveruits,

Thanks for getting back to me. Ah yeah, that's quite a predicament there.

Unfortunately, the scores won't 'appear' on your side, as they're hashed within the required headers we insert, but you can be sure that any verdicts over 90 (these are the default values) we consider clear spam.

But you are right: if a false positive triggers, it can lead to some concern.


Another alternative, if not already used, is to consider sending them to a (spam) quarantine and letting the end user decide whether they want to trust the email or not, and release/delete accordingly.


We won't be able to assign scores to IPs quickly enough if the volume doesn't come in on the sensors to allocate a score via the algorithm, and stopping all SBRS None is very aggressive; I suggest against that.


Regards,

Matthew
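Before changing the anti-spam action from deliver to drop, a practitioner would want to quantify the trade-off Tim raises: how much of the SBRS None spam a drop policy removes versus how many messages from senders that do carry a reputation score it would also drop. The following Python is an added example, not code from the thread or from Cisco: it replays constructed sample records (the domains are the ones listed above; the SBRS values and CASE scores are invented, and the record layout is not ESA log output) through the thresholds quoted in the thread, 80/40 on Tim's ESAs and the 90 default Mathew cites.

```python
from collections import Counter, defaultdict

# Constructed sample records, NOT real ESA mail_logs output:
# (sender domain, SBRS value or None, CASE score). The domains are the ones
# from the thread; SBRS values and scores are invented for illustration.
SAMPLE = [
    ("skincare.howtogetridofwartsz.org", None, 93),
    ("skincare.howtogetridofwartsz.org", None, 85),
    ("cats.surburbanpets.com", None, 88),
    ("cats.surburbanpets.com", None, 55),
    ("deck.cardscastgame.com", None, 97),
    ("deck.cardscastgame.com", None, 41),
    ("partner.example", 3.5, 12),   # established sender, clean mail
    ("partner.example", 3.5, 82),   # established sender, likely false positive
    ("newsletter.example", 6.0, 45),
]

def classify(score, positive=80, suspect=40):
    """Map a CASE score to the verdict bands quoted in the thread."""
    if score >= positive:
        return "positive"
    if score >= suspect:
        return "suspect"
    return "clean"

def simulate(records, positive=80, suspect=40, drop_positive=False):
    """Replay records through one policy and report its impact.

    Positive spam is dropped only when drop_positive is set; otherwise it is
    quarantined with suspect spam, and clean mail is delivered. The
    'dropped_with_reputation' count is the false-positive exposure: dropped
    messages whose sender already carries an SBRS value.
    """
    actions, dropped_domains = Counter(), defaultdict(int)
    dropped_with_reputation = 0
    for domain, sbrs, score in records:
        band = classify(score, positive, suspect)
        if band == "positive" and drop_positive:
            actions["drop"] += 1
            dropped_domains[domain] += 1
            dropped_with_reputation += sbrs is not None
        elif band in ("positive", "suspect"):
            actions["quarantine"] += 1
        else:
            actions["deliver"] += 1
    return {"actions": dict(actions), "dropped_domains": dict(dropped_domains),
            "dropped_with_reputation": dropped_with_reputation}

if __name__ == "__main__":
    for threshold in (80, 90):   # the ESA's current setting vs the default Mathew cites
        print(threshold, simulate(SAMPLE, positive=threshold, drop_positive=True))
```

On this sample, raising the drop threshold from 80 to 90 removes the false-positive exposure from the established sender while still dropping the highest-scoring SBRS None mail; the same replay over a real export of your own verdicts is the data Tim says he lacks.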