09-09-2010 03:25 PM
Hello,
Cisco IronPort has identified a SPAM Outbreak with Subject "Here you have" and has published IronPort AntiSpam rules to protect from these messages.
If you notice the messages bypassing your Email Security Appliance, please verify that these messages are being scanned by IronPort AntiSpam via Message Tracking or Mail logs.
If these messages are not being scanned by IronPort AntiSpam due to Whitelisting or Policy exceptions, you can create an incoming content filter to catch these messages.
For additional information, please refer to the KB article # 1629 below.
http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=1629&p_created=1284070094&p_sid=dZEAvC9k&p_accessibility=0&p_redirect=&p_srch=1&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MSwxJnBfcHJvZHM9MCZw...!!&p_li=&p_topview=1
Please feel free to contact Cisco IronPort Customer Support if you need additional assistance.
Best Regards,
Cisco IronPort Customer Support
09-09-2010 03:35 PM
Hello,
McAfee is also reporting this SPAM attack and has just posted an announcement regarding their workaround at https://kc.mcafee.com/corporate/index?page=content&id=KB69857. Cisco IronPort Email Security Appliance customers using McAfee and/or IPAS should now be catching this SPAM.
09-09-2010 03:48 PM
Trend Micro has just reported a similar issue at http://blog.trendmicro.com/old-malware-out-of-its-shell/
09-09-2010 04:05 PM
Cisco IronPort is updating our VOF filters right now to catch and prevent the virus/worm called WORM_MEYLME.B. An announcement on the VOF updates will be made shortly.
09-09-2010 04:24 PM
Sophos has addressed this issue and is able to filter SPAM based on the virus link. Sophos IDE details are available at http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunbho.html
09-09-2010 04:54 PM
How do I confirm which IDE is blocking this on IronPort?
09-09-2010 05:12 PM
Cisco IronPort IDE numbers above 2010090905 include the Sophos IDE fix for this virus. Below are the release details; you can run 'antivirusstatus detail' to check for this IDE. Example:
test.run> antivirusstatus detail
Sophos Anti-Virus:
Product - 4.56
Engine - 3.10.0
Product Date - 02 Aug 2010
Sophos IDEs currently on the system:
'Fake-Bsk.Ide' Virus Sig. - 10 Sep 2010 00:06:54
'Auto-Bho.Ide' Virus Sig. - 09 Sep 2010 20:20:28
09-10-2010 05:11 AM
Actually, my findings show Sophos on IronPort is not capturing these viruses. CASE is, but not Sophos. CASE isn't active on our outbound email and I see instances of these being missed.
09-10-2010 12:09 PM
Simon,
Thanks for the feedback.
Can you check the following on your ESA:
1. Your AV engine has the IDEs which were published to block these messages
2. The messages were indeed scanned by Sophos
Assuming both of the above are true, I would recommend that you open a case with Cisco IronPort Customer Support and submit samples that were not caught by Sophos. We would like to take a look at the samples and determine why they were not caught by your ESA.
Thanks!
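The checks asked for in this thread (were the "Here you have" messages scanned by IronPort AntiSpam, and did they reach Sophos?) can be run over mail_logs rather than by eye in Message Tracking. The following is an added example, not code from Cisco or from anyone in the thread; the log lines are constructed in the style of AsyncOS mail_logs, and the verdict wording and the threat name in them are assumptions, so adjust the regular expressions to match your appliance's actual output.

```python
import re
from collections import defaultdict

# Constructed sample in the style of AsyncOS mail_logs (not a real capture).
SAMPLE_MAIL_LOGS = """\
Thu Sep  9 15:20:01 2010 Info: MID 1001 Subject 'Here you have'
Thu Sep  9 15:20:01 2010 Info: MID 1001 using engine: CASE spam positive
Thu Sep  9 15:20:02 2010 Info: MID 1001 interim AV verdict using Sophos VIRAL
Thu Sep  9 15:20:02 2010 Info: MID 1001 antivirus positive 'Example-Worm'
Thu Sep  9 15:21:10 2010 Info: MID 1002 Subject 'Here you have'
Thu Sep  9 15:21:11 2010 Info: MID 1002 interim AV verdict using Sophos CLEAN
Thu Sep  9 15:21:11 2010 Info: MID 1002 antivirus negative
Thu Sep  9 15:22:30 2010 Info: MID 1003 Subject 'Quarterly report'
Thu Sep  9 15:22:30 2010 Info: MID 1003 using engine: CASE spam negative
Thu Sep  9 15:22:31 2010 Info: MID 1003 interim AV verdict using Sophos CLEAN
Thu Sep  9 15:23:00 2010 Info: MID 1004 Subject 'Here you have'
"""

MID_RE = re.compile(r"Info: MID (\d+) (.*)$")
SUBJECT_RE = re.compile(r"^Subject '(.*)'$")
ANTISPAM_RE = re.compile(r"^using engine: (\S+) spam (positive|negative|suspect)")
ANTIVIRUS_RE = re.compile(r"^interim AV verdict using (\S+) (\S+)")


def audit_outbreak(mail_logs, subject="Here you have"):
    """Map each MID whose Subject matches the outbreak to the anti-spam and
    anti-virus engines that logged a verdict for it (None = no verdict seen)."""
    state = defaultdict(lambda: {"subject": None, "antispam": None, "antivirus": None})
    for line in mail_logs.splitlines():
        m = MID_RE.search(line)
        if not m:
            continue
        mid, rest = m.group(1), m.group(2)
        if (s := SUBJECT_RE.match(rest)):
            state[mid]["subject"] = s.group(1)
        elif (a := ANTISPAM_RE.match(rest)):
            state[mid]["antispam"] = a.group(1)
        elif (v := ANTIVIRUS_RE.match(rest)):
            state[mid]["antivirus"] = v.group(1)
    return {mid: {"antispam": st["antispam"], "antivirus": st["antivirus"]}
            for mid, st in state.items()
            if st["subject"] is not None and st["subject"].lower() == subject.lower()}


def unscanned(report):
    """MIDs that carried the outbreak subject but never received an anti-spam
    verdict: the whitelist/policy-exception symptom the first post describes."""
    return sorted(mid for mid, st in report.items() if st["antispam"] is None)


if __name__ == "__main__":
    report = audit_outbreak(SAMPLE_MAIL_LOGS)
    print("Outbreak MIDs not scanned by IronPort AntiSpam:", unscanned(report))
```

MIDs listed by unscanned() are the candidates for the incoming content filter mentioned in the first post; a MID with an anti-spam verdict but antivirus None is one to include in a support case with samples.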