Email Plug-in (Reporting): 1.1.0-129
Email Plug-in (Encryption): 1.2.1-151
I would say in the last week we have seen an increase in random spam coming through our IronPort C160. We are on AsyncOS version 7.6.0-444. It seems in the message logs quite a few get out there with random. My boss just got 3 pieces of spam mail in the last 10 minutes. Here are our settings in anti-spam.
Anything you guys recommend? Why the uptick in spam all of a sudden?
CASE Core Files: version 3.3.1-009, last update 21 May 2014 12:13 (GMT +00:00)
CASE Utilities: version 3.3.1-009, last update 21 May 2014 12:13 (GMT +00:00)
Structural Rules: version 3.3.1-009-20140902_211701, last update 03 Sep 2014 12:56 (GMT +00:00)
Web Reputation DB: version 20140902_113957, last update 02 Sep 2014 11:48 (GMT +00:00)
Web Reputation DB Update: version 20140902_113957-20140903_162316, last update 03 Sep 2014 16:26 (GMT +00:00)
Content Rules: version 20140903_172026, last update 03 Sep 2014 17:21 (GMT +00:00)
Content Rules Update: version 20140903_172101, last update 03 Sep 2014 17:21 (GMT +00:00)
My company also has seen a large increase this week. I have noticed spam coming in much more frequently since February. Every time I speak with support they say that they are trying to adjust to the snowshoe problem but haven't finalized the solution yet. They state that their competitors are having the same issue, but I have not been able to verify that.
Unfortunately, the spammers have not hit the high maintenance people in our company so they are making more noise than normal about the spam. My definitions look identical to yours and I am on 7.6.2-014.
I've been told by Don Glynn (North American lead of TAC) that possibly lowering the spam threshold to 48 or 49 may help a little but that Cisco does base the definitions on the default value of 50 so we haven't tried adjusting it yet.
What is surprising is that some of these emails are so obviously spam, just by the content and the words being used, I don't see how the system can't analyze the text to determine if it is spam. My previous system was Ironmail and they had a Bayesian system that would analyze the words in the body and would add scoring to identify spam.
If anyone has any ideas it would be helpful.
That is from GUI: Mail Policies > Incoming Mail Policies > Select the Anti-spam column associated to the mail policy name...
Spam Thresholds are at the bottom of the configuration options...
Ok, I altered the values to 80 and 40 respectively, and also slightly altered the SBRS score ranges for blacklist, throttled and allowed. Our CIO still got another piece of spam. I had him install the IronPort Outlook plugin and report it as spam.
How can we stop this from getting in?
Envelope and Header Summary
Received Time: 04 Sep 2014 11:57:32 (GMT -04:00)
Message Size: 1.39 (KB)
Subject: Hey, Need_to_Finance _a_New_Car? (AllCreditOK)
Envelope Recipients: -undisclosed recipients
Message ID Header: <firstname.lastname@example.org>
SMTP Auth User ID: N/A
Sending Host Summary
Reverse DNS Hostname: point70.breadhosting.net (verified)
I'm having the same issue as everyone else, a huge increase in spam. Some stuff getting through that is obvious spam. Anyways I checked my antispam setting and here are my thresholds: "always scan 128k or less and Never scan 1mb or more." Does this mean messages that are larger than 1mb are never scanned for spam?
I have opened many tickets in the last 8 months and nothing seems to be helping. I do submit spam using the plugin, but never really know what happens after submission. Should I increase the Always scan 128k? I have one spam from today that is size 5.75 (KB), so not sure if this setting would have helped.
"always scan 128k or less and Never scan 1mb or more." Does this mean messages that are larger than 1mb are never scanned for spam?
- This essentially means any emails from 1 byte -> 128kb will be put under a full scan for all details: contents, headers, fingerprints and other aspects the engine will go through.
Anything between 128kb and 1mb will be put under a 'partial' scan
While anything above 1MB will bypass the spam scanners
The sample you received that is 5.75kb will be subjected to a full scan.
Normally submissions to our database will have our automated processes update the rules respectively and push updates out.
However, in the instance you are still seeing the same or similar emails pass despite submitting, I strongly suggest opening a TAC case for us to review and escalate the samples to our spam team engineers to review and possibly write up further rules.
In addition, I strongly suggest all users who are experiencing an increase of spam first ensure their devices are on version 7.6.3 onwards (to ensure the system is supported and to correct some concerns with the SBRS engine that were apparent in the older releases that are now EOL).
Also, if possible, you can upgrade to version 8.5.6 and utilize the "URL filtering" option to help with spam/phishing emails as well.
Full scan would utilize all spam rules and do a deep scan on every aspect the CASE engine would be looking for.
Partial scan would just be a high level overview of something that may look suspicious (to put it in general terms)
The depth and scope of a full scan is much deeper compared to a partial surface type scan.
Complete details on the rule matching of the two instances cannot be shared, however, due to Cisco Proprietary Information.
The configured "Always Scan" size of 128K should be increased. The size of spam messages has increased over time and therefore we recommend 256K or even 512K. If your appliance is not already consuming too much system performance, then you can configure 512K. Otherwise, first start with 256K and verify the impact. Messages smaller than the always scan size will be fully scanned, except in cases of "early exit." If you keep 128K, then messages larger than this will only run through a limited scan up to a size of 3 MB in your case. For more details, configuration checks and fine tuning I recommend reading this blog post.
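To make the three size tiers from the TAC reply and the sizing advice above concrete, here is an added example (not Cisco's code and not from any poster) that parses sizes the way they appear in the GUI and in Message Tracking ("128K", "1M", "5.75 (KB)", "1136 bytes"), assigns each message to full, partial or bypass, and reports which observed sizes would move tier if "Always scan" were raised. The tier boundaries (at or below "Always scan" is full, at or above "Never scan" is bypass, anything between is partial) are taken from the thread; the exact boundary behaviour at the thresholds themselves is an assumption.

```python
import re

# Added example, not Cisco's code. It models the three tiers described in the
# thread for the anti-spam size thresholds (boundary handling is an assumption):
#   size <= "Always scan"                  -> full CASE scan
#   "Always scan" < size < "Never scan"    -> partial scan
#   size >= "Never scan"                   -> skips the anti-spam engine
UNIT_BYTES = {"B": 1, "K": 1024, "KB": 1024, "M": 1024 ** 2, "MB": 1024 ** 2}

# Accepts "128K", "1M", "5.75 (KB)", "1.39 (KB)", "1136 bytes" (case-insensitive).
SIZE_RE = re.compile(r"\s*([\d.]+)\s*\(?\s*(bytes|[KM]B?)?\s*\)?\s*", re.IGNORECASE)


def parse_size(text):
    """Turn a GUI or tracking size string into a byte count."""
    m = SIZE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    number, unit = m.groups()
    unit = "B" if unit is None or unit.lower() == "bytes" else unit.upper()
    return int(round(float(number) * UNIT_BYTES[unit]))


def scan_tier(message_size, always_scan="128K", never_scan="1M"):
    """Return 'full', 'partial' or 'bypass' for one message under the given thresholds."""
    size = parse_size(message_size)
    if size <= parse_size(always_scan):
        return "full"
    if size >= parse_size(never_scan):
        return "bypass"
    return "partial"


def tier_changes(sizes, old_always, new_always, never_scan="1M"):
    """Map each observed size that changes tier to (tier before, tier after)."""
    changes = {}
    for s in sizes:
        before = scan_tier(s, old_always, never_scan)
        after = scan_tier(s, new_always, never_scan)
        if before != after:
            changes[s] = (before, after)
    return changes


if __name__ == "__main__":
    # Sizes quoted in the thread plus two constructed ones ("300K", "2M").
    observed = ["1.39 (KB)", "5.75 (KB)", "1136 bytes", "300K", "2M"]
    for s in observed:
        print(f"{s:>10}: {scan_tier(s)}")
    print("raising Always scan 128K -> 512K changes:", tier_changes(observed, "128K", "512K"))
```

Run against the sizes quoted in the thread, every one of them lands in the full-scan tier even at 128K, which is why the poster's 5.75 KB sample was fully scanned; the threshold change only matters for messages in the partial band, which is what `tier_changes` surfaces before you touch the appliance.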
Wow Enrico, great blog post and a good find. I increased my 128k to 512k with no ill effects.
I also noticed most of the spam in the last 24 hours came from a domain .club. The spam is randomly about car warranties, installing windows from Lowes, cars under Kelly Blue Book value, DIY projects, etc... But the one common denominator is the .club in the sender address. We do maintain a dictionary called blocked senders and in this I added some RegEx for .club just like I had to do for .us when we were spammed like crazy by them. The regex that I used is [^@]+@[^@]+\.club+
So in the message tracking I went back further prior to me entering this rule and I can see the message size was 1.11 KB. Here are some details:
Sending Host: field82.rubberhosting.org (verified) 18.104.22.168
Message 8554166 original subject on injection: Re: Clearance-Pricing has new Fords listed Below Kelly Blue Book.
Message 8554166 (1136 bytes) from email@example.com ready.
Message 8554166 matched per-recipient policy DEFAULT for inbound mail policies.
Message 8554166 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
Message 8554166 scanned by Anti-Spam engine CASE. Interim verdict: definitely negative.
Message 8554166 scanned by Anti-Spam engine: CASE. Final verdict: Negative
Message 8554166 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
Message 8554166 scanned by Anti-Virus engine. Final verdict: Negative
Message 8554166 scanned by Outbreak Filters. Verdict: Negative
Message 8554166 is not signed. No domain key profile matches firstname.lastname@example.org.
Message 8554166 not signed. No DKIM profile matched email@example.com.
Message 8554166 queued for delivery.
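The post above does two things by hand: it goes back through Message Tracking for messages that CASE passed, and it adds a sender regex to a blocklist dictionary. The added example below (not Cisco's code and not the poster's) does the same over constructed tracking lines shaped like the ones quoted above: it groups lines by message id, keeps sender, size, final CASE verdict and delivery status, and then lists the delivered, CASE-negative messages whose sender the pattern hits. It also runs the thread's unanchored pattern `[^@]+@[^@]+\.club+` beside an anchored alternative (an assumption of mine) to show that the unanchored form also matches a hostname that merely contains ".club", such as a ".clubhouse" subdomain, which is the kind of false positive to check before a dictionary rule goes live. The message ids, senders and subjects are made up; how the appliance itself applies dictionary regexes is not described in the thread, so matching here is plain Python `re.search`.

```python
import re
from collections import defaultdict

# Added example, not Cisco's or the poster's code. Constructed tracking lines in
# the shape of the Message Tracking output quoted in the post; ids, senders and
# subjects are made up.
SAMPLE_TRACKING = """\
Message 8554166 original subject on injection: Re: Clearance-Pricing has new Fords listed Below Kelly Blue Book.
Message 8554166 (1136 bytes) from promo@sales.example.club ready.
Message 8554166 matched per-recipient policy DEFAULT for inbound mail policies.
Message 8554166 scanned by Anti-Spam engine: CASE. Final verdict: Negative
Message 8554166 queued for delivery.
Message 8554167 original subject on injection: Q3 invoice attached
Message 8554167 (20480 bytes) from billing@partner.example.com ready.
Message 8554167 scanned by Anti-Spam engine: CASE. Final verdict: Negative
Message 8554167 queued for delivery.
Message 8554168 original subject on injection: Book club meeting moved
Message 8554168 (1500 bytes) from alice@mail.clubhouse.example.com ready.
Message 8554168 scanned by Anti-Spam engine: CASE. Final verdict: Negative
Message 8554168 queued for delivery.
"""

THREAD_PATTERN = r"[^@]+@[^@]+\.club+"     # the pattern given in the post (unanchored)
ANCHORED_PATTERN = r"^[^@]+@[^@]+\.club$"  # constructed alternative: .club must be the TLD

LINE_RE = re.compile(r"^Message (\d+) (.*)$")
SUBJECT_RE = re.compile(r"^original subject on injection: (.*)$")
READY_RE = re.compile(r"^\((\d+) bytes\) from (\S+) ready\.$")
VERDICT_RE = re.compile(r"^scanned by Anti-Spam engine:? CASE\. Final verdict: (\w+)")


def parse_tracking(text):
    """Group tracking lines by message id and extract sender, size, verdict, delivery."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mid, rest = m.groups()
        rec = msgs[mid]
        if (s := SUBJECT_RE.match(rest)):
            rec["subject"] = s.group(1)
        elif (r := READY_RE.match(rest)):
            rec["size"] = int(r.group(1))
            rec["sender"] = r.group(2)
        elif (v := VERDICT_RE.match(rest)):
            rec["case_verdict"] = v.group(1)
        elif rest == "queued for delivery.":
            rec["delivered"] = True
    return dict(msgs)


def delivered_matching(msgs, pattern):
    """Ids of messages CASE passed and the appliance delivered whose sender the pattern hits."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(
        mid for mid, rec in msgs.items()
        if rec.get("delivered") and rec.get("case_verdict") == "Negative"
        and "sender" in rec and rx.search(rec["sender"])
    )


if __name__ == "__main__":
    msgs = parse_tracking(SAMPLE_TRACKING)
    for label, pattern in (("thread pattern", THREAD_PATTERN), ("anchored pattern", ANCHORED_PATTERN)):
        hits = delivered_matching(msgs, pattern)
        print(f"{label}: {hits}")
        for mid in hits:
            print(f"  {mid} {msgs[mid]['sender']} ({msgs[mid]['size']} bytes): {msgs[mid]['subject']}")
```

The thread pattern flags both the .club sender and the legitimate `mail.clubhouse.example.com` sender; the anchored form flags only the first. Replaying a candidate dictionary entry over a window of tracking data this way, before adding it, shows what it would have blocked as well as what it would have caught.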
I did receive one of the spam messages and I do have the Outlook plugin installed. I did click report as spam. So my understanding is that this will send the sample in the proper RFC compliant format to Cisco? If so, I can get this plugin rolled out to more users so they can do the same thing.
I am hoping to upgrade to AsyncOS 8.5, which has URL filtering in it, so these spam e-mails that contain malicious links can at least (if they get by) have the links removed or made unclickable. Our users are trained not to click on anything in an email they are not suspecting, and if they have any questions call IT first. But the human is the weakest link in the chain, so the more security we can place up front, the better.
It is correct that the plug-in submits the message in RFC compliant format. So rolling the plug-in out to users is a good idea, as more people will use the plug-in and our systems get fed with missed spam, which helps us in improving catch rates even better. Submitting false negatives using the plug-in is the best way to get rid of this junk! If there are spam messages you submitted and you want to get feedback on those, you need to contact TAC. In future releases of AsyncOS you will have the possibility to manage spam submissions, which at the moment is not possible.
Yes, version 8.5 will certainly add to the protection with URL filtering and Advanced Malware Protection (AMP)!
Just keep in mind that lowering the Spam thresholds too much may cause false positives. You have better control if you send Spam into the Spam quarantine instead of dropping. With a score of 90 dropping Spam is ok.