06-29-2011 10:30 AM
I have been hit with an email threat - subject starts out as "Increase Your Mailbox Size", there is a link in the email. I am guessing that this initiates when a user clicks on the link, but the link is disabled now.
We’ve had at least a couple users click this, I have filters to prevent this particular subject from coming in. But, when this thing starts up it sends out thousands of emails. The emails go out with 200 recipients per email, the subject changes – I’ve seen these subjects –
ATTENTION BENEFICIARY!!
MAILBOX QUOTA FULL
INCREASE YOUR MAILBOX SPACE
Promotion of sum of
Promotion sum
Anyone else seen this? I’m still not sure that I won’t have another user that has it. It has been difficult to trace the source, seems to have come back after a computer was wiped and mailbox cleaned. Ironport av isn’t catching it incoming or outgoing.
07-05-2011 02:06 PM
Greetings
Although I have not seen this one specifically, this sounds like one of the many targeted phishing attacks going around lately. Ideally we would like to catch this before the user ever sees it. If the subject title is always the same you can of course create a simple filter to drop these messages. If possible we would like to get copies so that we can work towards updating the antispam rule sets to block this type of message.
I am including instructions on that process below.
To send a missed spam or message incorrectly marked as "not-spam" email to IronPort Systems for examination, there are a number of ways to submit messages.
Note: Unless submitted through a plug-in (MS Outlook, not MS Outlook Express), messages forwarded must be RFC-822 compliant attachments. Forwards of previously forwarded messages cannot be processed at this time.
Each message is reviewed by a team of human analysts and used to enhance the accuracy and effectiveness of the product.
Once we receive submissions from a customer or from other sources, these messages are passed through automated classification systems that make use of our latest rule set. If these messages are tagged by the new rule-set as spam, they are classified as such. Due to a delay in receiving samples and generating rules, many of the missed-spam messages usually have rules published between the time they are received by our customers and reported to us.
There are some messages that are part of new spam trends or new variants that are sufficiently different or new spam strains that are not classified by automated systems. Basically, any messages that are held for classification due to some mitigating factors are held for human review. We attempt to get to these messages within 2-3 hours of them being ingested into the corpus.
Note: Although every report sent as an RFC-822 attachment to this address will be reviewed, most submissions will not receive an actual physical reply from IronPort.
Christopher C Smith
CSE
Cisco IronPort Customer Support
07-06-2011 10:37 AM
Thank you!
I have sent the original message to this threat through the Cisco Outlook plugin for submitting spam, phishing, etc. I am going to send 2 of the resulting messages also.
I would like to know more about this!! If this did in fact hijack an OWA session, I would really like to know that, get Microsoft in on this. I have not seen this before, it would be good for myself and other Exchange Admins to know this information.
So, is there a way I can hear back on what is found from the messages I submit?
Kirk
07-06-2011 10:42 AM
Greetings Kirk,
Please open a support case to follow up on your submissions. That way we can track this information and forward you any responses from our Rules team.
Regards,
Jyothi Gandla
Customer Support.
07-06-2011 10:48 AM
Hi Kirk,
Currently that system does not provide any direct feedback to the customer related to what you submit. You can however open a ticket with support and support can in turn query the Case Operations Group for more data on what you have submitted.
I did find a little more information about this specific threat as posted on the web. These appear to fall under Nigerian and 419 scams and their variants.
ATTENTION BENEFICIARY!!
MAILBOX QUOTA FULL
INCREASE YOUR MAILBOX SPACE
Promotion of sum of
Promotion sum
Christopher C Smith
CSE
Cisco IronPort Customer Support
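The sending pattern described in the first post (bursts of outbound messages with about 200 recipients each, under rotating lure subjects) can be hunted for in outbound mail records even when the subject keeps changing. The following is an added example, not part of the original thread and not IronPort tooling; the CSV layout, thresholds and addresses are assumptions constructed for illustration.

```python
import csv, io, re
from collections import defaultdict
from datetime import datetime, timedelta

# Subject lines reported in the thread, matched case-insensitively.
LURE_SUBJECTS = re.compile(
    r"attention beneficiary|mailbox quota full"
    r"|increase your mailbox (space|size)|promotion (of )?sum", re.IGNORECASE)
RCPTS_PER_MSG = 100             # assumed; the thread reports 200 per message
RCPTS_PER_WINDOW = 1000         # assumed total recipients allowed per window
WINDOW = timedelta(hours=1)     # assumed sliding window

# Constructed sample, hypothetical export format: time,sender,rcpt_count,subject
SAMPLE_LOG = """\
2011-06-29T10:01:00,alice@example.org,3,Quarterly report
2011-06-29T10:02:00,bob@example.org,200,MAILBOX QUOTA FULL
2011-06-29T10:03:00,bob@example.org,200,ATTENTION BENEFICIARY!!
2011-06-29T10:04:00,carol@example.org,150,Staff newsletter
2011-06-29T10:05:00,bob@example.org,200,INCREASE YOUR MAILBOX SPACE
2011-06-29T10:06:00,bob@example.org,200,Promotion of sum of
2011-06-29T10:07:00,bob@example.org,200,Promotion sum
"""

def parse(log_text):
    for ts, sender, rcpts, subject in csv.reader(io.StringIO(log_text)):
        yield datetime.fromisoformat(ts), sender.lower(), int(rcpts), subject

def suspicious_senders(log_text):
    """Return {sender: [reasons]} for accounts that match the burst pattern."""
    by_sender = defaultdict(list)
    for rec in parse(log_text):
        by_sender[rec[1]].append(rec)
    findings = {}
    for sender, recs in by_sender.items():
        recs.sort()                          # chronological order per sender
        reasons, start, total = set(), 0, 0
        for ts, _, rcpts, subject in recs:
            total += rcpts
            while ts - recs[start][0] > WINDOW:   # expire old messages
                total -= recs[start][2]
                start += 1
            if total >= RCPTS_PER_WINDOW:
                reasons.add("recipient volume")
            if rcpts >= RCPTS_PER_MSG and LURE_SUBJECTS.search(subject):
                reasons.add("bulk message with lure subject")
        if reasons:
            findings[sender] = sorted(reasons)
    return findings
```

The volume check does not depend on the subject, so it still flags a compromised mailbox after the lure text changes, while a single legitimate bulk message such as the newsletter in the sample stays below both thresholds.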