
Increase your mailbox size - email threat

The-Messenger
Level 1

I have been hit with an email threat - subject starts out as "Increase Your Mailbox Size", there is a link in the email. I am guessing that this initiates when a user clicks on the link, but the link is disabled now.

We’ve had at least a couple users click this, I have filters to prevent this particular subject from coming in. But, when this thing starts up it sends out thousands of emails. The emails go out with 200 recipients per email, the subject changes – I’ve seen these subjects –

ATTENTION BENEFICIARY!!

MAILBOX QUOTA FULL

INCREASE YOUR MAILBOX SPACE

Promotion of sum of

Promotion sum

Anyone else seen this? I’m still not sure that I won’t have another user that has it. It has been difficult to trace the source, seems to have come back after a computer was wiped and mailbox cleaned. Ironport av isn’t catching it incoming or outgoing.
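The outbound pattern described in the post above (bursts of messages with about 200 recipients each and rotating subjects) can be spotted by counting recipients per sender in a sliding window. This is an added example, not part of the original post or of any IronPort feature; the record format, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed outbound records: (ISO time, authenticated sender, recipient count, subject).
SAMPLE = [
    ("2024-01-01T09:00:00", "bob@example.test", 2, "Lunch"),
    ("2024-01-01T09:01:00", "alice@example.test", 200, "MAILBOX QUOTA FULL"),
    ("2024-01-01T09:01:30", "alice@example.test", 200, "ATTENTION BENEFICIARY!!"),
    ("2024-01-01T09:02:00", "carol@example.test", 200, "Monthly newsletter"),
    ("2024-01-01T09:02:10", "alice@example.test", 200, "INCREASE YOUR MAILBOX SPACE"),
    ("2024-01-01T09:30:00", "carol@example.test", 200, "Monthly newsletter follow-up"),
]


def find_bursting_senders(records, window=timedelta(minutes=10), max_rcpts=500):
    """Flag senders whose recipient total inside `window` exceeds `max_rcpts`.

    Both limits are assumed values; tune them to the site's normal mail flow.
    """
    recent = defaultdict(deque)   # sender -> (time, rcpts, subject) still in window
    totals = defaultdict(int)     # sender -> recipients currently in window
    flagged = {}
    for ts, sender, rcpts, subject in sorted(records):
        now = datetime.fromisoformat(ts)
        queue = recent[sender]
        queue.append((now, rcpts, subject))
        totals[sender] += rcpts
        # Expire messages that fell out of the sliding window.
        while queue[0][0] < now - window:
            totals[sender] -= queue.popleft()[1]
        if totals[sender] > max_rcpts and sender not in flagged:
            flagged[sender] = {
                "flagged_at": ts,
                "recipients_in_window": totals[sender],
                # Rotating subjects are why a subject filter alone misses this.
                "subjects": sorted({s for _, _, s in queue}),
            }
    return flagged


if __name__ == "__main__":
    for sender, detail in find_bursting_senders(SAMPLE).items():
        print(sender, detail)
```

A flagged sender is the account to investigate and reset, since the post notes the mail returned after the workstation was wiped.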

1 Accepted Solution


Greetings

Although I have not seen this one specifically, this sounds like one of the many targeted phishing attacks going around lately. Ideally we would like to catch this before the user ever sees it. If the subject title is always the same you can of course create a simple filter to drop these messages. If possible we would like to get copies so that we can work towards updating the antispam rule sets to block this type of message.

I am including instructions on that process below.

To send a missed spam or message incorrectly marked as "not-spam" email to IronPort Systems for examination, there are a number of ways to submit messages.

  • Preferred: Use the Outlook plug-in or Lotus plug-in, found on the Cisco IronPort Email Security Page.
  • For customers using clients other than Microsoft Outlook, go to your email program and follow the instructions to attach the email as an RFC-822 MIME encoded attachment. See article 472.
  • (NOTE: All submitted messages must be in the RFC 822 format and ONLY that format. Any other formats (such as S/MIME) are currently not compatible with the submission tool.)

Note: Unless submitted through a plug-in (MS Outlook, not MS Outlook Express), messages forwarded must be RFC-822 compliant attachments. Forwards of previously forwarded messages cannot be processed at this time.

Each message is reviewed by a team of human analysts and used to enhance the accuracy and effectiveness of the product.

Once we receive submissions from a customer or from other sources, these messages are passed through automated classification systems that make use of our latest rule set. If these messages are tagged by the new rule-set as spam, they are classified as such. Due to a delay in receiving samples and generating rules, many of the missed-spam messages usually have rules published between the time they are received by our customers and reported to us.

There are some messages that are part of new spam trends or new variants that are sufficiently different or new spam strains that are not classified by automated systems. Basically, any messages that are held for classification due to some mitigating factors are held for human review. We attempt to get to these messages within 2-3 hours of them being ingested into the corpus.

Note: Although every report sent as an RFC-822 attachment to this address will be reviewed, most submissions will not receive an actual physical reply from IronPort.

Christopher C Smith

CSE

Cisco IronPort Customer Support
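For clients without the plug-in, the RFC-822 attachment requirement in the reply above can be met by wrapping the original message as a `message/rfc822` part. This is an added example, not Cisco tooling or part of the original reply; the sample message, the addresses and the submission address (which the page does not give) are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of a missed phishing message as received (headers intact).
RAW_SAMPLE = (
    b"Received: from mail.example.test (mail.example.test [192.0.2.10])\r\n"
    b"\tby mx.example.test; Mon, 01 Jan 2024 09:00:00 +0000\r\n"
    b"From: Helpdesk <helpdesk@example.test>\r\n"
    b"To: user@example.test\r\n"
    b"Subject: Increase Your Mailbox Size\r\n"
    b"Message-ID: <constructed-1@example.test>\r\n"
    b"\r\n"
    b"Your mailbox is almost full. Click the link to increase it.\r\n"
)

# Placeholder: the page does not state the submission address.
SUBMISSION_ADDR = "spam-submissions@example.invalid"


def wrap_as_rfc822(raw_bytes, reporter, submit_to=SUBMISSION_ADDR):
    """Attach the original message, headers included, as message/rfc822."""
    original = message_from_bytes(raw_bytes, policy=policy.default)
    if not original["Received"]:
        # No transport headers means this is an inline forward or a re-typed copy.
        raise ValueError("sample has no Received headers; export the original")
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = submit_to
    report["Subject"] = "Missed spam sample"
    report.set_content("Missed spam sample attached as message/rfc822.")
    report.add_attachment(original)  # a Message object becomes a message/rfc822 part
    return report


def inspect_report(report_bytes):
    """Re-parse the wire form and return what the receiving side would see."""
    parsed = message_from_bytes(report_bytes, policy=policy.default)
    parts = list(parsed.iter_attachments())
    inner = parts[0].get_content()  # the embedded original message
    return {
        "attachment_types": [p.get_content_type() for p in parts],
        "inner_subject": str(inner["Subject"]),
        "inner_received": len(inner.get_all("Received", [])),
    }


if __name__ == "__main__":
    msg = wrap_as_rfc822(RAW_SAMPLE, "admin@example.test")
    print(inspect_report(msg.as_bytes()))
```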


4 Replies 4


Thank you!

I have sent the original message to this threat through the Cisco Outlook plugin for submitting spam, phishing, etc. I am going to send 2 of the resulting messages also.

I would like to know more about this!! If this did in fact hijack an OWA session, I would really like to know that, get Microsoft in on this. I have not seen this before, it would be good for myself and other Exchange Admins to know this information.

So, is there a way I can hear back on what is found from the messages I submit?

Kirk

Greetings Kirk,

Please open a support case to follow up on your submissions. That way we can track this information and forward you any responses from our Rules team.

Regards,

Jyothi Gandla

Customer Support.

Hi Kirk,

Currently that system does not provide any direct feedback to the customer related to what you submit. You can however open a ticket with support and support can in turn query the Case Operations Group for more data on what you have submitted.

I did find a little more information about this specific threat as posted on the web. These appear to fall under Nigerian and 419 scams and their variants.

ATTENTION BENEFICIARY!!

MAILBOX QUOTA FULL

INCREASE YOUR MAILBOX SPACE

Promotion of sum of

Promotion sum

http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/thread/e7303482-66dc-4bc6-9edd-d53d45265505

Christopher C Smith
CSE

Cisco IronPort Customer Support