New spam trend?

amelo@
Level 1

Users reported receiving more spam messages than usual. From these spam messages' processing details we noticed that the emails' size is big enough to exceed the Anti-Spam scanning engines' limits, hence they are skipped and delivered to the recipients. The emails have tons of embedded images and no attachments.

Message 994119 size 2588002 exceeds max size 819200 for Anti-Spam scanning by Outbreak Filters
Message 994119 size 2588002 exceeds max size 1048576 for Anti-Spam scanning by CASE

Is this a new trend to bypass Anti-spam filters?

What corrective measure could we take without having to increase the threshold size? (We do not want to put more load on the ESAs by scanning big files.)


Thanks,

Accepted Solution

Libin Varghese
Cisco Employee

You can review the emails and message tracking to confirm whether there is a common trend for which to create a content/message filter, or a similarity in sender IP/hostname to add to the HAT Blacklist.

That would be the only method without increasing the actual anti spam scan sizes. 

You may also want to submit these to spam@access.ironport.com to improve rules globally.

Regards 

Libin Varghese 
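One way to do the message-tracking review suggested above, as an added example that is not part of this thread and not Cisco's tooling: a Python script that correlates the "exceeds max size" lines with the connection (ICID) records so you can see which connecting IPs and reverse-DNS hosts account for the messages that bypassed Outbreak Filters and CASE. The sample log is constructed here in the style of ESA mail_logs (the exact field layout of the ICID and "Start MID" lines is an assumption); the two "exceeds max size" lines mirror the ones quoted in the question. The output is a list of candidates for a HAT review, not an automatic blacklist.

```python
import re
from collections import defaultdict

# Constructed sample in the style of ESA mail_logs (assumed layout, not real traffic).
# Three messages from 203.0.113.5 skip both engines; one from 198.51.100.20 only skips
# Outbreak Filters and still receives a CASE verdict.
SAMPLE_MAIL_LOG = """\
Mon Mar  2 09:14:01 2020 Info: New SMTP ICID 501 interface Data1 (10.0.0.10) address 203.0.113.5 reverse dns host mta1.example.net verified yes
Mon Mar  2 09:14:01 2020 Info: Start MID 994119 ICID 501
Mon Mar  2 09:14:02 2020 Info: Message 994119 size 2588002 exceeds max size 819200 for Anti-Spam scanning by Outbreak Filters
Mon Mar  2 09:14:02 2020 Info: Message 994119 size 2588002 exceeds max size 1048576 for Anti-Spam scanning by CASE
Mon Mar  2 09:15:10 2020 Info: New SMTP ICID 502 interface Data1 (10.0.0.10) address 203.0.113.5 reverse dns host mta1.example.net verified yes
Mon Mar  2 09:15:10 2020 Info: Start MID 994120 ICID 502
Mon Mar  2 09:15:11 2020 Info: Message 994120 size 1900000 exceeds max size 819200 for Anti-Spam scanning by Outbreak Filters
Mon Mar  2 09:15:11 2020 Info: Message 994120 size 1900000 exceeds max size 1048576 for Anti-Spam scanning by CASE
Mon Mar  2 09:16:44 2020 Info: New SMTP ICID 503 interface Data1 (10.0.0.10) address 198.51.100.20 reverse dns host corp-mail.example.org verified yes
Mon Mar  2 09:16:44 2020 Info: Start MID 994121 ICID 503
Mon Mar  2 09:16:45 2020 Info: Message 994121 size 900000 exceeds max size 819200 for Anti-Spam scanning by Outbreak Filters
Mon Mar  2 09:16:46 2020 Info: MID 994121 interim verdict using engine: CASE spam negative
Mon Mar  2 09:17:00 2020 Info: New SMTP ICID 504 interface Data1 (10.0.0.10) address 203.0.113.5 reverse dns host mta1.example.net verified yes
Mon Mar  2 09:17:00 2020 Info: Start MID 994122 ICID 504
Mon Mar  2 09:17:01 2020 Info: Message 994122 size 2400000 exceeds max size 819200 for Anti-Spam scanning by Outbreak Filters
Mon Mar  2 09:17:01 2020 Info: Message 994122 size 2400000 exceeds max size 1048576 for Anti-Spam scanning by CASE
"""

# Connection record: ICID -> connecting IP and reverse-DNS host.
ICID_RE = re.compile(r"New SMTP ICID (\d+) .*? address (\S+) reverse dns host (\S+)")
# Message start: MID -> ICID it arrived on.
START_RE = re.compile(r"Start MID (\d+) ICID (\d+)")
# The skip line quoted in the question: MID, message size, engine limit, engine name.
SKIP_RE = re.compile(r"Message (\d+) size (\d+) exceeds max size (\d+) for Anti-Spam scanning by (.+)$")


def parse_skipped_scans(log_text):
    """Return {mid: {"size", "ip", "host", "skipped": {engine: limit}}} for every
    message that had at least one anti-spam engine skipped because of its size."""
    icid_to_conn = {}
    mid_to_icid = {}
    messages = {}
    for line in log_text.splitlines():
        m = ICID_RE.search(line)
        if m:
            icid_to_conn[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = START_RE.search(line)
        if m:
            mid_to_icid[m.group(1)] = m.group(2)
            continue
        m = SKIP_RE.search(line)
        if m:
            mid, size, limit, engine = m.groups()
            # Fall back to "unknown" if the log excerpt lacks the connection record.
            ip, host = icid_to_conn.get(mid_to_icid.get(mid), ("unknown", "unknown"))
            entry = messages.setdefault(
                mid, {"size": int(size), "ip": ip, "host": host, "skipped": {}})
            entry["skipped"][engine.strip()] = int(limit)
    return messages


def fully_unscanned(messages):
    """MIDs for which both Outbreak Filters and CASE were skipped, i.e. the message
    reached the recipient with no anti-spam verdict at all."""
    return sorted(mid for mid, info in messages.items()
                  if {"Outbreak Filters", "CASE"} <= set(info["skipped"]))


def summarize_by_sender(messages, min_messages=2):
    """Group skipped messages by connecting IP and return (ip, summary) pairs for IPs
    with at least min_messages such messages, most frequent first. These are
    candidates for a HAT review; a human still decides what to blacklist."""
    by_ip = defaultdict(lambda: {"host": None, "mids": [], "bytes": 0})
    for mid, info in messages.items():
        c = by_ip[info["ip"]]
        c["host"] = info["host"]
        c["mids"].append(mid)
        c["bytes"] += info["size"]
    return sorted(((ip, c) for ip, c in by_ip.items() if len(c["mids"]) >= min_messages),
                  key=lambda item: len(item[1]["mids"]), reverse=True)


if __name__ == "__main__":
    msgs = parse_skipped_scans(SAMPLE_MAIL_LOG)
    print("messages with no anti-spam verdict:", fully_unscanned(msgs))
    for ip, c in summarize_by_sender(msgs):
        print(f"{ip} ({c['host']}): {len(c['mids'])} unscanned messages, {c['bytes']} bytes")
```

Run it against a real mail_logs export instead of the embedded sample and the IPs it reports are the ones to check in message tracking before adding a HAT entry; the MIDs it lists are the messages to pull for the content/message filter review (common subject lines, image-only MIME structure, and so on).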

exMSW4319
Level 3

Libin's come up with some valid ideas, but there's no perfect solution if you have to gate your AV or AS on message size (and not gating AV on size will give you time-outs anyway). Anyone who seriously wants a go at you will try padding a message, possibly with innocuous content, in order to bump over the threshold.

The only way you might tackle that, if you have the latitude with your recipient community, would be to review attachments and only let anything over the threshold in if it's of a reasonably safe type. That might extend to disabling or otherwise hobbling Office macros at the recipient desktop.

As always, if you do have any direct or indirect responsibility for your recipient systems do consider your layers. That which the ESAs miss, your web proxy or AV endpoint may pick up.