Possible to Check the SPAM Score of a Mail?

Daniel Pelta
Level 1

Hi everyone,

We received a couple of suspicious mails lately, one of which contained the zepto Ransomware.

Now we're in the process of figuring out why those mails were not blocked, and I was wondering if I can check what SPAM score those mails received so we can determine if a reduction of the SPAM thresholds would have prevented those mails from going through.

Thanks for your help

Accepted Solution

You can also enable header logging for the IPAS header, and record those separately from having to look at the raw message headers...

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118291-technote-esa-00.html

But - TAC would still need to review that header to see the scoring.

-Robert

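Robert's point is to record the IPAS header on its own rather than digging it out of the raw headers of every message. As an added example, not code from this thread or from Cisco, the following Python pulls the X-IronPort-Anti-Spam-Filtered, X-IronPort-Anti-Spam-Result and X-IronPort-AV headers out of a raw message and flattens them into one log line per message, ready to hand to TAC. The sample message and every header value in it are constructed, and the `ipas_log_line` output format is an assumption of this example. The anti-spam result value is kept verbatim and never interpreted: it is an opaque encoded value that only Cisco can decode, which is exactly why TAC still has to review it.

```python
"""Extract the IronPort anti-spam (IPAS) and anti-virus verdict headers from a
raw message so they can be logged separately and attached to a TAC case.
Added example; not from the thread or from Cisco."""
import email
from email import policy

# Headers the ESA stamps on scanned mail.  X-IronPort-Anti-Spam-Result carries
# an opaque encoded value; this script records it, it does not decode it.
IPAS_HEADERS = (
    "X-IronPort-Anti-Spam-Filtered",
    "X-IronPort-Anti-Spam-Result",
    "X-IronPort-AV",
)


def extract_ipas_headers(raw_message: bytes) -> dict:
    """Return {header_name: [values...]} for the IPAS/AV headers.

    Every occurrence is kept, in order, because a header can be stamped more
    than once (one per scanning hop).  Folded continuation lines are joined
    and runs of whitespace collapsed to a single space.  Headers that are
    absent come back as an empty list, which is itself a useful signal: the
    message was never scanned by the anti-spam engine.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = {}
    for name in IPAS_HEADERS:
        found[name] = [" ".join(str(v).split()) for v in msg.get_all(name, [])]
    return found


def ipas_log_line(message_id: str, headers: dict) -> str:
    """Flatten the extracted headers into one line for a separate IPAS log.

    Format (an assumption of this example): mid=<id> <short-name>=<v1>|<v2>...
    with '-' standing in for a header that was not present.
    """
    parts = [f"mid={message_id}"]
    for name, values in headers.items():
        short = name.replace("X-IronPort-", "").lower()
        parts.append(f"{short}={'|'.join(values) if values else '-'}")
    return " ".join(parts)


# Constructed sample message: header values are made up to look like the real
# ones (the anti-spam result is folded across two lines) but come from no
# actual message.
SAMPLE_MESSAGE = b"""Received: from mx.example.test (10.0.0.5)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0EXAMPLEaBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789
\tABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
X-IronPort-AV: E=Sophos;i="5.28,example";a="123456"
Message-ID: <example-0001@example.test>
From: sender@example.test
To: recipient@example.test
Subject: Invoice
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

see attachment
--b--
"""

if __name__ == "__main__":
    hdrs = extract_ipas_headers(SAMPLE_MESSAGE)
    print(ipas_log_line("example-0001", hdrs))
```

Feed it the raw source of each missed message (one `.eml` at a time) and append the returned line to a dedicated log; when the case is opened, that log plus the message IDs is everything TAC needs to look up the scoring.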

Raed Boshmaf
Cisco Employee

Hi Daniel,

The email CASE/IMS "spam engine" scores are kept unpublished ("only visible at the back-end"), since showing the scores for emails means that the people who create spam emails can find out how and what email format gets what score ("and hence spammers can see what they need to do to trick the system").

So what I would suggest is opening a TAC case for these FN ("missed-spam") emails so that they can be reviewed and a rule published. Also, regarding the email that had the Zepto ransomware: it should have been detected by your AV engine(s). In case the tracking/mail_logs show that the AV engine(s) didn't detect it, opening a TAC case would help with that, since the file needs to be escalated to the AV team whose engine you are using on your appliance ("Sophos", for example) so that they can review the file to see if it is already detected (there is an already published IDE to address it) or if an IDE publish is needed.

Regards

Raed 

Hi Raed,

Thanks for your answer. I will open a case for the "missed-spam" mails then.

And regarding the virus, we of course opened cases with both AV teams (Mail Gateway Engine and Exchange Virusscan Engine) and uploaded the malicious attachment, since they both missed the virus and marked the attachment as clean.

Regards

Daniel


Daniel, I'm speculating as to how your copy of Zepto arrived, but I think you are conflating three things: the mechanism by which the hook is delivered, the exploit that assembles the malware inside your recipient's defences, and the actual ransomware malware that rips through your recipient's filing systems.

As ESA admins we can only focus on the first element. It's down to those who administer the recipient's network and desktop environments to worry about the second and third stages. My apologies if that's also you.

Now in my experience a lot of the first part is zero-day and sent from variably wide botnets with many individual machines not yet listed on DNSBLs and the like. This means it will sail past your anti-virus component, and efforts to tackle the problem by filtering on SPF or SBRS reputation will only catch a part of each attack. If your attacker is flooding you with several hundred messages in each attack, a number will get through and one of your recipients will be tricked into opening it. It's a numbers game, with the odds rising steadily against you.

https://nakedsecurity.sophos.com/2016/07/05/is-zepto-ransomware-the-new-locky/ says Zepto may appear as a ZIP or DOCM attachment, and if you are in a position where you have to admit encrypted ZIP or ZIP containing executables then you really can't be expected to do much about this or all of the other container-based trash that's been flying around for years. It's down to the desktop support to work out how to secure machines in that scenario.

DOCM likewise is obviously a macro and you might quarantine all with a forwarding notice to the recipient "if you know this sender, contact us...". However, that's an oversimplification and you really want to look at the ideas over in the Block Office Attachments Containing Macros thread as it discusses how to spot a macro hidden in a DOC or even an RTF attachment.

What you do then is a very good question. You can flag each mail with a warning, but there are likely to be too many to quarantine and too many legitimate mails to strip. Your recipient desktop support might consider the radical solution of simply disabling all macros in the applications, but that may not be commercially feasible.
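The container cases raised above (encrypted ZIPs, ZIPs carrying executables or scripts, a macro project hidden behind a .docx extension or inside a legacy OLE .doc, and RTF files wrapping an embedded object) can all be triaged by content rather than by the name an attachment arrives with. The Python below is an added example, not code from this thread or from the ESA. All attachments it inspects are constructed in-memory fixtures; the OLE `_VBA_PROJECT` and RTF `\objdata` checks are byte-level heuristics rather than full format parsers; and `build_stored_zip` exists only because the standard library cannot write encrypted ZIP entries for the test fixture.

```python
"""Content-based triage of mail attachments for the container risks discussed
in the thread.  Added example; not from the thread or from any Cisco product."""
import io
import struct
import zipfile
import zlib

# Extensions Windows will run directly when a user opens them out of a ZIP.
SCRIPT_OR_EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".js", ".jse",
                             ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Heuristic: OLE directory-entry names are stored UTF-16LE, and a VBA project
# always has a "_VBA_PROJECT" stream, so its encoded name marks a macro document.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def triage_zip(data: bytes) -> list:
    """Findings for any ZIP container, plain archives and OOXML documents alike."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                findings.append(f"encrypted member: {name}")
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in SCRIPT_OR_EXEC_EXTENSIONS:
                findings.append(f"executable member: {name}")
            if name.lower().endswith("vbaproject.bin"):  # DOCM/XLSM/PPTM macro project
                findings.append(f"macro project (OOXML): {name}")
    return findings


def triage_attachment(data: bytes) -> list:
    """Classify by file content; the claimed extension is never consulted."""
    if data.startswith(b"PK\x03\x04"):
        return triage_zip(data)
    if data.startswith(OLE_MAGIC):
        return ["macro project (OLE): _VBA_PROJECT stream present"] if OLE_VBA_MARKER in data else []
    if data.lstrip().startswith(b"{\\rtf"):
        low = data.lower()
        if b"\\objdata" in low or b"\\objemb" in low:
            return ["RTF with embedded OLE object"]
    return []


def build_stored_zip(members, encrypted=False) -> bytes:
    """Hand-assemble a minimal ZIP of stored (uncompressed) entries.  Exists only
    because zipfile cannot write encrypted entries; used here for fixtures."""
    flags = 0x1 if encrypted else 0
    local, central = b"", b""
    for name, payload in members:
        fname, crc, size = name.encode(), zlib.crc32(payload), len(payload)
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, 0,
                               crc, size, size, len(fname), 0, 0, 0, 0, 0, len(local)) + fname
        local += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                             crc, size, size, len(fname), 0) + fname + payload
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(members), len(members),
                       len(central), len(local), 0)
    return local + central + eocd


def constructed_samples() -> dict:
    """Constructed attachments, one per case; none of them is real malware."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:  # OOXML shell carrying a macro project
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a VBA project")
    return {
        "invoice.zip": build_stored_zip([("invoice.js", b"// constructed, harmless")]),
        "secure.zip": build_stored_zip([("report.pdf", b"%PDF-1.4 constructed")], encrypted=True),
        "quote.docx": docm.getvalue(),  # a .docm renamed to .docx still carries its macros
        "old.doc": OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER + b"\x00" * 64,
        "memo.rtf": b"{\\rtf1 {\\object\\objemb{\\*\\objdata 0105000002000000}}}",
        "notes.txt": b"plain text, nothing to see",
    }


if __name__ == "__main__":
    for filename, blob in constructed_samples().items():
        print(f"{filename}: {triage_attachment(blob) or ['clean']}")
```

The output of `triage_attachment` is a list of findings rather than a verdict on purpose: as the thread says, what to do next (warn, quarantine with a notice to the recipient, or strip) is a policy decision that differs per finding and per organisation, so the triage step only establishes what the attachment actually contains.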