Same spam format from different IPs

Hello there,

I have a case where clients on a hosted environment are receiving spam emails that have roughly the same subject field (Subject: Transfer fdlglkjdjf3478, and another says Subject: Transfer 9uert7845). When I trace them down they are always coming from a new source (different IP addresses on a continuous basis). How can I get this spam blocked for every client? (We have Cisco IronPort mail security.)

I have attached an Excel doc with my tracing history for those emails.

Regards

6 Replies

Anyone have any idea on how to achieve this blockage?

Hey Moustafa,

Looking at the spreadsheet, it seems like this may be a symptom of snowshoe spamming behaviour.

May I ask what version of AsyncOS is on your ESA?

Additionally, we cannot block them by sender address or IP (as it's constantly changing), and blocking by subject may be a bit more difficult, as you may cause false positives.

Is there anything else common to all these emails? Such as particular attachments?

If so, perhaps a filter that will quarantine/drop emails where the subject begins with Transfer and contains a particular attachment?

Else, I would suggest submitting these samples to spam@access.ironport.com for the automated categorization to review and generate rules if available.

Regards,

Matthew
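The reply above warns that a bare subject match will produce false positives while the sending IPs never repeat. The script below is an added example (not from the thread, not Cisco's code) that triages a trace like the poster's spreadsheet: it matches only the "Transfer <random token>" shape, requires the token to look random (Shannon entropy, threshold chosen here), and then measures how spread out the sources are, which is the snowshoe signature. The trace records, the entropy threshold and the /24 grouping are all assumptions of this example; the tight regex is the kind of condition you would put in a filter's subject rule instead of a keyword.

```python
"""Triage helper for the 'Transfer <random token>' spam pattern from the thread.

Added example, not part of the original post. SAMPLE_TRACE is constructed
data standing in for the poster's tracing spreadsheet.
"""
import ipaddress
import math
import re
from collections import Counter

# Tight pattern: "Transfer", whitespace, a single 6+ char alphanumeric token, end.
# "Transfer confirmation for invoice 4471" has extra words and does not match.
TRANSFER_SUBJECT = re.compile(r"^Transfer\s+([A-Za-z0-9]{6,})$")

# Constructed sample records: (timestamp, source IP, envelope sender, subject).
# The two real subjects quoted in the thread are included; the rest are invented.
SAMPLE_TRACE = [
    ("2014-02-03T08:01", "198.51.100.17", "alice@example.net", "Transfer fdlglkjdjf3478"),
    ("2014-02-03T08:05", "198.51.100.91", "bob@example.org", "Transfer 9uert7845"),
    ("2014-02-03T09:12", "203.0.113.4", "carol@example.com", "Transfer x83jd72kq"),
    ("2014-02-03T09:40", "192.0.2.77", "dave@example.net", "Transfer qq9s8d7f6g"),
    ("2014-02-03T10:02", "192.0.2.78", "erin@example.org", "Transfer kjh2h3g4"),
    ("2014-02-03T10:30", "198.51.100.17", "frank@example.com", "Transfer confirmation for invoice 4471"),
    ("2014-02-03T11:00", "203.0.113.200", "grace@example.net", "Re: Transfer"),
]


def token_entropy(token):
    """Shannon entropy in bits per character; random junk scores high."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_transfer_spam_subject(subject, min_entropy=2.5):
    """True only for the tight shape AND a random-looking token (threshold assumed)."""
    m = TRANSFER_SUBJECT.match(subject)
    if not m:
        return False
    return token_entropy(m.group(1)) >= min_entropy


def naive_keyword_hit(subject):
    """What a plain 'contains transfer' content filter would catch."""
    return "transfer" in subject.lower()


def keyword_false_positives(records):
    """Subjects a bare keyword filter catches that the tight pattern leaves alone."""
    return [r[3] for r in records
            if naive_keyword_hit(r[3]) and not is_transfer_spam_subject(r[3])]


def triage(records):
    """Count matches and measure source spread (IPs, /24s, senders)."""
    hits = [r for r in records if is_transfer_spam_subject(r[3])]
    ips = {r[1] for r in hits}
    nets = {str(ipaddress.ip_network(r[1] + "/24", strict=False)) for r in hits}
    senders = {r[2] for r in hits}
    return {
        "matched": len(hits),
        "distinct_ips": len(ips),
        "distinct_slash24": len(nets),
        "distinct_senders": len(senders),
        # 0 means every hit came from a fresh IP: blocking by IP cannot work.
        "ip_reuse": len(hits) - len(ips),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
    print("keyword-only hits:", keyword_false_positives(SAMPLE_TRACE))
```

On the constructed data every matched message comes from a different IP across several /24s, which is why sender-group or IP blocking keeps missing; the keyword comparison shows the two legitimate subjects that a plain "transfer" content filter would have quarantined.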

Hello Mathew,

Thanks for the valuable info here. I have submitted the samples to the spam team and will see what they can come up with. Unfortunately nothing in common can be detected, not even the subject, as it's now being changed on different occasions, and some have attachments and some don't. IronPort is up to date with its virus protection and spam signatures.

Hello Matthew:

As for the version, AsyncOS is 8.1.0-476 on the M660 content security management appliance and 8.0.0-671 on the C160, with CASE Utilities version 3.5.0-008 and CASE Core Files version 3.5.0-008, if this will help. I have read some posts on here regarding the appliance itself (C160); they were saying that there won't be any upcoming updates for this appliance to address the snowshoe issue. Is that correct?

Hello Matthew,

I have submitted the samples to spam@access.ironport.com. I got no reply so far and am not sure if any solution can be produced. The issue is that the amount of this spam is on the increase and affecting more domains on the filter (C160, C300V). Again, the spam is continuously changing (sender, domain, IP, subject and even the body content). Clients are complaining, as I said, about the amount increasing on a daily basis. What could be done to stop this issue, as it's getting out of control at this stage? So far I have had to put in a content filter with some keywords I noticed in most of the spam subjects, but this is temporary as it could cause further issues like false positives. Can you please advise?

Hello,

spam@access.ironport.com is an automated system; if you are seeking responses then you would need a TAC case opened for review.

The C160 is limited on some spam engine availability, so it would be beneficial to move to hardware which supports the latest AsyncOS.

Additionally, I would suggest upgrading your C300V to at least 8.5.7 for additional features that can be utilized and a scanning engine that can adapt to additional rules.

Furthermore, please check on your devices that you're seeing proper SBRS matching occurring as well.

Regards,

Matthew
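The last point above, verifying that SBRS (SenderBase reputation) matching is actually happening, is easiest to check from the appliance's mail_logs rather than from the GUI. The script below is an added example (not from the thread, not Cisco's code) that parses the per-connection ICID verdict lines, tallies which sender group each connection landed in, and lists connections the appliance accepted with no reputation score at all; a large share of those is the sign that reputation lookups are not working. The sample log lines are constructed in the style of ESA mail_logs, and the exact line layout and the 20% "healthy" threshold are assumptions of this example.

```python
"""Audit SBRS matching from ESA-style mail_logs ICID lines.

Added example, not part of the thread. SAMPLE_MAIL_LOGS is constructed; the
field order 'ICID <n> <verdict> SG <group> match <rule> SBRS <score>' is an
assumption about the appliance's log format.
"""
import re

ICID_LINE = re.compile(
    r"ICID (?P<icid>\d+) (?P<verdict>ACCEPT|REJECT|RELAY|TCPREFUSE) "
    r"SG (?P<group>\S+) match (?P<rule>\S+) SBRS (?P<sbrs>\S+)"
)

# Constructed sample lines (timestamps, ICIDs and scores are invented).
SAMPLE_MAIL_LOGS = """\
Mon Feb  3 08:01:12 2014 Info: ICID 4012 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 2.3
Mon Feb  3 08:05:40 2014 Info: ICID 4013 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Mon Feb  3 09:12:03 2014 Info: ICID 4014 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -7.5
Mon Feb  3 09:40:55 2014 Info: ICID 4015 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1
Mon Feb  3 10:02:30 2014 Info: ICID 4016 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Mon Feb  3 10:02:31 2014 Info: Start MID 9001 ICID 4016
Mon Feb  3 10:30:07 2014 Info: ICID 4017 RELAY SG RELAYLIST match 10.1.1.0/24 SBRS None
"""


def parse_icid_lines(text):
    """Return one dict per connection verdict line; other log lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ICID_LINE.search(line)
        if not m:
            continue
        try:
            score = float(m["sbrs"])      # numeric reputation score
        except ValueError:
            score = None                  # 'None' or any non-numeric marker
        conns.append({
            "icid": int(m["icid"]),
            "verdict": m["verdict"],
            "group": m["group"],
            "rule": m["rule"],
            "sbrs": score,
        })
    return conns


def sbrs_summary(conns):
    """Per-group counts plus the inbound connections accepted without a score."""
    by_group = {}
    for c in conns:
        by_group[c["group"]] = by_group.get(c["group"], 0) + 1
    accepted = [c for c in conns if c["verdict"] == "ACCEPT"]
    unscored_accepted = [c["icid"] for c in accepted if c["sbrs"] is None]
    ratio = len(unscored_accepted) / len(accepted) if accepted else 0.0
    return {
        "total": len(conns),
        "by_group": by_group,
        "unscored_accepted": unscored_accepted,
        "unscored_accepted_ratio": ratio,
    }


def sbrs_matching_healthy(summary, max_unscored_ratio=0.2):
    """Assumed rule of thumb: most accepted inbound connections should carry a score."""
    return summary["unscored_accepted_ratio"] <= max_unscored_ratio


if __name__ == "__main__":
    s = sbrs_summary(parse_icid_lines(SAMPLE_MAIL_LOGS))
    print(s)
    print("SBRS matching healthy:", sbrs_matching_healthy(s))
```

Relay and reject lines are parsed but only accepted inbound connections count toward the unscored ratio, since relay-list hosts are matched by address rather than reputation. On a real appliance, feed the output of the mail_logs subscription to parse_icid_lines and look at the ratio over a full day rather than the handful of lines shown here.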