Cisco Secure Email Support Community
robjgodfrey
Beginner

SPAM or Directory Harvest Attack

The last 3 days we have experienced some problems with email.  I found that on Tuesday our IronPort C360 sent out about 600K emails.  This was reported as a DHA.  Today I have been trying to figure out how to stop the emails from going out.  I'm not really sure where to start since this is new to me, but the emails are being sent from subdomains of the ".ru" domain:

Examples:

laprovence@systema.ru

lancu@tfk.ru

I'm sure there are other variations of the domain, and I have even seen others.  This has been going on for about 3 days now, and users are now seeing emails not going out.  We just got blacklisted today.  I sent 3 emails to my personal accounts and only received 1 of them about 1 hour later.

Any suggestions would be great.

Thanks,

Robert

2 REPLIES
robjgodfrey
Beginner

So, I was able to figure out how to expedite the process.  The total messages to be processed was around 600k.  In order to allow this to go quicker and to get it over with, I changed the settings for the bounce profile to the lowest settings possible.  This essentially stopped retrying any failed send requests and immediately sent notifications to users with failed requests.  This allowed the process to complete in about 2 hours.  After the DHA was complete I was able to set the bounce profile to its defaults and it was business as usual.

Still I have an issue with being blacklisted, but we are on only 1 blacklist so it is not critical.  Since this is our first blacklist the wait time is about 48 hours.  The down side is that the host SORBS-SPAM is not very responsive so I am guessing I will have to wait the whole time.  Also, you can optionally release the blacklist yourself, but it has to come from the same IP address that was blacklisted, and this is not possible from the IronPort.

Robert,

You could also rate limit your tophosts, or highest volume senders.

Article #545: Can I rate limit and enforce a maximum message size by sender domain? Link: http://tools.cisco.com/squish/e2f17

Hope this helps,

Stephan
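Before applying the rate limit Stephan suggests, an admin first has to find the "tophosts" in the mail log. The script below is an added example (not from either poster, not Cisco's code): it aggregates outbound envelope senders per address and per domain from a handful of constructed log lines, whose layout is only loosely modelled on IronPort mail_logs "From:" entries, and lists the domains that cross a volume threshold, optionally restricted to one TLD such as the ".ru" senders in the original post.

```python
import re
from collections import Counter

# Constructed sample lines, loosely modelled on IronPort mail_logs "From:"
# entries. The exact format is an assumption, not a verbatim capture.
SAMPLE_LOG = """\
Tue Apr 10 09:00:01 2012 Info: MID 1001 ICID 501 From: <laprovence@systema.ru>
Tue Apr 10 09:00:02 2012 Info: MID 1002 ICID 501 From: <laprovence@systema.ru>
Tue Apr 10 09:00:02 2012 Info: MID 1003 ICID 502 From: <lancu@tfk.ru>
Tue Apr 10 09:00:03 2012 Info: MID 1004 ICID 503 From: <alice@example.com>
Tue Apr 10 09:00:04 2012 Info: MID 1005 ICID 501 From: <laprovence@systema.ru>
Tue Apr 10 09:00:05 2012 Info: MID 1006 ICID 502 From: <lancu@tfk.ru>
Tue Apr 10 09:00:06 2012 Info: MID 1007 ICID 504 From: <bob@example.com>
"""

# Message ID, injection connection ID and envelope sender of each message.
FROM_RE = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]+)>")


def count_senders(log_text):
    """Return (per_address, per_domain) Counters of envelope senders."""
    per_address = Counter()
    per_domain = Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue  # not a From: entry (or a line we could not parse)
        addr = m.group(3).lower()
        per_address[addr] += 1
        per_domain[addr.rsplit("@", 1)[-1]] += 1
    return per_address, per_domain


def top_offenders(log_text, threshold, tld=None):
    """Sender domains at or above threshold, highest volume first.

    If tld is given (e.g. "ru"), only domains under that TLD are listed.
    These are the candidates for a rate limit on the listener."""
    _, per_domain = count_senders(log_text)
    hits = [(d, n) for d, n in per_domain.items()
            if n >= threshold and (tld is None or d.endswith("." + tld))]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for domain, n in top_offenders(SAMPLE_LOG, threshold=2):
        print(f"{domain}: {n} messages")
```

On a real box the input would be the exported mail_logs and the threshold a value well above the normal per-domain volume for that listener.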
