SPAM or Directory Harvest Attack

robjgodfrey
Level 1

The last 3 days we have experienced some problems with email.  I found that on Tuesday our IronPort C360 sent out about 600K emails.  This was reported as a DHA.  Today I have been trying to figure out how to stop the emails from going out.  I'm not really sure where to start since this is new to me, but the emails are being sent from subdomains of the ".ru" domain:

Examples:

laprovence@systema.ru

lancu@tfk.ru

I'm sure there are other variations of the domain, and I have even seen others.  This has been going on for about 3 days now, and users are now seeing emails not going out.  We just got blacklisted today.  I sent 3 emails to my personal accounts and only received 1 of them about 1 hour later.

Any suggestions would be great.

Thanks,

Robert

2 Replies

robjgodfrey
Level 1

So, I was able to figure out how to expedite the process.  The total messages to be processed was around 600k.  In order to allow this to go quicker and to get it over with, I changed the settings for the bounce profile to the lowest settings possible.  This essentially stopped retrying any failed send requests and immediately sent notifications to users with failed requests.  This allowed the process to complete in about 2 hours.  After the DHA was complete I was able to set the bounce profile to its defaults and it was business as usual.

Still I have an issue with being blacklisted, but we are on only 1 blacklist so it is not critical.  Since this is our first blacklist the wait time is about 48 hours.  The down side is that the host SORBS-SPAM is not very responsive so I am guessing I will have to wait the whole time.  Also, you can optionally release the blacklist yourself, but it has to come from the same IP address that was blacklisted, and this is not possible from the IronPort.

Robert,

You could also rate limit your tophosts, or highest volume senders.

Article #545: Can I rate limit and enforce a maximum message size by sender domain? Link: http://tools.cisco.com/squish/e2f17

Hope this helps,

Stephan
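The pattern Robert describes (inbound probes to guessed local addresses from forged .ru senders, followed by a queue of outbound NDRs that earned a blacklisting) can be spotted in gateway logs before the queue reaches 600k, and the same tally shows which destination domains Stephan's rate-limiting advice should target. The following is an added example, not code from the thread or from Cisco; it uses a constructed, simplified log format (`from=<>` marks a null-sender bounce), not IronPort's real log syntax.

```python
import re
from collections import Counter

# Constructed sample, not IronPort output: each inbound DHA probe to a
# non-existent mailbox is followed by the NDR our gateway sent back to the
# forged .ru sender; the last two lines are ordinary legitimate traffic.
SAMPLE_LOG = """\
2011-05-10T09:00:01 inbound from=laprovence@systema.ru to=aaron@example.com status=unknown_recipient
2011-05-10T09:00:02 outbound from=<> to=laprovence@systema.ru status=bounce
2011-05-10T09:00:03 inbound from=laprovence@systema.ru to=abby@example.com status=unknown_recipient
2011-05-10T09:00:04 outbound from=<> to=laprovence@systema.ru status=bounce
2011-05-10T09:00:05 inbound from=lancu@tfk.ru to=adam@example.com status=unknown_recipient
2011-05-10T09:00:06 outbound from=<> to=lancu@tfk.ru status=bounce
2011-05-10T09:00:07 inbound from=laprovence@systema.ru to=alice@example.com status=unknown_recipient
2011-05-10T09:00:08 outbound from=<> to=laprovence@systema.ru status=bounce
2011-05-10T09:00:09 inbound from=partner@example.net to=alice.smith@example.com status=accepted
2011-05-10T09:00:10 outbound from=alice.smith@example.com to=partner@example.net status=delivered
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>inbound|outbound) from=(?P<frm>\S*) "
    r"to=(?P<to>\S+) status=(?P<status>\S+)$"
)

def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def domain(addr):
    """Domain part of an address, lower-cased ('<>' has none and is returned as-is)."""
    return addr.rsplit("@", 1)[-1].lower()

def backscatter_report(log, threshold=3):
    """Tally null-sender bounces per destination domain (the backscatter that
    gets a gateway blacklisted) and unknown-recipient probes per claimed source
    domain (the DHA itself); return only the domains at or over threshold."""
    ndr_by_dst = Counter()
    probes_by_src = Counter()
    for rec in parse(log):
        if rec["dir"] == "outbound" and rec["frm"] == "<>" and rec["status"] == "bounce":
            ndr_by_dst[domain(rec["to"])] += 1
        elif rec["dir"] == "inbound" and rec["status"] == "unknown_recipient":
            probes_by_src[domain(rec["frm"])] += 1
    return {
        "ndr_targets": {d: n for d, n in ndr_by_dst.items() if n >= threshold},
        "probe_sources": {d: n for d, n in probes_by_src.items() if n >= threshold},
    }

if __name__ == "__main__":
    print(backscatter_report(SAMPLE_LOG))
```

Domains that appear in `ndr_targets` are the ones whose NDRs should be dropped or rate limited rather than retried; domains in `probe_sources` are candidates for recipient-validation rejection at SMTP time, which prevents the NDR from being generated at all.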