cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
865
Views
0
Helpful
2
Replies
Highlighted
Beginner

SPAM or Directory Harvest Attack

The last 3 days we have experinced some problems with email.  I found that on Tuesday our IronPort C360 sent out about 600K emails.  This was reported as a DHA.  Today I have been trying to figure out how to stop the emails from going out.  I'm not really sure where to start since this is new to me, but the emails are being sent from subdomains of the ".ru" domain:

Examples:

laprovence@systema.ru

lancu@tfk.ru

I'm sure there are other variations of the domain, and I have even seen others.  This has been going on for about 3 days now, and users are now seeing emails not going out.  We just got blacklisted today.  I sent 3 emails to my personal accounts and only recieved 1 of them about 1 hour later.

Any suggestions would be great.

Thanks,

Robert

2 REPLIES 2
Highlighted
Beginner

So, I was able to figure out how to expedite the process.  The total messages to be processed was around 600k.  In order to allow this to go quicker adnto get it over with, I changed the settings for the bounce profile to the lowest settings possible.  This essentially stopped retrying any failed send requests and immediately sent notifications to users with failed requests.  This allowed the process to complete in about 2 hours.  After the DHA was complete I was able to set the bounce profile to it's defaults and it was business as usual.

Still I have an issue with being blacklisted, but we are on only 1 blacklist so it is not critical.  Since this is our first blacklist the wait time is about 48 hours.  The down side is that the host SORBS-SPAM is not very responsive so I am guessing I will have to wait the whole time.  Also, you can optionally release the blacklist yourself, but it has to come from the same IP address that was blacklisted, and this is not possible from the IronPort.

Highlighted

Robert,

You could also rate limit your tophosts, or highest volume senders.

Article #545: Can I rate limit and enforce a maximum message size by sender domain? Link: http://tools.cisco.com/squish/e2f17

Hope this helps,

Stephan

Content for Community-Ad