Cisco Secure Email Support Community



SPAM or Directory Harvest Attack

The last 3 days we have experienced some problems with email. I found that on Tuesday our IronPort C360 sent out about 600K emails. This was reported as a DHA. Today I have been trying to figure out how to stop the emails from going out. I'm not really sure where to start since this is new to me, but the emails are being sent from subdomains of the ".ru" domain:


I'm sure there are other variations of the domain, and I have even seen others. This has been going on for about 3 days now, and users are now seeing emails not going out. We just got blacklisted today. I sent 3 emails to my personal accounts and only received 1 of them about 1 hour later.

Any suggestions would be great.




So, I was able to figure out how to expedite the process. The total messages to be processed was around 600k. In order to allow this to go quicker and to get it over with, I changed the settings for the bounce profile to the lowest settings possible. This essentially stopped retrying any failed send requests and immediately sent notifications to users with failed requests. This allowed the process to complete in about 2 hours. After the DHA was complete I was able to set the bounce profile to its defaults and it was business as usual.

Still I have an issue with being blacklisted, but we are on only 1 blacklist so it is not critical. Since this is our first blacklist the wait time is about 48 hours. The downside is that the host SORBS-SPAM is not very responsive so I am guessing I will have to wait the whole time. Also, you can optionally release the blacklist yourself, but it has to come from the same IP address that was blacklisted, and this is not possible from the IronPort.


You could also rate limit your tophosts, or highest volume senders.

Article #545: Can I rate limit and enforce a maximum message size by sender domain? Link:

Hope this helps,

