Unable to detect Spam Attack with Cisco ESA

saad.reddad
Level 1

Hi,

I am trying to test the ability of Cisco ESA to detect spam using SETOOLKIT in Kali Linux, but ESA doesn't block this attack, and when I look at the logs I find

Fri May 5 18:45:54 2017 Info: ICID 249 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS rfc1918

in the mail logs. I'm also unable to download updates; I get this error each time:

Fri May 5 18:44:34 2017 Info: case released download lock
Fri May 5 18:44:34 2017 Info: case failed to download "case/2.0/case_rules/default/1493989219103392": attempt 0
Fri May 5 18:44:34 2017 Info: case waiting on download lock
Fri May 5 18:44:34 2017 Info: case acquired download lock


Can you help me with this?

Best regards

3 Replies

Libin Varghese
Cisco Employee

Hi,

If you are testing the anti-spam engine you should look at the anti-spam verdict in the message tracking.

The SenderBase score showing rfc1918 suggests that the sender IP is a private IP address, which would not have a reputation score on SenderBase.

As for the CASE download failure, it could be a temporary network interruption or a firewall not allowing the download from the Cisco update servers.

You can use the telnet commands below to confirm connectivity:

telnet update-manifests.ironport.com 443

telnet downloads.ironport.com 80

telnet updates.ironport.com 80

If the connection is successful, then we would need to set up a packet capture to review further.

Thank You!

Libin Varghese

Thank you very much for your response.

Now I'm able to update the anti-spam database; however, I still have the same issue updating Sophos and Graymail:

Sun May 7 04:52:07 2017 Info: sophos started downloading files
Sun May 7 04:52:07 2017 Info: sophos waiting on download lock
Sun May 7 04:52:07 2017 Info: sophos acquired download lock
Sun May 7 04:52:07 2017 Info: sophos beginning download of remote file "http://updates.ironport.com/sophos/4.4/ide/default_esa/1494124686"
Sun May 7 04:52:18 2017 Info: sophos released download lock
Sun May 7 04:52:18 2017 Info: sophos successfully downloaded file "sophos/4.4/ide/default_esa/1494124686"
Sun May 7 04:52:18 2017 Info: sophos waiting on download lock
Sun May 7 04:52:18 2017 Info: sophos acquired download lock
Sun May 7 04:52:18 2017 Info: sophos beginning download of remote file "http://updates.ironport.com/sophos/libsavi/1493737312"
Sun May 7 05:05:43 2017 Info: sophos beginning download of remote file "http://updates.ironport.com/sophos/libsavi/1493737312"
Sun May 7 05:16:13 2017 Info: sophos released download lock
Sun May 7 05:16:13 2017 Info: sophos failed to download "sophos/libsavi/1493737312": attempt 0
Sun May 7 05:16:13 2017 Info: sophos waiting on download lock
Sun May 7 05:16:13 2017 Info: sophos acquired download lock
Sun May 7 05:16:13 2017 Info: sophos beginning download of remote file "http://updates.ironport.com/sophos/libsavi/1493737312"
Sun May 7 05:26:14 2017 Info: sophos beginning download of remote file "http://updates.ironport.com/sophos/libsavi/1493737312"
Sun May 7 09:20:50 2017 Info: sophos released download lock
Sun May 7 09:20:50 2017 Info: sophos failed to download "sophos/libsavi/1493737312": attempt 1

I would like to know if it is possible to download the updates manually and apply them in CLI mode.

As for the telnet commands, I don't have any problem with the firewall:

esa.seg.lab> telnet update-manifests.ironport.com 443

Trying 208.90.58.5...
Connected to update-manifests.ironport.com.
Escape character is '^]'.

esa.seg.lab> telnet downloads.ironport.com 80

Trying 81.192.28.139...
Connected to 81.192.28.139.
Escape character is '^]'.

The telnet commands confirm there is connectivity to the update servers; however, there can still be intermittent network interruptions when the device attempts to download the updates.

I would recommend setting up a packet capture to confirm the same.

The updates cannot be downloaded separately at the moment and would need to be completed using the automatic updates.

- Libin V
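The two points made in the replies above (an `sbrs[none]` / `SBRS rfc1918` connection line means the lab sender has no reputation score, so the anti-spam verdict must be read from message tracking; and a "failed to download" line that repeats for the same file is an update problem worth capturing) can both be pulled out of the raw log text mechanically. The following is an added example, not code from the thread or from Cisco: a small Python triage script that parses the exact line formats quoted in the posts above (the sample input is copied from those posts, not live data) and reports private-address senders and update files that keep failing. The field names and thresholds are the author's own assumptions.

```python
"""Triage helper for the AsyncOS log lines quoted in this thread.

Added example, not part of the thread or of Cisco's own tooling. It parses two
kinds of lines: ICID connection lines carrying a SenderBase (SBRS) verdict, and
engine update lines ("failed to download" / "successfully downloaded file"),
then reports senders that cannot have a reputation score (private, RFC1918
source) and update files that keep failing.
"""
import re
from collections import OrderedDict

# Sample input: log lines copied from the posts above (not live data).
SAMPLE_LOG = """\
Fri May 5 18:45:54 2017 Info: ICID 249 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS rfc1918
Fri May 5 18:44:34 2017 Info: case failed to download "case/2.0/case_rules/default/1493989219103392": attempt 0
Sun May 7 04:52:18 2017 Info: sophos successfully downloaded file "sophos/4.4/ide/default_esa/1494124686"
Sun May 7 05:16:13 2017 Info: sophos failed to download "sophos/libsavi/1493737312": attempt 0
Sun May 7 09:20:50 2017 Info: sophos failed to download "sophos/libsavi/1493737312": attempt 1
"""

# Timestamp prefix shared by every line: "Fri May 5 18:45:54 2017"
TS = r"(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
ICID_RE = re.compile(
    TS + r" Info: ICID (?P<icid>\d+) (?P<verdict>\S+) SG (?P<sg>\S+)"
    r" match (?P<match>\S+) SBRS (?P<sbrs>\S+)"
)
FAIL_RE = re.compile(
    TS + r' Info: (?P<engine>\w+) failed to download "(?P<file>[^"]+)": attempt (?P<attempt>\d+)'
)
OK_RE = re.compile(
    TS + r' Info: (?P<engine>\w+) successfully downloaded file "(?P<file>[^"]+)"'
)


def parse_icid_lines(log_text):
    """Return one dict per ICID line: icid, verdict, sender group, SBRS fields."""
    records = []
    for line in log_text.splitlines():
        m = ICID_RE.match(line)
        if m:
            d = m.groupdict()
            d["icid"] = int(d["icid"])
            records.append(d)
    return records


def reputation_findings(records):
    """Explain ICID lines whose SBRS verdict is 'rfc1918' or whose score is none.

    A private (RFC1918) source address never has a SenderBase score, so a test
    sent from a lab box exercises the HAT sender group, not reputation
    filtering; the anti-spam verdict has to be read from message tracking.
    """
    findings = []
    for r in records:
        if r["sbrs"] == "rfc1918" or r["match"] == "sbrs[none]":
            findings.append(
                "ICID %d: %s via sender group %s, SBRS %s (%s): sender is a "
                "private address with no reputation score; check the anti-spam "
                "verdict in message tracking rather than the HAT decision"
                % (r["icid"], r["verdict"], r["sg"], r["sbrs"], r["match"])
            )
    return findings


def download_status(log_text):
    """Map each update file to its engine, failed attempt numbers and success flag."""
    status = OrderedDict()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            entry = status.setdefault(
                m["file"], {"engine": m["engine"], "failed_attempts": [], "succeeded": False})
            entry["failed_attempts"].append(int(m["attempt"]))
            continue
        m = OK_RE.match(line)
        if m:
            entry = status.setdefault(
                m["file"], {"engine": m["engine"], "failed_attempts": [], "succeeded": False})
            entry["succeeded"] = True
    return status


def stuck_downloads(log_text, min_failures=2):
    """Files that failed at least min_failures times and never succeeded."""
    return [f for f, s in download_status(log_text).items()
            if not s["succeeded"] and len(s["failed_attempts"]) >= min_failures]


if __name__ == "__main__":
    for msg in reputation_findings(parse_icid_lines(SAMPLE_LOG)):
        print(msg)
    for f in stuck_downloads(SAMPLE_LOG):
        s = download_status(SAMPLE_LOG)[f]
        print("%s update stuck: %s failed on attempts %s" % (s["engine"], f, s["failed_attempts"]))
```

Run against a saved `mail_logs` or `updater_logs` export instead of `SAMPLE_LOG` to get the same two reports; a file listed by `stuck_downloads` is the one to watch in the packet capture Libin suggests, since the successful `sophos/4.4/ide` download on the same host shows the connectivity itself is not the problem.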