
Undetected spam becoming unbearable

Michael Bale
Level 1

This is an ongoing problem with the ESA IronPort units over the last few years since it has been acquired. It used to work great; now we have ongoing periods where it is almost like the device isn't even on.


Image spam, Viagra spam, get rich spam, drug and alcohol rehab, and weight loss messages come in fast and furious. I have had multiple teams at Cisco do an analysis on our devices and say it is as suggested. Yet we constantly get these periods where for 2-4 days we get flooded with spam. It goes away, and a month later it all happens again.

 

The amount of funding, lending, and fake invoice emails is dizzying.

 

On a regular basis, we get far more spam than we used to under the IronPort brand. It has been getting so bad I am seriously considering other solutions.

3 Replies

Robert Sherwin
Cisco Employee

Sorry to hear you are having issues.  What version of AsyncOS is running on your appliance(s)?  Do you have a past case (SR) that was opened with Cisco TAC that I can review for you, get a little further background on?  Have you submitted samples into our Corpus (spam@access.ironport.com)? 

 

Also see - ESA FAQ: How to submit email messages to Cisco

 

Are you running multiple inbound mail policies?  Do you have IPAS, Cloudmark, or Multiscan enabled for antispam?  Running default rules, or adjusted to try and combat incoming spam?

 

Feel free to message me direct with SR info.

 

landertcsi
Level 1

This sudden surge of spam waves is annoying; sometimes we have only about 10k mails/24 hours, sometimes it's increasing to 150k/24 hours with no obvious reason.

 

I would recommend using Geolocation blocking (new in v11). You could block many countries if you're not doing business there (we blocked most countries from Eastern Europe, Middle East, South/Middle America and Africa).

 

Plus we have a dictionary of SPAM words (about 600 entries), which catches obvious spam.

 

I also use the included "language" and "sexual content" dictionaries in a content filter... that cut the Viagra spam out. DKIM/SPF/DMARC has trimmed down some.

And yes, our IPS is blocking connections from most of the countries in the world because we don't do business with them...