Showing results for 
Search instead for 
Did you mean: 

undetected spam from the inside to outside

Hi i have a ironport c150 in failover mode, everything is working fine, but the virus infected a PC, this send a lot of spam through the ironport.

i have activated the antispam on the relay list but nothing still sending spam how i cant detected from inside to outside?.


You have to enable Anti Spam on the outgoing policies. There is allways the possibility that the particular mailmessage is not detected as SPAM. If so you have to define an outgoing filter to capture this message.


yes i have enable the Anti Spam on the outgoing policies but still.

take a look this attachement


The message is not detected as Spam by Case. You have to create an outgoing filter for the sender to capture the message.


thats is a good idea, but every day apears a new spam for everybody i need to do this dosnt the anti spam by case automacally detected


Maybe you can do something with the sending domain, I expect this is not one of your own domains ?


Keep in mind that the accuracy of anti-spam scanning out bound is not as accurate is scanning inbound. This is because we do not have an IP to validate against.  Though IPAS performs content scanning we still attempt to utilize the source IP address as a component in the signatures, if possible. Since these would originate from an internal address we would be missing some data. This is not to say that scanning outbound will not work, but it is just not as accurate in most cases.

I think you best bet here is to try to capture the message in question , in something such as an archive.  Ideally if this is the result of a system that is compromised you would want to isolate that system. Typically you would not want to allow individual systems direct access to the relaylist sendergroup, but instead only allow the mail server to relay through the appliance.

Christopher C Smith

Cisco IronPort Customer Support 


I must be missing something here. Doesn't the submitted evidence show the connection came from the original poster's

If that's a single device, why not add it to a new sender group ahead of your RELAYLIST (presuming a standard HAT) but set to BLOCKED, and if the user complains then tell them they've just lost their relay privileges and will have to get their IT desktop support to find the cause before those privileges are restored.

If it's a whole mail system, find the admin team responsible for it and ask them what they're going to do for connectivity if you rate-limit their system. Do point out that rate-limiting does not respect the importance of the message or the sender. Tracking down the virus abusing their system is their problem, and all you can do give them samples to work on.

In either case a mail caused by viral infection is completely unacceptable because it could potentially spead the virus further.