11-25-2010 04:22 AM
Hi, I have an IronPort C150 in failover mode. Everything is working fine, but a virus infected a PC, which is sending a lot of spam through the IronPort.
I have activated the anti-spam on the relay list, but nothing: it is still sending spam. How can I detect it from inside to outside?
11-25-2010 04:35 AM
You have to enable Anti-Spam on the outgoing policies. There is always the possibility that the particular mail message is not detected as SPAM. If so, you have to define an outgoing filter to capture this message.
11-25-2010 04:40 AM
11-25-2010 04:50 AM
The message is not detected as spam by CASE. You have to create an outgoing filter for the sender to capture the message.
11-25-2010 06:29 AM
That is a good idea, but every day a new spam appears for everybody. Do I need to do this? Doesn't the anti-spam by CASE automatically detect it?
11-25-2010 11:24 PM
Maybe you can do something with the sending domain; I expect this is not one of your own domains?
11-26-2010 07:11 AM
Keep in mind that the accuracy of anti-spam scanning outbound is not as good as scanning inbound. This is because we do not have an IP to validate against. Though IPAS performs content scanning, we still attempt to utilize the source IP address as a component in the signatures, if possible. Since these would originate from an internal address, we would be missing some data. This is not to say that scanning outbound will not work, but it is just not as accurate in most cases.
I think your best bet here is to try to capture the message in question, in something such as an archive. Ideally, if this is the result of a system that is compromised, you would want to isolate that system. Typically you would not want to allow individual systems direct access to the RELAYLIST sender group, but instead only allow the mail server to relay through the appliance.
Christopher C Smith
CSE
Cisco IronPort Customer Support
11-26-2010 01:28 PM
I must be missing something here. Doesn't the submitted evidence show the connection came from the original poster's 10.20.2.15?
If that's a single device, why not add it to a new sender group ahead of your RELAYLIST (presuming a standard HAT) but set to BLOCKED, and if the user complains then tell them they've just lost their relay privileges and will have to get their IT desktop support to find the cause before those privileges are restored.
If it's a whole mail system, find the admin team responsible for it and ask them what they're going to do for connectivity if you rate-limit their system. Do point out that rate-limiting does not respect the importance of the message or the sender. Tracking down the virus abusing their system is their problem, and all you can do is give them samples to work on.
In either case, mail caused by viral infection is completely unacceptable because it could potentially spread the virus further.
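The advice in the last two replies (capture the outbound mail, then find which internal host is abusing the RELAYLIST sender group and pull it out of that group) starts with knowing which host it is. The script below is an added example, not code from the thread or from Cisco; it counts relay connections per internal source address in text mail logs and flags hosts that exceed a threshold. The two log line shapes (the "New SMTP ICID ... address X" line and the "ICID ... ACCEPT SG RELAYLIST" verdict) and the sample entries are constructed approximations of AsyncOS mail_logs, not copied from an appliance, so adjust the regexes to your own log format.

```python
import re
from collections import Counter

# Constructed sample log text (assumed AsyncOS mail_logs shape). 10.20.2.15 is the
# suspect PC from the thread; 10.20.2.20 stands in for the legitimate mail server.
SAMPLE_MAIL_LOGS = "\n".join(
    [f"Thu Nov 25 04:0{i}:00 2010 Info: New SMTP ICID {1000 + i} interface Data 1 (10.20.2.1) "
     f"address 10.20.2.15 reverse dns host unknown verified no\n"
     f"Thu Nov 25 04:0{i}:00 2010 Info: ICID {1000 + i} ACCEPT SG RELAYLIST match 10.0.0.0/8 SBRS rfc1918"
     for i in range(1, 6)]
    + [f"Thu Nov 25 04:1{i}:00 2010 Info: New SMTP ICID {2000 + i} interface Data 1 (10.20.2.1) "
       f"address 10.20.2.20 reverse dns host mail.example.local verified yes\n"
       f"Thu Nov 25 04:1{i}:00 2010 Info: ICID {2000 + i} ACCEPT SG RELAYLIST match 10.0.0.0/8 SBRS rfc1918"
       for i in range(1, 3)]
)

NEW_ICID_RE = re.compile(r"New SMTP ICID (\d+) interface .*? address (\S+)")
VERDICT_RE = re.compile(r"ICID (\d+) (ACCEPT|REJECT|TCPREFUSE) SG (\S+)")


def relay_connections_by_host(log_text, sender_group="RELAYLIST"):
    """Count connections per source IP that were accepted under the given sender group.

    The ICID ties the connection-open line (which carries the source IP) to the
    HAT verdict line (which carries the sender group), so both are needed.
    """
    icid_to_ip = {}
    counts = Counter()
    for line in log_text.splitlines():
        m = NEW_ICID_RE.search(line)
        if m:
            icid_to_ip[m.group(1)] = m.group(2)
            continue
        v = VERDICT_RE.search(line)
        if v and v.group(2) == "ACCEPT" and v.group(3) == sender_group:
            ip = icid_to_ip.get(v.group(1))
            if ip:
                counts[ip] += 1
    return counts


def noisy_relay_hosts(log_text, threshold=3, sender_group="RELAYLIST"):
    """Return source IPs with more relay connections than expected, busiest first.

    A single workstation should rarely open relay connections at all; only the
    mail server should. Anything over the threshold is a candidate for its own
    BLOCKED sender group ahead of RELAYLIST (or for isolation), as the thread suggests.
    """
    counts = relay_connections_by_host(log_text, sender_group)
    return [ip for ip, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    for ip, n in relay_connections_by_host(SAMPLE_MAIL_LOGS).most_common():
        print(f"{ip}: {n} relay connections")
    print("suspect hosts:", noisy_relay_hosts(SAMPLE_MAIL_LOGS))
```

Run it against a real export of mail_logs instead of SAMPLE_MAIL_LOGS, and set the threshold from the number of connections your legitimate mail server normally opens in the same window.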