Messaging Gateway

  • 1.  Huge spam attack in our mailboxes - all spam bypassing SBG

    Posted Jun 10, 2009 09:32 AM
    Hi,

    Please help I am really stuck here.

    This message has been coming into all the mailboxes for the last 5 days and is appearing every 4 seconds. Some have it 800 times since the last two days. Please help.
    Your message could not be delivered for 3 days, 20 hours, 0 minutes.It will be retried until it is 5 days, 0 hours, 0 minutes old

    Our messaging scenario is as follows:
    Internet > ASA > AntiSpam Symantec Brightmail > Exchange 2003 > UserMailboxes

    We have 1900 mailboxes.


    Here is the header info of one of the hundreds of emails coming to our mailboxes:


    X-AuditID: 0a000887-b7b3aae000001070-30-4a1d94a10da2
    Received: from host86-137-88-162.range86-137.btcentralplus.com (host86-137-88-162.range86-137.btcentralplus.com [86.137.88.162])
    by psuasb.***.sa (Symantec Mail Security) with SMTP id 6C.B4.04208.1A49D1A4; Wed, 27 May 2009 22:29:38 +0300 (AST)
    Message-ID: <063060257433524.PJAIQRQLYBHZKLJ@host86-137-88-162.range86-137.btcentralplus.com>
    From: "*******" <faculty@*****.edu.sa>
    To: faculty@pscw.psu.edu.sa
    Subject: Browse this
    MIME-Version: 1.0
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit
    X-Bmi-Source: external
    X-Brightmail-Tracker: AAAAAw6yNdsPC5ACDxYi7Q==



    X-AuditID: 0a000887-b7b3aae000001070-5f-4a2a710f9280
    Received: from rb5bb219.net.upc.cz (rb5bb219.net.upc.cz [89.176.181.219])
    by psuasb.psu.edu.sa (Symantec Mail Security) with SMTP id B8.FB.04208.0117A2A4; Sat, 6 Jun 2009 16:37:20 +0300 (AST)
    Message-ID: <206339263998632.OGBLAJZCNVPBRAO@rb5bb219.net.upc.cz>
    From: "Roscoe" <generalcoursesfaculty@pscw.psu.edu.sa>
    To: generalcoursesfaculty@pscw.psu.edu.sa
    Subject: List of conditions
    MIME-Version: 1.0
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit
    X-Bmi-Source: external
    X-Brightmail-Tracker: AAAAAg82j/APRbBr

    X-AuditID: 0a000887-b7b3aae000001070-ff-4a2e779de9fb
    Received: from 174-173-247-190.fibertel.com.ar (174-173-247-190.fibertel.com.ar [190.247.173.174])
    by psuasb.psu.edu.sa (Symantec Mail Security) with SMTP id 40.27.04208.F977E2A4; Tue, 9 Jun 2009 17:54:27 +0300 (AST)
    Message-ID: <PFNAPKHADXEIM.XULATCEWBTEBRQN22016150217@174-173-247-190.fibertel.com.ar>
    From: "Bryant" <generalcoursesfaculty@pscw.psu.edu.sa>
    To: generalcoursesfaculty@pscw.psu.edu.sa
    Subject: Use this number
    MIME-Version: 1.0
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: 7bit
    X-Bmi-Source: external
    X-Brightmail-Tracker: AAAABAVlrTYOsjXbD11ASw9dfXY=





  • 2.  RE: Huge spam attack in our mailboxes - all spam bypassing SBG

    Posted Jun 16, 2009 02:06 PM
    Hi,

    First thing I would say is that if you are having any major issues with the product contact Technical Support who can assist you.

    Looking at the screenshot from the Control Centre, there appear to be just 1264 messages in 24 hours which did not receive any verdict. This would seem to be a reasonable amount of clean email for 1900 mailboxes, although of course this depends on your local email patterns.

    Ensure that the action for spam verdict is set to delete and that messages sent from IPs with a bad reputation are rejected. For maximum effectiveness and performance, ensure that you are on the latest version of the product (currently SBG 8.0.1-7) with the Standard DNS Reputation enabled.

    This was a very large attack and the vast majority of it should be blocked. Any messages which were missed can also be submitted to Symantec for filter creation following the procedure in this article: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2005012415180263

    Amanda


  • 3.  RE: Huge spam attack in our mailboxes - all spam bypassing SBG

    Posted Jun 16, 2009 02:21 PM

    One last thing I would add is that it appears as if your domain was spoofed as the Sender address in this attack. This has come up in the past, and what you might want to try is to publish an SPF or Sender ID record for your domain and then enable Sender Authentication on your domain.

    Another thing you could try is adding your own domain to the Local Bad Sender Domains based list. You could really only do this if you were positive that any mails hitting the Inbound IP of your Brightmail Gateway Scanners from recipients at your local domains were spoofed messages.

    Cheers,

    Kevin
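As an added example (not code from this thread or from Symantec's product), here is the check Kevin describes, run over headers of the kind pasted in the question: a message whose From: domain is one of our own, but which reached the gateway's inbound IP from an outside host that our published SPF range does not cover, is flagged as spoofed. The local domains, the allowed sender range and the sample headers are constructed placeholders standing in for a real SPF record and real traffic.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed local domains and the hosts permitted to send for them (the role an SPF
# record plays once published). Constructed values, not the thread's own.
LOCAL_DOMAINS = {"example.edu", "pscw.example.edu"}
SPF_ALLOWED = [ipaddress.ip_network("198.51.100.0/24")]

# Client IP as the gateway writes it into its Received: line: "(name [1.2.3.4])".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyze(raw):
    """Classify one raw message; the topmost Received: is the hop our gateway recorded."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = None
    for hop in msg.get_all("Received") or []:
        m = RECEIVED_IP.search(hop)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            break
    external = msg.get("X-Bmi-Source", "").strip().lower() == "external"
    allowed = ip is not None and any(ip in net for net in SPF_ALLOWED)
    # Spoofed: claims to be us, came in on the external side, and is not an allowed sender.
    spoofed = domain in LOCAL_DOMAINS and external and not allowed
    return {"domain": domain, "ip": str(ip) if ip else None,
            "external": external, "allowed": allowed, "spoofed": spoofed}

def _headers(client, from_hdr):
    """Build a constructed message modelled on the headers pasted in the question."""
    return "\n".join([
        f"Received: from {client[0]} ({client[0]} [{client[1]}])",
        "\tby gateway.example.edu (Symantec Mail Security) with SMTP id 00.00.00000.00000000;",
        "\tSat, 6 Jun 2009 16:37:20 +0300 (AST)",
        f"From: {from_hdr}",
        "To: generalcoursesfaculty@pscw.example.edu",
        "Subject: List of conditions",
        "X-Bmi-Source: external",
        "",
        "<html>constructed body</html>",
    ])

SPOOFED = _headers(("rb.example.net", "203.0.113.45"), '"Roscoe" <generalcoursesfaculty@pscw.example.edu>')
LEGIT_BULK = _headers(("bulk.example.com", "198.51.100.7"), '"Registrar" <noreply@example.edu>')
THIRD_PARTY = _headers(("mx.example.org", "203.0.113.9"), '"Partner" <someone@example.org>')

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("legit bulk", LEGIT_BULK), ("third party", THIRD_PARTY)]:
        print(name, analyze(raw))
```

Only messages that claim a local domain are judged; a third-party sender arriving from an unlisted IP is left to the normal spam verdicts.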