System Administrator
All Forums >> [Web & Mail Security] >> GFI MailEssentials >> System Administrator Page: [1]
System Administrator - 20.Oct.2009 7:48:54 AM   
bigsoup
Posts: 22
Status: offline
Within the past week we have been getting hammered with spam coming from the spoofed address "system-administrator@our domain".  The body of the message contains the following with a link for the user to click on to download a patch (trojan):
"On October 20, 2009 a server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure."
To employees this looks like a legitimate e-mail from IT.  If they do click on the provided link the page is blocked by WebMonitor.  No matter what I do I cannot seem to stop these from coming through.  Any ideas?
Post #: 1
RE: System Administrator - 20.Oct.2009 7:52:20 AM   
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
Hi,

Can you check this knowledgebase article, which shows how to block spam that seems to be coming from your domain: http://kbase.gfi.com/showarticle.asp?id=KBID001910

_____________________________

Nicholas Sciberras
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software

(in reply to bigsoup)
Post #: 2
RE: System Administrator - 20.Oct.2009 8:59:37 AM   
bigsoup
Posts: 22
Status: offline
Thanks, I had reviewed that knowledgebase article a while back when we initially had problems with spam that appeared to be coming from our domain.  I made all the necessary changes and all was well.  Now after some time, these messages started appearing.  We started receiving these after upgrading to 14.1.  I have had other issues with 14.1 so I'm wondering if this is a problem as well.

(in reply to bigsoup)
Post #: 3
RE: System Administrator - 20.Oct.2009 9:05:41 AM   
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
Can you confirm that the perimeter servers are configured correctly? Could these have been re-configured during the upgrade?

Check also the patches documented at http://forums.gfi.com/Patch_Information_-_GFI_MailEssentials_14%251_build_20090826/m_900781227/tm.htm. The SpamRazer updates problem will cause the SpamRazer engine to lose some of its efficiency.

_____________________________

Nicholas Sciberras
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software

(in reply to bigsoup)
Post #: 4
RE: System Administrator - 20.Oct.2009 10:44:22 AM   
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Make sure the server is still querying the same DNS where your SPF record is located.

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to bigsoup)
Post #: 5
RE: System Administrator - 20.Oct.2009 11:22:36 AM   
gcs
Posts: 3
Joined: 11.Jun.2009
Status: offline
I am seeing these emails as well running 14.0 20090408. SPF seems to be doing its job for the most part, as the SPF logs for today contain several thousand entries. But messages like this are still getting through:

From: robot@MYDOMAIN.com [mailto:robot@MYDOMAIN.com]
Sent: Monday, October 19, 2009 1:50 PM
To: Service
Subject: A new settings file for the aa@MYDOMAIN.com

Dear user of the MYDOMAIN.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (aa@MYDOMAIN.com) settings were changed. In order to apply the new set of settings click on the following link:

LINK REMOVED

Best regards, MYDOMAIN.com Technical Support.

I have temporarily resolved the issue through content filtering in MailSecurity.

(in reply to bigsoup)
Post #: 6
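RSP's point about the resolver and gcs's observation that SPF logs are busy yet spoofed "From: our domain" mail still arrives both come down to the same two checks: what verdict SPF returns when the record cannot be fetched, and whether the check is applied to the displayed From domain rather than only the envelope sender. The following is an added, self-contained illustration (not GFI code and not the thread's real SPF record); the domain, the SPF record, the IPs and the `lookup_spf` stand-in are constructed.

```python
import ipaddress
from typing import Optional

# Constructed sample: the protected domain and its SPF TXT record (not a real record).
OUR_DOMAIN = "mydomain.example"
SPF_RECORDS = {OUR_DOMAIN: "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"}

def lookup_spf(domain: str, dns_available: bool = True) -> Optional[str]:
    """Stand-in for a DNS TXT query; returns None when the resolver gives no answer."""
    if not dns_available:
        return None
    return SPF_RECORDS.get(domain)

def spf_check(client_ip: str, domain: str, dns_available: bool = True) -> str:
    """Minimal SPF evaluation covering ip4/ip6 mechanisms and the trailing 'all'."""
    record = lookup_spf(domain, dns_available)
    if record is None or not record.startswith("v=spf1"):
        # No record seen (wrong or unreachable DNS): SPF gives no verdict at all,
        # so a filter that only rejects on 'fail' lets the message straight through.
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # a/mx/include need further DNS lookups; out of scope here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def should_block(client_ip: str, header_from_domain: str, dns_available: bool = True) -> bool:
    """Policy: a message whose displayed From domain is ours must come from a host our
    own SPF record authorises; anything else, including a 'none' verdict, is blocked.
    Plain SPF only examines the envelope sender, which a spoofer can set to any domain,
    so the check is run against OUR record whenever the visible From claims our domain."""
    if header_from_domain.lower() != OUR_DOMAIN:
        return False
    return spf_check(client_ip, OUR_DOMAIN, dns_available) != "pass"
```

With the sample record, mail from 203.0.113.10 claiming our domain passes, mail from an outside address such as 192.0.2.5 is blocked, and the same outside message is still blocked when DNS is unavailable, which is exactly the case a plain "reject on fail" rule misses.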
RE: System Administrator - 20.Oct.2009 12:22:44 PM   
bigsoup
Posts: 22
Status: offline
Perimeter server is correct, MailEssentials is patched and DNS is correct.  They just seem to get through somehow.  I'm going to use keyword checking to try and keep them from getting through.

(in reply to bigsoup)
Post #: 7