[AusNOG] Fw: important

Rhys Hanrahan rhys at nexusone.com.au
Thu Oct 1 13:59:50 EST 2015


Hi Chad,

Thanks for this (and thanks everyone for the replies).

Have you found that you needed to drop .zip extensions, or are the Ironports able to detect crypto emails on their own? We can already do attachment blocking with our current stack, but the problem is that all these manual changes are becoming ineffective and too much work. So I'm looking for something that will keep on top of the spam with better/regular signature updates etc...

Another problem is, I know there's lots of variants and the latest ones seem to be macro-enabled PDF files; obviously we can't go blocking PDF attachments.

But frankly, even blocking ZIP files is a little too heavy-handed to me, if we can avoid it. I know we'll get people complaining that we've blocked their ZIP files if we do that.

So I'm hoping there's something that manages to keep on top of recent spam emails without too much manual intervention.

Thanks.

Rhys Hanrahan
Chief Information Officer
Nexus One Pty Ltd

E: support at nexusone.com.au
P: +61 2 9191 0606
W: http://www.nexusone.com.au/
M: PO Box 127, Royal Exchange NSW 1225
A: Level 10 307 Pitt St, Sydney NSW 2000



________________________________________
From: Chad Kelly [chad at cpkws.com.au]
Sent: Thursday, 1 October 2015 1:43 PM
To: Rhys Hanrahan; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Fw: important

On 10/1/2015 1:05 PM, Rhys Hanrahan wrote:
> Hi Everyone,
>
> I've actually been thinking about posting about this lately... So I thought I'd put this out there while we're on the topic.
>
> We've been getting hit a lot with the crypto virus emails, and they seem to be difficult to block. It seems over the last few months there's been a steady increase in the amount of stuff getting through. Particularly seems that spammers are leveraging what appears to be legitimate mail-out services to get their spam through.
>
> Has anyone found an appliance or otherwise that we can run on, or alongside, our existing filtering that does well at blocking some of this stuff (particularly the crypto viruses - even server-side AV seems to miss it)?
>
> I've heard of Ironport before, and I'll definitely be looking at that, but curious to know if there's anything else out there that can be recommended?
>
> Most of the things I've considered so far seem to be aimed more at a single enterprise / on-site IT (charging per user), instead of being aimed at larger-scale centralised ISP-style filtering.
>

You can set IronPort to just drop anything with a .zip extension, which
solves these issues as the appliance will drop the emails before they
even reach the server.
Ironport can also do inbound filtering as well as outbound.
Given what you guys want to use the system for, it may well be worth the
investment in buying your own appliances.
Regards Chad.


--
Chad Kelly
Manager
CPK Web Services
web www.cpkws.com.au
phone 03 9013 4853


