
Explosion of spam and malicious emails in last several days


24 replies to this topic

#1 Joe Louis

Joe Louis
  • Members
  • 1 posts

Posted 26 June 2019 - 11:57 AM

We've noticed a huge increase in the volume of CVS, coffee, furniture, dealership, etc. in the last week. They are coming in waves and from the same source IP in that particular wave. It's way too much to keep banning IPs. Did something in 'Cuda's analysis change? I am current on definitions.



#2 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 374 posts

Posted 26 June 2019 - 12:52 PM

Joe,

Nothing has changed on the service or how it works, but spammers are constantly working to find ways to build new spam.

You will need to call into Barracuda Support and work with a support tech to find and report the new spam you are seeing.

They can then submit that to our spam accuracy team, who can start working on a way to block this new spam attack.

Thank you,


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#3 Peter Savin

Peter Savin
  • Members
  • 4 posts

Posted 26 June 2019 - 05:00 PM

Just jumping in with a "Me too".  Same symptoms, same culprits (CVS, coffee, etc).  We've gone from 1-2 spams getting through to any given user per day, and now 10-20x as many.  I'll update here after working with support.



#4 Michael Manning

Michael Manning
  • Members
  • 224 posts
  • Location: Ohio, USA

Posted 27 June 2019 - 01:52 PM

You may want to tweak the spam detection settings.

Under the Basic tab click Spam Checking. Under the Spam Scoring Limits section, you can adjust the numeric score for each action: Block, Quarantine or Tag. The default for Quarantine is 'Disable', but I have mine set to a value of 4 and that seems to catch a large amount of actual spam with minimal false positives, at least for my organization.



#5 Peter Savin

Peter Savin
  • Members
  • 4 posts

Posted 27 June 2019 - 02:15 PM

The messages in question are coming in with very low SPAM scores; Barracuda just isn't catching them. Most are scored between 0 and 1.5, despite being blatantly spammy.

I opened a ticket yesterday but haven't heard back yet.



#6 Michael Manning

Michael Manning
  • Members
  • 224 posts
  • Location: Ohio, USA

Posted 27 June 2019 - 03:29 PM

The messages in question are coming in with very low SPAM scores; Barracuda just isn't catching them. Most are scored between 0 and 1.5, despite being blatantly spammy.

I opened a ticket yesterday but haven't heard back yet.

Wow! No kidding? There was an explosion of spam getting through late 2018 and tweaking the scoring was what helped. Fortunately we haven't seen what you're describing yet.



#7 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 374 posts

Posted 28 June 2019 - 02:27 PM

The spam that is being reported (CVS, coffee, furniture, dealership, etc.) is from a spammer/hacker that is finding open networks and hacking their web services and mail server to send out spam that looks to be 100% legitimate.

It has the correct URLs, DKIM statements, and so on in the headers.

This makes it look like legitimate mail. When the spam is discovered the ONLY way to block it is with a domain block on the hacked domain.

We do this as quickly as possible (usually within 20 minutes of the first mail going out), but someone has to get the first attacks.

So if you are seeing this new advertising spam then you are at the top of the spammer's list of domains.

If you don't see it, or you see it being blocked, you are one of the lucky ones that is further down the spammer's list.

We are, however, trying to find better ways to identify this spammer.

Sincerely,


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#8 Peter Savin

Peter Savin
  • Members
  • 4 posts

Posted 01 July 2019 - 12:00 PM

Thanks for the update Michelle. I did speak with support on Friday. After cutting off the lecture about "spammers are always finding ways to get around filters" I was basically told the above, and the technician said that all we can do is submit the messages to Barracuda Central and hope for the best. We did notice some of the junk starting to get blocked (CVS), but I still have a lot getting through.

At least I'll have a cool summer with all this low cost ductless heating! :)



#9 Peter Savin

Peter Savin
  • Members
  • 4 posts

Posted 01 July 2019 - 12:28 PM

Digging through some stuff today, it's apparent that (at least for the current wave) they are all coming from the same class C network belonging to Limestone Networks, a cloud hosting provider. That makes it easy to block (and also explains their success at DKIM signing and such). I've blocked this entire network, which should help: 74.63.216.0/24.



#10 David Franklin

David Franklin
  • Members
  • 9 posts

Posted 03 July 2019 - 10:39 AM

I've rebuilt my Bayes database, and now I have started blocking entire subnets, and I am considering blocking entire hosting companies, but I am having to take too much time out of my day watching for and manually blocking IPs. Barracuda needs to find a way to be more proactive blocking these guys. The "waiting until someone has to get the first attacks" means this spam is reaching my end users' mailboxes. Some of those users are executives. Some of those executives are asking if there are other products/solutions that can do a better job blocking spam. "Spammers are constantly working to find ways to build new spam" will not placate executives.



#11 David Franklin

David Franklin
  • Members
  • 9 posts

Posted 03 July 2019 - 11:52 AM

Similar thread: https://community.ba...-thru-recently/



#12 Kurt

Kurt
  • Members
  • 12 posts

Posted 03 July 2019 - 01:51 PM

So we are experiencing the same problems. I just got off the phone with support. Apparently these are considered bulk emails and can easily be stopped/blocked if you enable the cloud protection layer. You need the advanced threat protection subscription. I asked support why customers don't have this ability on the physical appliance and he agreed it should be an option/feature. Notice how the firmware of the Barracuda Spam Gateway appliances hasn't been updated since November 2018.... No beta releases even. I think it's super annoying that they are forcing people to use the Barracuda cloud for features that are really needed.

https://campus.barra...otection-layer/

The support rep said this will definitely block the spam bulk emails. I'm looking to enable this cloud protection layer this summer at some point.



#13 David Franklin

David Franklin
  • Members
  • 9 posts

Posted 03 July 2019 - 03:15 PM

I would like a moderator to define "Bulk" compared to "Spam", outline the technology used by the CPL to classify email as "Bulk" then block it, and detail why the appliance is not capable of blocking the same.



#14 David Franklin

David Franklin
  • Members
  • 9 posts

Posted 12 July 2019 - 09:31 AM

@Michelle - please help by defining "Bulk" vs "Spam", outline the tech used by the CPL to classify email as "Bulk" then block it, and detail why the appliance is not capable of blocking the same. Thank you!



#15 David Bourdeau

David Bourdeau
  • Members
  • 2 posts

Posted 12 July 2019 - 03:41 PM

@David Franklin,

Are you currently using CPL and still facing a large influx of spam? We were considering using CPL since we already own it.

Thanks!



#16 David Bourdeau

David Bourdeau
  • Members
  • 2 posts

Posted 12 July 2019 - 03:45 PM

Are you currently using CPL and still facing the large influx of spam? We were considering implementing CPL since we already own it and have not yet implemented it to deal with the same thing.

Thanks,

David Bourdeau



#17 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 374 posts

Posted 12 July 2019 - 05:14 PM

Bulk Email

Messages that contain anything that looks like unsubscribe links or unsubscribe instructions in the message body. These messages may or may not be considered as spam by the recipient.

Spam Email

Messages that hit any of the thousands of rules that we have, or that the customer adds, that classify the mail as spam.

We are not adding bulk detection to the BESG because it increases the amount of filtering the unit has to do and can result in systems that are pushing their limits failing.

Barracuda Email Gateway customers who are looking to improve filtering can either:

1. Add their own content filters to stop mail with the content they don't like

2. Turn on and correctly use the Bayesian Database service
    https://www.barracud...501600000013OG8

3. Sign up to use the CPL pre-filtering service

4. Move from the Barracuda Email Security Gateway to the hosted Barracuda Email Security Service

Sincerely,

Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300
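A triage model of the three controls discussed in this thread (the Spam Scoring Limits from post #4, the /24 network block from post #9, and the bulk-mail definition from post #17), as an added example that is not Barracuda's code nor anything the posters wrote. The Block and Tag threshold values, the unsubscribe patterns and the sample messages are constructed for the example; only the Quarantine value of 4 and the 74.63.216.0/24 range come from the thread.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed: the /24 blocked in post #9; Quarantine = 4 follows post #4, while
# the Block and Tag values are assumed for this example, not product defaults.
BLOCKED_NETWORKS = [ipaddress.ip_network("74.63.216.0/24")]
THRESHOLDS = {"block": 9.0, "quarantine": 4.0, "tag": 3.5}
# Bulk per post #17: unsubscribe links or unsubscribe instructions in the body.
UNSUBSCRIBE_RE = re.compile(r"unsubscribe|opt[\s-]?out|stop receiving", re.IGNORECASE)

@dataclass
class Message:
    sender_ip: str  # address of the connecting MTA
    score: float    # spam score the gateway assigned
    body: str       # message text

def is_bulk(body: str) -> bool:
    return UNSUBSCRIBE_RE.search(body) is not None

def triage(msg: Message) -> str:
    """Sender-network block first, then the score limits, then the bulk check
    that catches the low-scoring but well-formed mailings the thread describes."""
    ip = ipaddress.ip_address(msg.sender_ip)
    if any(ip in net for net in BLOCKED_NETWORKS):
        return "block:network"
    if msg.score >= THRESHOLDS["block"]:
        return "block:score"
    if msg.score >= THRESHOLDS["quarantine"]:
        return "quarantine:score"
    if is_bulk(msg.body):
        return "quarantine:bulk"
    if msg.score >= THRESHOLDS["tag"]:
        return "tag"
    return "deliver"

def summarize(msgs) -> dict:
    """Count actions over a batch (e.g. a day's log) to see what each control catches."""
    return dict(Counter(triage(m) for m in msgs))

# Constructed sample: the wave scores 0-1.5, so only the network block or the
# unsubscribe check catches it; a high-scoring message still hits the limits.
SAMPLE = [
    Message("74.63.216.17", 1.2, "CVS coupons inside! Click here to unsubscribe"),
    Message("203.0.113.9", 0.8, "Low cost ductless heating. To opt out, reply STOP"),
    Message("198.51.100.7", 0.3, "Agenda for Monday's meeting attached"),
    Message("198.51.100.7", 9.4, "Cheap pills, buy now!!!"),
]
```

Running `summarize(SAMPLE)` shows one message caught by each of the network block, the bulk check and the Block score limit, with the legitimate message delivered.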


#18 Kurt

Kurt
  • Members
  • 12 posts

Posted 15 July 2019 - 11:56 AM

Exactly what I thought... See my post from a few days ago.

https://community.ba...-barracuda-esg/

Really sad that the hardware appliances aren't powerful enough to provide this kind of filtering, to be honest. I will implement the CPL sometime this month and let you guys know how it goes.



#19 David Franklin

David Franklin
  • Members
  • 9 posts

Posted 15 July 2019 - 12:47 PM

@David Bourdeau,

We are not currently using CPL. We are considering using it, but the requirement to subscribe to ATP to enable this feature would more than double our yearly spend on Barracuda spam protection. We are not sure we want to do that.

Quote from sales rep:

"I believe adding ATP will help combat this. Not sure if it will solve it entirely."

@David Franklin,

Are you currently using CPL and still facing a large influx of spam? We were considering using CPL since we already own it.

Thanks!



#20 Michael Manning

Michael Manning
  • Members
  • 224 posts
  • Location: Ohio, USA

Posted 16 July 2019 - 09:07 AM

Michelle recommended turning on global Bayesian filtering. If you are willing to actually take the time to properly manage it, it does make quite a difference. After the flood of spam from this past winter I cranked down the scoring for quarantine and refreshed our Bayesian database, and doing both of these things seems to have made a huge difference. We currently are not seeing the explosion of spam others are describing.