01-12-2012, 07:10 AM, #1
YeOldeStonecat (Untangle Ninja, joined Aug 2007)
More spam/viruses coming through

Just a note...since updating our unit to 9.1, replacing Kaspersky with Virus Blocker (new Authentium engine)..and replacing CommTouch spam booster with Spam Booster....since that very day...we've had a substantial increase in spam..notably viruses like those fake "DHL" viruses coming through.

We are running Virus Blocker along with Virus Blocker Lite (the old clam based one)...each are catching some stuff..so it makes me think it's good to leave them both running...one "might" catch what the other one misses.

As for the spam part...we're just running the Spam Blocker by itself...not along with the Spam Blocker Lite. The 9.1 presentation you guys gave a few weeks ago hinted at just running Spam Blocker and not both. We used to run BOTH at the same time in prior versions...and each caught some.

I'm looking at the Virus Blocker...over 20,000 messages passed..and only 3x viruses removed. That "removed" number used to be way way waaaaay higher with Kas.

I always liked Kaspersky....was quite an effective product.
01-16-2012, 10:03 AM, #2
YeOldeStonecat (Untangle Ninja)

Nobody else noticing this?
Over the weekend...some of us at the office had some United Airlines virus spam in our Outlook inboxes....walked right through Untangle. Eset catches it.
01-16-2012, 10:32 AM, #3
sky-knight (Untangle Ninja, Phoenix, AZ)

The scam mails with the .zip attached have been going right through my 9.0.2 installation for weeks. I've updated to 9.1.1, I haven't gotten any more since but at the same time that doesn't mean much.

I have not switched off Kaspersky yet.

I'm thinking with the upgrade the Bayes learning was wiped?
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879

01-16-2012, 12:43 PM, #4
raditude (Untangle Ninja, Eugene, OR)

I do not have the answer, but concur with what is said here; since upgrading to 9.1.x the catch rates have gone down. My thought process was the same as sky-knight's, that the Bayes got reset, so I have been trying to give it a few days to get up to speed.

Since one of the offices used OpenDNS, which is a whole other thread, I decided to test it out and swapped to the ISP DNS to see if the catch rate increased... It has been 48 hrs and any increase is negligible at best.
01-17-2012, 08:37 AM, #5
sky-knight (Untangle Ninja)

I just got another DHL spoof mail.

But as I said, I was getting these things regularly BEFORE the upgrade. So I don't see a reduction in detection here, Untangle hasn't been stopping those mails for me at all.
01-17-2012, 08:38 AM, #6
raditude (Untangle Ninja)

That is weird, as the DHL, UPS, FedEx..etc usually are all caught by UT for us.
01-17-2012, 08:41 AM, #7
sky-knight (Untangle Ninja)

I've gotten spoofed mail from DHL, UPS, FedEx, Verizon, AT&T, Wells Fargo, Cox Communications, Comcast, and a few other places.

All the same MO: a spoofed official message from that provider, with links that go back to said provider's page and are nice and safe. All have a .zip attachment that encloses a single EXE file that is no doubt the payload.

It's been constant since just before Thanksgiving I think.
01-17-2012, 08:50 AM, #8
raditude (Untangle Ninja)

Yeah, there is no shortage of companies they try to spoof, and the MO is the same in all of them: deliver a .zip attachment with the .exe payload.

However, as stated, guess we are "lucky" that I see them in the quarantine sometimes, but beyond that I have not seen them in anyone's inbox, or in the quarantine on the Exchange box, or on a desktop.
01-17-2012, 12:23 PM, #9
M.I.B. (Master Untangler, Austria)

I run a separate virtual mailgate (MailCleaner OpenSource Edition) which is very good and nice to adjust. Exchange has Symantec virus protection. If an infected mail arrives it is caught by UT. Spam is always marked by UT and MailCleaner. Sometimes UT is more accurate than MailCleaner.
We have a similar situation at a client. UT catches all of the viruses; there is nothing left for Symantec.
So I could not see any changes.
MIB
03-07-2012, 05:51 AM, #10
elj4176 (Newbie)

Anyone have a solution to this? These emails have been coming through for a while now and clam doesn't seem to be able to pick them up at all. Although I have told the users not to open these, someone always does.

Would it make sense to just block all .zip attachments with an .exe inside? If a legitimate .zip email arrives then it can be allowed by the admin.
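As an added example (not Untangle's code and not from anyone in this thread), here is a Python scanner for the policy proposed above: it parses a raw message, opens each .zip attachment in memory and flags members that are executable by extension or by the MZ header, so a renamed .exe inside the zip is caught too. The extension list and the sample "DHL" message are assumptions constructed for the demo.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}  # assumed policy, not Untangle's list

def zip_members_with_exec(data: bytes) -> list:
    """Zip members that are executable by extension or MZ magic; [] if data is not a zip."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename.lower()
                ext = name[name.rfind("."):] if "." in name else ""
                with zf.open(info) as member:
                    magic = member.read(2)  # a renamed .exe still starts with MZ
                if ext in EXEC_EXTS or magic == b"MZ":
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        return []
    return hits

def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message; map each zip attachment to its executable members."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Decide by content (PK magic) as well as by filename.
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            hits = zip_members_with_exec(payload)
            if hits:
                findings[fname] = hits
    return findings

def build_sample(member_name: str, member_bytes: bytes) -> bytes:
    """Constructed message: a spoofed 'DHL' notice carrying one zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["Subject"] = "DHL delivery notification"  # constructed, mimics the thread's lures
    msg.set_content("Your parcel could not be delivered. See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="DHL_notice.zip")
    return msg.as_bytes()
```

A non-empty result is what a mail gateway would route to quarantine for admin release, as the post suggests.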