  1. #1
    Newbie
    Join Date
    Apr 2019
    Posts
    13

    Default Getting spammed with alerts

    Hello!

    So I got about 250 alerts yesterday for blocking a phishing site on one of the doctor's office's iPads. It alerts multiple times every couple of minutes. I'm assuming there's an app making the call and it's polling every minute or so, but I'm not sure which app/site is causing the issue. Any advice on what I can do to narrow down this bugger or at least stop the flood of emails? It's drowning out my other emails. Here is a sample of one of the emails.

    Code:
    Untangle Alert "Phishing and Other Frauds website visit blocked" [gateway.myclient]
    Code:
    System: Untangle [gateway.myclient]
    
    Event: WebFilterEvent
    
    Event Time: 2020-08-16 08:07:44.941.
    
    Event Summary:
    Web Filter blocked http://isrg.trustid.ocsp.identrust.com/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFG%2F0aE1DEtJIYoGcwCs9Rywdii%2BmBBTEp7Gkeyxx%2BtvhS5B1%2F8QVYIWJEAIQCgFBQgAAAVOFc2oLheynCA%3D%3D (Phishing and Other Frauds)
    
    Event Details:
    app name                          = web_filter
    blocked                           = true
    category                          = Phishing and Other Frauds
    category id                       = 57
    flagged                           = true
    reason                            = BLOCK_CATEGORY
    request line                      = GET http://isrg.trustid.ocsp.identrust.com/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFG%2F0aE1DEtJIYoGcwCs9Rywdii%2BmBBTEp7Gkeyxx%2BtvhS5B1%2F8QVYIWJEAIQCgFBQgAAAVOFc2oLheynCA%3D%3D
    rule id                           = 57
    session event                    
    bypassed                         = false
    c client addr                    = 10.10.0.135
    c client port                    = 60270
    c server addr                    = 23.38.169.163
    c server port                    = 80
    client country                   = XL
    client intf                      = 2
    entitled                         = true
    hostname                         = iPad
    local addr                       = 10.10.0.135
    policy id                        = 1
    policy rule id                   = 0
    protocol                         = 6
    protocol name                    = TCP
    remote addr                      = 23.38.169.163
    s client addr                    = 50.195.119.81
    s client port                    = 41676
    s server addr                    = 23.38.169.163
    s server port                    = 80
    server country                   = US
    server intf                      = 1
    server latitude                  = 37.751
    server longitude                 = -97.822
    session id                       = 104645685454674
    tags string                      = 
    time stamp                       = 2020-08-16 08:07:44.914
    time stamp                        = 2020-08-16 08:07:44.941
    
    This is an automated message sent because this event matched Alerts Rule "Phishing and Other Frauds website visit blocked".

    Sent from my iPhone using Tapatalk

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,033

    Default

    But your question is answered by the second line of the alert you just posted...

    Code:
    Event: WebFilterEvent
    Three lines down you get something even more descriptive.

    You'll forgive the snark here first thing in the morning, and I'll admit... it's Monday but let's just say...

    You're being oddly not Tech Savvy on this particular Monday. Ok, sorry couldn't resist.

    Also, config -> Events, it is not a stock alert that's bugging you... you need to go turn that alert off or it's going to annoy you to high heavens!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie
    Join Date
    Apr 2019
    Posts
    13

    Default

    Haha, well played, but that's just it. I don't think it's a specific site the user is intentionally going to that's doing it; I think it's an ad or something that's making the request in the background. But I'm not sure where it's coming from.


    Sent from my iPhone using Tapatalk

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,033

    Default

    Well, you have block events in the Web Filter. If you get into reports for that module and look at the all events log, filter down to that end point, and find your block, the passes immediately before it would be good places to start.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Newbie
    Join Date
    Apr 2019
    Posts
    13

    Default

    Quote Originally Posted by sky-knight View Post
    Well, you have block events in the Web Filter. If you get into reports for that module and look at the all events log, filter down to that end point, and find your block, the passes immediately before it would be good places to start.
    Thank you!!!


    Sent from my iPhone using Tapatalk

  6. #6
    Newbie
    Join Date
    Apr 2019
    Posts
    13

    Default

    So I did what you said to try to track it down, but all I see is Apple syncing with iCloud. (See below). Is it possible this is a false positive?

    [attached image: PastedGraphic-1.jpg]

  7. #7
    Newbie
    Join Date
    Apr 2019
    Posts
    13

    Default



    I think that image uploaded funky. Here it is again


    Sent from my iPhone using Tapatalk

  8. #8
    Newbie
    Join Date
    Jul 2020
    Posts
    7

    Default

    Clear your web filter cache in Untangle and these will stop. The website in question (isrg.trustid.ocsp.identrust.com) was blacklisted by Webroot for a few days, but they've cleared it. Until the web filter cache refreshes, you'll continue to get the alerts. I struggled with several hundred queued emails that came at me for days after I disabled email alerts.
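    As an added example (not from this thread, and not Untangle's or Webroot's code), one way to confirm from the alert itself that the blocked URL is a certificate status check rather than a phishing page: the path of an OCSP GET is a URL-encoded base64 DER OCSPRequest (RFC 6960), so it can be decoded and the CertID read out; the issuer key hash equals the Subject Key Identifier of the issuing CA, which you can compare against the intermediates your devices trust (this responder serves Let's Encrypt's IdenTrust cross-signed intermediate). The DER walker is a minimal hand-rolled reader, and the alert excerpt is constructed from post #1.

```python
import base64
from urllib.parse import unquote, urlparse

# Constructed excerpt of the alert in post #1 (same URL and "key = value" layout).
ALERT = """\
request line                      = GET http://isrg.trustid.ocsp.identrust.com/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFG%2F0aE1DEtJIYoGcwCs9Rywdii%2BmBBTEp7Gkeyxx%2BtvhS5B1%2F8QVYIWJEAIQCgFBQgAAAVOFc2oLheynCA%3D%3D
c client addr                     = 10.10.0.135
hostname                          = iPad
"""
SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1, 1.3.14.3.2.26

def parse_details(text):
    """Turn the 'key = value' block of an Untangle alert into a dict."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ocsp_get(url):
    """Decode an RFC 6960 OCSP GET URL (base64 DER OCSPRequest in the path);
    return the CertID of the first request, or None if the path is not one."""
    path = unquote(urlparse(url).path.lstrip("/"))
    try:
        der = base64.b64decode(path, validate=True)
        tag, ocsp_req, _ = der_tlv(der, 0)         # OCSPRequest SEQUENCE
        tag2, tbs, _ = der_tlv(ocsp_req, 0)        # tbsRequest SEQUENCE
        if tag != 0x30 or tag2 != 0x30:
            return None
        tag, _, pos = der_tlv(tbs, 0)              # optional [0] EXPLICIT version
        if tag != 0xA0:
            pos = 0
        _, req_list, _ = der_tlv(tbs, pos)         # requestList
        _, request, _ = der_tlv(req_list, 0)       # first Request
        _, cert_id, _ = der_tlv(request, 0)        # CertID
        _, alg, pos = der_tlv(cert_id, 0)          # hashAlgorithm
        _, oid, _ = der_tlv(alg, 0)
        _, name_hash, pos = der_tlv(cert_id, pos)  # issuerNameHash
        _, key_hash, pos = der_tlv(cert_id, pos)   # issuerKeyHash (issuer's SKI)
        _, serial, _ = der_tlv(cert_id, pos)       # serialNumber
    except (ValueError, IndexError):
        return None
    return {"hash": "sha1" if oid == SHA1_OID else oid.hex(), "serial": serial.hex(),
            "issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex()}
```

    A path that does not decode to an OCSPRequest (an ordinary page URL, or an empty path) comes back as None, so the same check can be run over every alert in the flood to separate the OCSP hits from anything that deserves a closer look.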

  9. #9
    Newbie
    Join Date
    Aug 2020
    Posts
    1

    Default

    Quote Originally Posted by me@toroloco.us View Post
    Clear your web filter cache in Untangle and these will stop. The website in question (isrg.trustid.ocsp.identrust.com) was blacklisted by Webroot for a few days, but they've cleared it. Until the web filter cache refreshes, you'll continue to get the alerts. I struggled with several hundred queued emails that came at me for days after I disabled email alerts.
    Thank you for this! I was having the same issue.

  10. #10
    Newbie 1837's Avatar
    Join Date
    Aug 2020
    Location
    Shenzhen
    Posts
    4

    Default

    I occasionally cannot receive emails sent to me by others, and they are not in the spam mailbox either. Why is this? But I did see a message saying that it has been sent to my mailbox for verification.
