Hi

> I don’t think you did. Unless I am very much mistaken, Benoit is
> logically *outside* the specific Ironport systems, which is why this
> is worthy of inspection.

Correct. I was the recipient of the quarantine notification. I am not subscribed to any Cisco Ironport service. The MX of the recipient domain does not point to a Cisco IP address. But the sender domain did point to an IP address belonging to Cisco.

> It is, most likely, a naive or inexperienced Cisco Ironport customer
> - or it’s a vulnerability being exploited. I very much suspect the
> former.

For me the most likely cause seems to be that somebody is hosting their email services with Cisco and a user's credentials were compromised and used to send phishing email via Cisco's infrastructure.

But instead of blocking the outbound emails and notifying the Cisco abuse desk, the outbound emails were quarantined and notifications about this sent to the intended phishing victims, leading them to the same website the customer could use to inspect his inbound quarantine and also presenting a log-in site to the victim who has no credentials to log in.

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e A G - Head of Commercial Customers
______________________________________________________

Zurlindenstrasse 29    Tel +41 61 826 93 00
CH-4133 Pratteln       Fax +41 61 826 93 01
Switzerland            Web http://www.imp.ch
______________________________________________________
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
