On Mon, Mar 1, 2010 at 5:56 AM, Michael Scheidell <scheid...@secnap.net>wrote:
Imagine my surprise this am when I got a quarantine report from our ironport > email server (when I don't have one!) > Phishers targeting ironport users now. if anyone has ironport, can you > look at this email to see if it looks like an ironport quarantine report? > I do notice the lack of ironport headers in this email, and its base64 > encoded (I think ironport quarantine reports just used nice html) > > http://pastebin.com/1YXY5rPq > > should be easy enough to write sigs. look for ironport headers, and if > none, block it. > Actually, all signs point to this being a misconfigured IronPort appliance. Someone at IronPort is attempting to contact the administrator. Daniel