[clamav-users] Off topic question...

Eric Tykwinski eric-list at truenet.com
Wed Jun 29 16:02:12 UTC 2022


Ged,

> Hi there,
> 
> On Wed, 29 Jun 2022, Eric Tykwinski via clamav-users wrote:
>
>> Anyone have an abuse contact for Cisco IronPorts hosted service?
>>
>> Customer of ours received a phishing email from a Cisco client but 
>> wasn't sent by them, at least that's what I'm being told.
>
> I don't think you can rely on the customer's say-so.  You need to get a
> complete copy of the message - especially full headers - for analysis.
> Having said that here's a random hit:

I forwarded the raw message and our server logs to
phish at access.ironport.com, which took me a while to find on Cisco's site.
Hopefully that works.  The email itself came from Cisco IronPorts (Address
216.71.155.135 resolves to esa2.hc2580-79.iphmx.com.)
The sending client is on Cisco:
chesco.org.             0       IN      MX      10 mx2.hc2580-79.iphmx.com.
chesco.org.             0       IN      MX      10 mx1.hc2580-79.iphmx.com.

I didn't see any DKIM signatures in the headers, so I'm not sure if it was a
legit encrypted email or a phishing scam.
But definitely looked hokey with an HTML attachment asking for info, and
some long JavaScript which I wasn't going to attempt to figure out.

> https://www.abuseipdb.com/check/184.94.240.92
> 
> If it's really Cisco, and all else fails, I'd send a report to the abuse
> address for cisco.com (and to SpamCop - Cisco owns SpamCop of course...:)
>
> -- 
> 
> 73,
> Ged.
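
The header checks discussed in this thread (which relay handed the message over, whether it sits in the same hosted tenant as the sender's MX hosts, and whether a DKIM-Signature header is present), as an added example that is not part of the original post. The sample message is constructed; only the relay name and IP, the sender domain and the MX hosts are taken from the thread, the MX list is hard-coded instead of looked up in DNS, and the Received format is assumed to be Postfix-style.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not the real message: only the relay name/IP, the From
# domain and the MX hosts come from the post; every other value is made up.
RAW = """\
Received: from esa2.hc2580-79.iphmx.com (esa2.hc2580-79.iphmx.com [216.71.155.135])
\tby mx.example.net with ESMTPS id ABC123; Wed, 29 Jun 2022 10:00:00 -0400
Received: from internal.example.invalid ([10.0.0.5])
\tby esa2.hc2580-79.iphmx.com with ESMTP; Wed, 29 Jun 2022 09:59:58 -0400
From: sender@chesco.org
To: user@example.net
Subject: Secure document

body
"""
SENDER_MX = ["mx1.hc2580-79.iphmx.com", "mx2.hc2580-79.iphmx.com"]

# Postfix-style "from HELO (RDNS [IP])"; other MTAs format this differently.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)")

def tenant(host):
    """Drop the first label: esa2.hc2580-79.iphmx.com -> hc2580-79.iphmx.com."""
    return host.rstrip(".").lower().split(".", 1)[-1]

def triage(raw, sender_mx):
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip"), m.groups())))
    # Only the top Received line was written by our own server; lower ones
    # are supplied by the sending side and can be forged.
    edge = hops[0] if hops else {}
    edge_name = edge.get("rdns") or ""
    return {
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
        "edge_ip": edge.get("ip"),
        "edge_rdns": edge_name,
        "dkim_signed": msg.get_all("DKIM-Signature") is not None,
        # True: the relay sits in the same hosted tenant as the sender's MX.
        "relay_in_sender_tenant": tenant(edge_name) in {tenant(h) for h in sender_mx},
        "hops": len(hops),
    }

if __name__ == "__main__":
    for key, value in triage(RAW, SENDER_MX).items():
        print(f"{key}: {value}")
```

A true `relay_in_sender_tenant` with `dkim_signed` false says only that the message left through the sender domain's own hosted gateway unsigned; it does not say who submitted it to that gateway.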



