Mailing List Archive

[clamav-users] Off topic question...
Anyone have an abuse contact for Cisco IronPorts hosted service?

Customer of ours received a phishing email from a Cisco client but wasn't
sent by them, at least that's what I'm being told.



Sincerely,



Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300
Re: [clamav-users] Off topic question...
Hi there,

On Wed, 29 Jun 2022, Eric Tykwinski via clamav-users wrote:

> Anyone have an abuse contact for Cisco IronPorts hosted service?
>
> Customer of ours received a phishing email from a Cisco client but wasn't
> sent by them, at least that's what I'm being told.

I don't think you can rely on the customer's say-so. You need to get
a complete copy of the message - especially full headers - for analysis.
Having said that here's a random hit:

https://www.abuseipdb.com/check/184.94.240.92

If it's really Cisco, and all else fails, I'd send a report to the abuse
address for cisco.com (and to SpamCop - Cisco owns SpamCop of course...:)

--

73,
Ged.
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Off topic question...
Ged,

> Hi there,
>
> On Wed, 29 Jun 2022, Eric Tykwinski via clamav-users wrote:
>
>> Anyone have an abuse contact for Cisco IronPorts hosted service?
>>
>> Customer of ours received a phishing email from a Cisco client but
>> wasn't sent by them, at least that's what I'm being told.
>
> I don't think you can rely on the customer's say-so. You need to get a
> complete copy of the message - especially full headers - for analysis.
> Having said that here's a random hit:

I forwarded the raw message and our server logs to
phish@access.ironport.com, which took me a while to find on Cisco's site.
Hopefully that works. The email itself came from Cisco IronPorts (Address
216.71.155.135 resolves to esa2.hc2580-79.iphmx.com.)
The sending client is on Cisco:
chesco.org. 0 IN MX 10 mx2.hc2580-79.iphmx.com.
chesco.org. 0 IN MX 10 mx1.hc2580-79.iphmx.com.

I didn't see any DKIM signatures in the headers, so I'm not sure if it was a
legit encrypted email or a phishing scam.
But definitely looked hokey with an HTML attachment asking for info, and
some long JavaScript which I wasn't going to attempt to figure out.

> https://www.abuseipdb.com/check/184.94.240.92
>
> If it's really Cisco, and all else fails, I'd send a report to the abuse
> address for cisco.com (and to SpamCop - Cisco owns SpamCop of course...:)
>
> --
>
> 73,
> Ged.
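
As an added example (not part of any poster's message and not ClamAV code), this is one way to pull the Received chain and the authentication state out of a raw message of the kind discussed in this thread. The sample message is constructed: only the relay address and hostname are taken from the thread, and every other name and value is a placeholder.

```python
import email
import re

# Constructed sample. Relay IP/hostname are the ones quoted in the thread;
# all other header values are placeholders made up for illustration.
RAW = """\
Received: from esa2.hc2580-79.iphmx.com (esa2.hc2580-79.iphmx.com [216.71.155.135])
\tby mx.recipient.example with ESMTPS id abc123
\tfor <user@recipient.example>; Wed, 29 Jun 2022 10:41:07 -0400
Received: from unknown (HELO internal.sender.example) ([10.1.2.3])
\tby esa2.hc2580-79.iphmx.com with ESMTP; 29 Jun 2022 10:41:05 -0400
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=sender.example; dkim=none
From: "Secure Mail" <notify@sender.example>
To: user@recipient.example
Subject: Encrypted message
MIME-Version: 1.0
Content-Type: text/plain

See attachment.
"""

def triage(raw):
    """Summarise the routing and authentication headers of a raw message."""
    msg = email.message_from_string(raw)
    hops = []
    # Received headers are prepended, so the first one was written by the
    # receiving server. Only that hop is trustworthy; lower ones can be forged.
    for value in msg.get_all("Received", []):
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append({"ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    auth = " ".join(msg.get_all("Authentication-Results", []))
    return {
        "hops": hops,
        "handoff_ip": hops[0]["ip"] if hops else None,
        "dkim_signed": msg.get("DKIM-Signature") is not None,
        "auth_results": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
    }

if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(key, "=", value)
```

The handoff IP is what to look up in reverse DNS and compare against the claimed sender's MX hosts, and it belongs in the abuse report together with the full headers.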


Re: [clamav-users] Off topic question...
Talosintelligence.com/support


Sent from my iPhone

> On Jun 29, 2022, at 10:59, Eric Tykwinski via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Anyone have an abuse contact for Cisco IronPorts hosted service?
>
> Customer of ours received a phishing email from a Cisco client but wasn’t sent by them, at least that’s what I’m being told.
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>