I had no port 80 hits originating from my web filter.

________________________________
From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Tuesday, January 29, 2013 4:33 PM
To: NT System Admin Issues
Subject: Re: Speaking of Barracuda...

Thanks for having a look at it. The activity is pretty frequent, actually. The latest capture has about 30 gets to non-Barracuda sites in a few hours, all of which are embedded in inbound spam messages.

My suspicion is that it is something along the lines you describe, but I can't find anything in the config documents that explicitly states it will pull down content. The fact the technician hadn't heard of this is a little strange, too.

The closest thing I can find is in the description of "Multi-Level Intent Analysis" which is:

Multi-Level Intent Analysis - Set to Yes to inspect the results of Web queries to URIs of well-known free Web sites for redirections to known spammer sites.

However, does www.nicejordans23.com sound like a "well-known" free website? Or amazing.chloalt.us?

Maybe I'll get some more info when this e-mail comes in and hits the filter. Perhaps those URLs will trigger the activity.

Richard

On Tue, Jan 29, 2013 at 5:14 PM, N Parr <npar...@mortonind.com> wrote:

How often are you seeing it? What model do you have? I've had my ASA logging for a few min now but nothing on port 80 yet. I'll let it run overnight and search the logs. It could be part of the spam checking to see if URLs embedded in emails are legit to aid in scoring? Don't know if they do that sort of thing, just grasping at straws.

________________________________
From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Tuesday, January 29, 2013 3:25 PM
To: NT System Admin Issues
Subject: OT: Speaking of Barracuda...

Would any of you who have Barracuda spam filters mind checking something for me?

The other day I noticed outbound traffic from my spam appliance to port 80 at destinations not owned by Barracuda Networks. I started a packet cap on my firewall and got some very interesting results.

In addition to traffic for legitimate updates and whatnot, the appliance is actually going out to and downloading content from the URLs embedded in some (but nowhere near all) inbound spam messages. I haven't yet figured out any pattern to why it happens on some e-mails and not others.

I created a case with Barracuda this morning just to confirm that it is expected behavior and get an explanation of the logic behind it, but the tech I spoke to had never heard of this. I sent him the packet cap and he said he would kick it upstairs and get back to me, but I haven't heard anything yet.

Anyone want to capture traffic from your Barracuda spam firewall on outbound port 80 and see if you see anything similar?

Thanks,
RS

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
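
Added example, not part of the original thread: one way to run the check the thread asks for, by sorting a mail filter's outbound port 80 requests into vendor traffic, fetches of URLs that appeared in inbound messages, and everything else. The log format, addresses, message ids and the `vendor.example` domain are all constructed placeholders, not any real firewall's or appliance's output.

```python
import re
from urllib.parse import urlsplit

APPLIANCE_IP = "192.0.2.25"            # constructed: the spam filter's address
VENDOR_DOMAINS = ("vendor.example",)   # placeholder for the vendor's own domains

# Constructed firewall log, made-up format: time src dst:port method url
FIREWALL_LOG = """\
2013-01-29T16:01:07 192.0.2.25 198.51.100.10:80 GET http://updates.vendor.example/defs.bin
2013-01-29T16:02:41 192.0.2.25 203.0.113.7:80 GET http://shoes.spam.example/buy?id=1
2013-01-29T16:03:02 192.0.2.80 203.0.113.9:80 GET http://news.example/index.html
2013-01-29T16:05:19 192.0.2.25 203.0.113.44:80 GET http://other.example/x.gif
""".splitlines()

# Constructed inbound message bodies keyed by a made-up message id
INBOUND = {
    "msg-001": "Cheap sneakers at http://shoes.spam.example/buy?id=1 today!",
    "msg-002": "Meeting notes attached, no links here.",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def hosts_in(text):
    """Hostnames of every http(s) URL found in a message body."""
    return {urlsplit(u).hostname for u in URL_RE.findall(text)} - {None}

def is_vendor(host):
    """Exact or dot-boundary match, so 'notvendor.example' does not pass."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def classify(log_lines, messages, appliance_ip=APPLIANCE_IP):
    """Sort the appliance's outbound port-80 requests into three buckets."""
    seen_in = {}
    for msg_id, body in messages.items():
        for host in hosts_in(body):
            seen_in.setdefault(host, []).append(msg_id)
    buckets = {"vendor": [], "from_mail": [], "unexplained": []}
    for line in log_lines:
        _ts, src, dst, _method, url = line.split(maxsplit=4)
        if src != appliance_ip or not dst.endswith(":80"):
            continue                      # other sources or other ports
        host = urlsplit(url).hostname or ""
        if is_vendor(host):
            buckets["vendor"].append(host)
        elif host in seen_in:
            buckets["from_mail"].append((host, seen_in[host]))
        else:
            buckets["unexplained"].append(host)
    return buckets

if __name__ == "__main__":
    for name, items in classify(FIREWALL_LOG, INBOUND).items():
        print(name, items)
```

The `unexplained` bucket is the one to follow up on: requests from the appliance that match neither the vendor's domains nor any URL seen in mail.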