This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ATP C2/Generic-A from out Mailserver

Hello,

today i found this on ATP log.

07:34:06 IPTables TCP C2/Generic-A
192.168.2.3 (Our Exchange Server) : 25
→
91.230.25.175 (Some Provider in Ukraine) : 56600
drop

same enty for 07:34:06 and 7:34:12

we checked our Windows2012R2 Exchange with Sophos Virus Removal Tool but found nothing.

any suggestion what it could be an howe to troubleshoot it?

the 91.230.25.175 is in a Spam Database, so could it be some kind of Folse Positive because of spam? or can it be that someone has tried to send Spams from inside?

Firewall, SMTP, IPs logs have no Results about this IP...

thank you

This thread was automatically locked due to age.

Parents

0 BarryG over 9 years ago

Hi, it's probably a false positive due to spam.

From what I've seen, most of the ATP events are based on blacklisted IPs and any communication with those IPs will trigger alerts.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 9 years ago

Hi, it's probably a false positive due to spam.

From what I've seen, most of the ATP events are based on blacklisted IPs and any communication with those IPs will trigger alerts.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Holy over 9 years ago in reply to BarryG

Hello, that can be, but then i would see some antispam event in the SMTP Proxy? i looked on MailManager and found nothing at that time, i also tried to search for that IP in the SMTP Proxy log = no results. but it can be that this message was rejected as confirmed spam without leaving any logs...

it was source port 25 , so i think it could be a false positive due to spam.

Hi, it's probably a false positive due to spam.

From what I've seen, most of the ATP events are based on blacklisted IPs and any communication with those IPs will trigger alerts.

Barry
Cancel
Vote Up 0 Vote Down

Cancel