
First ATP Reported

I noticed yesterday that our firewall had reported this anomaly coming from our mail server. The destination IP is simply an open DNS entry I added to the DNS settings on the device, but this also occurs with the other entries as well. Why would it report this?

This thread was automatically locked due to age.
  • Hi Newby,

    I was able to reproduce this error.

    The content of your DNS query "sync.header.direct" seems to be known as malicious.

    If your mail server is not infected, it may have got an email (sent or received doesn't matter) and needs to look up some DNS stuff to verify (MX record / SPF record), either to send or to do antispam.

    Please check if your mail server has a queued mail to or from that domain (maybe in the logs for that timestamp).

    Yours Lukas

  • Thanks, I am not seeing anything in our logs regarding email but am continuing to investigate.
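Lukas's suggestion above, checking the mail log for queued or delivered mail involving the flagged name around the alert timestamp, as an added example that is not part of the original thread or any product's own tooling. It assumes Postfix-style syslog lines; the log lines, the alert record and the default year (traditional syslog timestamps carry none) are constructed for illustration, and it treats a name as related to the flagged query when one is the other or a subdomain of it, which is a heuristic of this example, not something the thread establishes.

```python
"""Correlate a firewall ATP/DNS alert for a flagged hostname with mail-server
activity around the same time.

Added example, not code from the original thread. Assumes Postfix-style
syslog lines; SAMPLE_LOG, SAMPLE_ALERT and the default year are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: one inbound message from the flagged domain and one
# unrelated outbound message a few minutes later.
SAMPLE_LOG = """\
Mar  3 09:58:11 mx1 postfix/smtpd[2101]: connect from unknown[198.51.100.7]
Mar  3 09:58:12 mx1 postfix/smtpd[2101]: 7F2A1C3E9B: client=unknown[198.51.100.7]
Mar  3 09:58:12 mx1 postfix/cleanup[2105]: 7F2A1C3E9B: message-id=<20240303095811.1234@sync.header.direct>
Mar  3 09:58:12 mx1 postfix/qmgr[1099]: 7F2A1C3E9B: from=<news@sync.header.direct>, size=4821, nrcpt=1 (queue active)
Mar  3 09:58:13 mx1 postfix/local[2110]: 7F2A1C3E9B: to=<alice@example.com>, relay=local, delay=1.1, status=sent (delivered to mailbox)
Mar  3 10:02:40 mx1 postfix/qmgr[1099]: 81B0D2F4A1: from=<bob@example.com>, size=2210, nrcpt=1 (queue active)
Mar  3 10:02:41 mx1 postfix/smtp[2120]: 81B0D2F4A1: to=<carol@example.net>, relay=mail.example.net[203.0.113.5]:25, delay=0.9, status=sent (250 OK)
"""

# Constructed alert: the queried name the firewall flagged and when it saw it.
SAMPLE_ALERT = {"query": "sync.header.direct", "time": "Mar  3 09:58:12"}

SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
QUEUE_ID = re.compile(r"^(?P<qid>[0-9A-F]{8,}): ")  # Postfix queue id prefix
ADDR = re.compile(r"\b(?:from|to)=<(?P<addr>[^>]*)>")
RELAY = re.compile(r"\brelay=(?P<relay>[^\[,\s]+)")
MSGID = re.compile(r"message-id=<[^>@]*@(?P<dom>[^>]+)>")


def parse_ts(ts: str, year: int) -> datetime:
    """Traditional syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def related(name: str, other: str) -> bool:
    """Heuristic: True when one name is the other or a subdomain of it.

    A lookup for sync.header.direct may be triggered by mail for header.direct
    (MX target, SPF include, HELO name), so match in both directions.
    """
    a = name.lower().rstrip(".")
    b = other.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def names_in(msg: str) -> List[str]:
    """Collect every hostname/domain a Postfix log message mentions."""
    names = [m["addr"].rsplit("@", 1)[1] for m in ADDR.finditer(msg) if "@" in m["addr"]]
    rm = RELAY.search(msg)
    if rm:
        names.append(rm["relay"])
    mm = MSGID.search(msg)
    if mm:
        names.append(mm["dom"])
    return names


def correlate(log_text: str, query: str, alert_time: str, year: int = 2024,
              window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return log lines within `window` of the alert that involve a name
    related to the flagged DNS query."""
    t_alert = parse_ts(alert_time, year)
    hits: List[Dict] = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"], year)
        if abs(t - t_alert) > window:
            continue
        q = QUEUE_ID.match(m["msg"])
        for n in names_in(m["msg"]):
            if related(n, query):
                hits.append({"time": t.isoformat(), "queue_id": q["qid"] if q else None,
                             "name": n, "line": line})
                break
    return hits


def queue_ids(hits: List[Dict]) -> List[str]:
    """Distinct queue ids to pull the full delivery trail for (grep by id)."""
    seen: List[str] = []
    for h in hits:
        if h["queue_id"] and h["queue_id"] not in seen:
            seen.append(h["queue_id"])
    return seen


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG, SAMPLE_ALERT["query"], SAMPLE_ALERT["time"])
    for h in found:
        print(h["time"], h["queue_id"], h["name"])
    print("queue ids to inspect:", queue_ids(found))
```

Run against a real mail log with the flagged name and the alert timestamp from the firewall; any queue id it returns is the message whose MX/SPF verification most plausibly caused the lookup, and a result of no hits within a generous window is the case worth treating as possible infection rather than normal mail-flow noise.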