Tons of "Generic:<URL> hits in threat logs for DNS Query hits


Hi Guys,

 

I am seeing a ton of "generic:<random-url>" hits in my threat logs under the spyware category for DNS queries from my email spam filter server out to the world. I have DNS Security set up on the Palo so they are being sinkholed, but there are a ton of them, and several dozen different URLs. The spam filter uses proprietary software, so it's unlikely it is infected. I suspect the queries are being made from the URLs being placed in the emails themselves. Wondering if anyone has seen this or can explain? These can't all be malicious URLs my users are referencing in their emails, can they? Here's a small example:

[screenshot of threat log entries attached to the original post]

@dromanelli,

I would expect this on an email security gateway to be honest. The number of DNS requests an email security gateway will make is dependent on mailflow, but they'll all generally resolve the source domain email was sent from, and a lot of them will resolve any domain that they see come across in a message. So all of the spam and phishing messages that you receive are likely going to be triggering alerts for all of those as well. 
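As an added illustration of the triage the reply implies (this is not code from the thread, from Palo Alto Networks, or from PAN-OS), the script below separates a mail gateway that resolves many distinct sender domains once each from a host that repeatedly queries the same sinkholed domain. The CSV field layout and the sample log lines are constructed for the example, and the repeat threshold is an assumption, not a PAN-OS schema or a vendor-recommended value.

```python
# Added example: triage Palo Alto threat-log DNS sinkhole hits per source host.
# The field order (src_ip, threat_name, category, action) is an assumption made
# for this example and is NOT the verified PAN-OS threat-log schema; adapt the
# column indices to your own export before use.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: .25 behaves like a mail gateway (many domains, one hit
# each); .40 behaves like a beaconing host (one domain, repeated hits).
SAMPLE_LOG = """\
10.0.1.25,generic:bad-offer.example,spyware,sinkhole
10.0.1.25,generic:prize-claim.example,spyware,sinkhole
10.0.1.25,generic:invoice-view.example,spyware,sinkhole
10.0.1.25,generic:track-pkg.example,spyware,sinkhole
10.0.1.40,generic:c2-beacon.example,spyware,sinkhole
10.0.1.40,generic:c2-beacon.example,spyware,sinkhole
10.0.1.40,generic:c2-beacon.example,spyware,sinkhole
10.0.1.40,generic:c2-beacon.example,spyware,sinkhole
"""


def summarize(log_text):
    """Return {src_ip: {"hits": n, "domains": set(...)}} for sinkholed spyware hits."""
    stats = defaultdict(lambda: {"hits": 0, "domains": set()})
    for src, threat, category, action in csv.reader(StringIO(log_text)):
        if category != "spyware" or action != "sinkhole":
            continue  # only the DNS Security sinkhole hits the thread is about
        # "generic:<domain>" carries the queried domain after the colon.
        domain = threat.split(":", 1)[1] if threat.startswith("generic:") else threat
        stats[src]["hits"] += 1
        stats[src]["domains"].add(domain)
    return stats


def classify(entry, repeat_threshold=3):
    """Label one host's summary. Many distinct domains seen once each matches a
    gateway resolving sender/message domains; the same domain queried over and
    over looks like beaconing. The threshold is an assumed starting point."""
    hits, domains = entry["hits"], entry["domains"]
    if hits >= repeat_threshold and len(domains) == 1:
        return "repeated-single-domain: investigate host"
    if len(domains) == hits:
        return "many-distinct-domains: consistent with mail gateway lookups"
    return "mixed: review"


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["hits"], len(entry["domains"]), classify(entry))
```

Run it over a real export only after mapping the column indices to the export's actual field order.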
