cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
533
Views
5
Helpful
3
Replies

Aggressive scanning profile

andrey.rusev
Level 1
Level 1

Hi,

Has anyone teste the Aggressive spam profile explained here:

https://docs.ces.cisco.com/docs/ironport-anti-spam-scanning-profile

I am curios if someone evaluated it in order to have expectations with false positives increase.

Unfortunately we haven't got any possibility to test it with some pilot users.

 

Kind Regards!

 

1 Accepted Solution

Accepted Solutions

You are correct it is indeed is a global level change and not per policy. These are some ways to test but not the affirmative methods,

1. If there are multiple devices in cluster, you can run machine level overrides on few ESA(s), setup the aggressive scanning profile and monitor the outcome.

2. Or you can setup SMTP routes so that emails are scanned by an ESA with default profile are then forwarded to another ESA with aggressive profile.

View solution in original post

3 Replies 3

UdupiKrishna
Cisco Employee
Cisco Employee

A difficult question to answer in general. We have seen customers setup some aggressive settings which has done more harm than good while it worked out better for a few. There's a no baseline to state the increase in the false positives.

Best way to test is setup a new policy with these aggressive settings, configure antispam to add a new custom header for suspect and positive spam. Create a content filter to match the custom header with a simple action like "log-entry". Then you can run a content filter report to identify the number of times it was matched. You can dig into the emails later to understand if there were false positives

andrey.rusev
Level 1
Level 1

Hi,

thank you for feedback. 

It will be very good if we can test it. I still cant see how we can test for some users per mail policy as the spam profile is configured for global level. Could you please elaborate further.

Kind Regards!

 

You are correct it is indeed is a global level change and not per policy. These are some ways to test but not the affirmative methods,

1. If there are multiple devices in cluster, you can run machine level overrides on few ESA(s), setup the aggressive scanning profile and monitor the outcome.

2. Or you can setup SMTP routes so that emails are scanned by an ESA with default profile are then forwarded to another ESA with aggressive profile.