Aggressive scanning profile

andrey.rusev
Level 1

Hi,

Has anyone tested the Aggressive spam profile explained here:

https://docs.ces.cisco.com/docs/ironport-anti-spam-scanning-profile

I am curious if someone has evaluated it, in order to have expectations about the increase in false positives.

Unfortunately we haven't got any possibility to test it with some pilot users.

 

Kind Regards!

 

1 Accepted Solution


You are correct, it is indeed a global-level change and not per policy. These are some ways to test, but not the affirmative methods:

1. If there are multiple devices in a cluster, you can run machine-level overrides on a few ESA(s), set up the aggressive scanning profile and monitor the outcome.

2. Or you can set up SMTP routes so that emails scanned by an ESA with the default profile are then forwarded to another ESA with the aggressive profile.


UdupiKrishna
Cisco Employee

A difficult question to answer in general. We have seen customers set up some aggressive settings which have done more harm than good, while it worked out better for a few. There's no baseline to state the increase in the false positives.

The best way to test is to set up a new policy with these aggressive settings and configure antispam to add a new custom header for suspect and positive spam. Create a content filter to match the custom header with a simple action like "log-entry". Then you can run a content filter report to identify the number of times it was matched. You can dig into the emails later to understand if there were false positives.

andrey.rusev
Level 1

Hi,

Thank you for the feedback.

It would be very good if we could test it. I still can't see how we can test for some users per mail policy, as the spam profile is configured at the global level. Could you please elaborate further?

Kind Regards!
