anti-SPAM and workqueue filling up

For our customer we have had anti-Virus and anti-SPAM enabled for a very long time. Recently I've enabled URL Filtering and VOF. After enabling this we had serious problems whenever a legitimate newsletter was received (intended for all employees, appr. 20.000). The workqueue would fill up and no email (incoming or outgoing) was processed. By temporarily disabling anti-SPAM the workqueue would drain and normal operation resumed.

I created an incoming mail policy for trusted bulk mailers in which I disabled anti-SPAM, Graymail and VOF; this works.

However, more and more legitimate newsletters are popping up and I wonder if another approach could get me the same result.

E.g. rate limiting for those trusted bulk emailers or something else...

Any ideas or best practices?

regards Henk Fictorie


Libin Varghese
Cisco Employee

Hi Henk,

Seeing that you recently enabled URL filtering on the appliance, I would recommend you review that the configuration below is as per recommendations.

Please be aware of the following Field Notice:
http://www.cisco.com/c/en/us/support/docs/field-notices/641/fn64111.html

The server pool used by the URL Reputation feature servers has changed. As a result, when you enable the URL Filtering feature, you may observe one of the following symptoms:

· Work queue on your appliance backs up
· A large number of 'Request already expired' entries in the web_client logs
· Alerts indicating that your appliance is unable to connect to the Cisco Web Security Service

To fix this issue, you must reduce the number of URLs sent for verification at the same time.

Procedure
1. Secure Shell (SSH) into the appliance.
2. Enter the command websecurityadvancedconfig.
3. Change the value for "Enter the threshold value for outstanding requests" from the default to 5. (Default is 50.)
4. Do not change any other option.
5. Commit any/all configuration changes.

As for rate limiting, you can certainly create a separate sender group for the sending server of these newsletters and apply rate limiting based off the envelope sender or maximum recipients allowed per hour. This would help reduce load on the appliance from such emails.

Thanks!
Libin V

Hi Libin,

I already applied the field notice fn64111.html.

I've created a sender group "Trusted Bulk Mailers" with its own mail flow policy "Bulk mailers"; SPAM detection is disabled in this policy. I assumed this would be enough, but I also had to create an incoming mail policy for the senders of the newsletters in which I had to disable Anti-Spam also.

My question is more on what I can do with the mail flow policy "ACCEPTED" which is used as default policy and has SPAM detection enabled. What can I do in this policy to prevent the work queue from filling up? Can I assume that setting "Max recipients per hour" is a decent first step? Are there some statistics in the system I can see to get a good idea about the values I should use?

In the mail flow policy "Bulk mailers", I already set some parameters to change. E.g. I now have max 300 recipients per 5 minutes (envelope-sender) and unlimited recipients per hour (per host).

regards Henk

Henk,

The default configuration of the device is the recommended setting; if with that you are seeing a workqueue spike, then it would mean the device is being overburdened and you may need to think of adding additional appliances in your network.

It is recommended you contact your sales and accounts team as they have access to sizing tools to determine how much mail flow the current configuration can keep up with.

Thanks!

Libin