03-25-2022 01:31 AM
Hello,
In this documentation about ESA https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118220-technote-esa-00.html#:~:text=Reduce%20Suspected%20Spam%20Threshold%20to,at%20the%20'suspect'%20threshold.
It is recommended to modify the anti-spam threshold:
Is there a way to identify, with the ESA interface, which mails would have been categorized as spam with this modification?
The goal is to evaluate the impact before setting up the modification.
Regards
Guillaume
03-27-2022 05:51 PM
As @Octavian Szolga mentioned, there's no way for administrators of ESA to identify the actual score determined by the antispam engine.
TAC will generally have visibility to scores as long as the email message has x-ipas-result or x-antispam-result headers.
The best way is to just monitor for emails that are caught as suspected spam and verify if there are any false positives.
You can set up the antispam policy for suspected spam as "deliver", add a header when it matches and use a content filter, set up a notify action whenever the header is matched.
or
just navigate to message tracking, under advanced options check the box "suspected spam" and look for emails that were caught; this should provide visibility into any ongoing false positives.
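An added example, not part of any post in this thread: once suspected spam is delivered with a tag header as described above, a short script over an export of delivered mail can list the tagged messages that come from senders you expect legitimate mail from, which are the false-positive candidates to review. The header name `X-Suspected-Spam-Trial`, the domains and the sample messages are assumptions constructed for illustration.

```python
import email
from collections import Counter
from email import policy
from email.utils import parseaddr

TAG_HEADER = "X-Suspected-Spam-Trial"  # hypothetical header added by the anti-spam policy
KNOWN_GOOD = {"partner.example"}        # hypothetical domains that normally send legitimate mail

# Constructed sample messages standing in for an export of delivered mail.
SAMPLE = [
    "From: Alice <alice@partner.example>\nSubject: Invoice 1042\n"
    "X-Suspected-Spam-Trial: true\n\nPlease find attached.\n",
    "From: promo@bulk.example\nSubject: WIN NOW\n"
    "X-Suspected-Spam-Trial: true\n\nClick here.\n",
    "From: bob@partner.example\nSubject: Meeting\n\nSee you at 10.\n",
    "From: promo@bulk.example\nSubject: Last chance\n"
    "X-Suspected-Spam-Trial: true\n\nClick here.\n",
]

def sender_domain(msg):
    """Return the lower-cased domain of the From address, or "(none)"."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else "(none)"

def review(raw_messages, tag=TAG_HEADER, known_good=KNOWN_GOOD):
    """Count tagged messages per sender domain and list false-positive candidates."""
    by_domain = Counter()
    candidates = []
    total = 0
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        total += 1
        if msg.get(tag) is None:      # not caught as suspected spam
            continue
        domain = sender_domain(msg)
        by_domain[domain] += 1
        if domain in known_good:      # tagged, but from a sender we trust: review it
            candidates.append((domain, str(msg.get("Subject", ""))))
    return {"total": total, "tagged": sum(by_domain.values()),
            "by_domain": dict(by_domain), "fp_candidates": candidates}

if __name__ == "__main__":
    report = review(SAMPLE)
    print(f"{report['tagged']} of {report['total']} messages tagged")
    for domain, subject in report["fp_candidates"]:
        print(f"review: {domain}: {subject}")
```

Comparing the tagged share of delivered mail before and after a threshold change gives a rough measure of the change's impact.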
03-25-2022 08:11 AM
Hi Guillaume,
I don't think you can.
I don't remember seeing anywhere in ESA the CASE/spam points that a mail gets, so I don't see how you'd be able to tell which mail would have been identified as spam based on your spam score changes.
Just go with your changes and monitor your spam quarantine if this is the action you're setting in your incoming mail policies or use specific search queries (positive spam/suspected spam on specific time frame) to compare before and after.
BR,
Octavian
03-28-2022 05:22 AM
Hi,
OK, thanks for the help. I thought there was an "easiest" way to check before modifying the spam policy.
You're right, for the moment I put spam and suspected spam in quarantine.
I just have to increase sensitivity for spam from 90 to 50 and suspected spam from 50 to 40 with a special header to easily identify them.
Thanks both