Anti-Spam threshold impact

sysresuem
Level 1

Hello,

 

In this documentation about ESA https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118220-technote-esa-00.html#:~:text=Reduce%20Suspected%20Spam%20Threshold%20to,at%20the%20'suspect'%20threshold

it is recommended to modify the anti-spam threshold:

  1. Reduce Suspected Spam Threshold to 40 (default is 50) if false-positives are not a concern at the 'suspect' threshold.

Is there a way to identify with the ESA interface which mails would have been categorized as spam with this modification?

The goal is to evaluate the impact before setting up the modification.

Regards

 

Guillaume


Accepted Solutions

UdupiKrishna
Cisco Employee

As @Octavian Szolga mentioned, there's no way for administrators of ESA to identify the actual score determined by the antispam engine.

TAC will generally have visibility into scores as long as the email message has x-ipas-result or x-antispam-result headers.

 

The best way is to just monitor for emails that are caught as suspected spam and verify if there are any false positives.

You can set up the antispam policy for suspected spam as "deliver", add a header when it matches, and use a content filter to set up a notify action whenever the header is matched.

or

just navigate to message tracking; under advanced options, check the "suspected spam" box and look for emails that were caught. This should provide visibility into any ongoing false positives.
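
As an added example (not part of the original thread and not Cisco code): once suspected spam is delivered with a tagging header as described above, a short Python script can triage an export of delivered mail for false-positive review. The header name `X-Suspected-Spam-Review`, the sample messages and the "same domain also delivers untagged mail" heuristic are assumptions.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Hypothetical header name added by the anti-spam policy for suspected spam.
REVIEW_HEADER = "X-Suspected-Spam-Review"
# Headers the thread says TAC can use to look up the engine score.
TAC_HEADERS = ("x-ipas-result", "x-antispam-result")

# Constructed sample messages (not real traffic).
SAMPLES = [
    "From: billing@partner.example\nMessage-ID: <1@constructed>\n"
    "X-Suspected-Spam-Review: true\nx-ipas-result: constructed-placeholder\n\nInvoice",
    "From: Alice <alice@partner.example>\nMessage-ID: <2@constructed>\n\nHello",
    "From: promo@bulk.example\nMessage-ID: <3@constructed>\n"
    "X-Suspected-Spam-Review: true\n\nBuy now",
    "From: bob@other.example\nMessage-ID: <4@constructed>\n\nMinutes",
]


def sender_domain(msg):
    """Lower-cased domain of the From address ('' if absent)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def review_report(raw_messages):
    """Summarise tagged mail and pick false-positive candidates."""
    tagged, clean, tac_ready = Counter(), Counter(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        domain = sender_domain(msg)
        if msg.get(REVIEW_HEADER) is None:
            clean[domain] += 1
            continue
        tagged[domain] += 1
        # Only messages that still carry a result header are useful to TAC.
        if any(msg.get(h) for h in TAC_HEADERS):
            tac_ready.append(msg.get("Message-ID", "?"))
    # Assumed heuristic: a domain that also delivers untagged mail is a
    # likelier false positive, so review those tagged messages first.
    review_first = sorted(d for d in tagged if clean[d])
    return {"tagged": dict(tagged), "review_first": review_first,
            "tac_ready": tac_ready}


if __name__ == "__main__":
    print(review_report(SAMPLES))
```
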


Octavian Szolga
Level 4

Hi Guillaume,

 

I don't think you can.
I don't remember seeing anywhere in ESA the CASE/spam points that a mail gets, so I don't see how you'd be able to tell which mail would have been identified as spam based on your spam score changes.

 

Just go with your changes and monitor your spam quarantine if this is the action you're setting in your incoming mail policies or use specific search queries (positive spam/suspected spam on specific time frame) to compare before and after.

 

BR,

Octavian

Hi,

 

OK, thanks for the help. I thought there was an "easiest" way to check before modifying the spam policy.

You're right, for the moment I put spam and suspected spam in quarantine.

I just have to increase sensitivity for spam from 90 to 50 and suspected spam from 50 to 40 with a special header to easily identify them.

 

Thanks both