Bypass spam check with content filter

IWard
Level 1

Is there a way to skip/bypass the anti-spam engine with a content filter? We have situations where we need to check the friendly from address or subject line to identify emails from bulk mailers that should be allowed. We have an existing content filter that identifies them properly, but the "skip-filters()" action still allows the anti-spam engine to move the messages into the spam quarantine.

How do we ensure that emails matching a content filter reach the target inbox without adding the entire bulk mailer domain/IP to the safe list?

José L. Dávila
Cisco Employee

Hello there,

Content filters are a step after the anti-spam engine; that's why they are not effective in bypassing the anti-spam or anti-virus scan.

As an alternative, you can try a message filter searching by IP address, sending host or mail-from. Message filters are a step before the workqueue, so they take action before any antispam or antivirus check.

An example of the message filter is as follows:

SkipSpamcheckFilter:
    if ( (remote-ip == '192.168.195.101') or
         (mail-from == '@example\\.com$')      )
    {
        skip-spamcheck();
    }
.

You can check the following article for reference: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117908-qa-cdc.html, hope it helps. 

José L. Dávila

Thanks Jose. Unfortunately anything that applies to an entire domain or IP address is too broad for this situation. If there is no way to bypass the anti-spam engine with a content filter, is there anything I can do with a content filter to reverse the decision that has been made? Maybe remove the quarantine flag/header somehow?

No, content filters won't do it. The skip-filters is only for the rest of the "content filters".
If you want it to be "visible", the best way is to build a policy where you turn off the spam policy for just those senders. (This is what we do.)


José L. Dávila
Cisco Employee

A way to ignore the spam engine decision is to set the Action for the identified Spam messages as Deliver instead of Drop or Quarantine. However, this would need to be applied as Ken mentions, by building a policy. Keep in mind you can customize the message filters to be mail-from based. 

José L. Dávila

Mail-from is not always sufficient for this use case. We have senders like ConstantContact and AmazonES being used by legitimate vendors who send emails that we want to ensure do not get quarantined. We can add the whole domain to a separate policy, but both of those providers send mountains of spam that we want to keep out of inboxes.

We look for consistent indicators like subject lines, content in the message body, and/or other headers which indicate that the email is from an expected source. That portion works great. The only step I'm missing is ensuring those filtered messages are delivered while keeping the other spam from those senders quarantined.

Is there a way to use a content filter to pull an email out of quarantine? Alternatively, is there anything readable at the content filter level which indicates an email's spam rating? Maybe reputation score? If we had that I could flip this around to use a policy to bypass the anti-spam engine for the domains and then a content filter to quarantine things that do not match my content filter.

You would have to try this in a filter, and I'm not sure it will work, but in my spam quarantine I see 2 header settings. I wonder if you deleted them in a filter if it would stop the quarantine.

X-IronPort-Anti-Spam-Filtered
X-CASE

This seems to do the trick! Hard to test a negative, but I haven't seen any of the filtered emails get sent to the quarantine since I added the action to remove the "X-IronPort-Anti-Spam-Filtered" header. I also have an action to remove the prepended subject line to make the email appear normal in the user's inbox. Thanks everyone!
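The workaround the thread settles on (a content filter that, for messages matching a narrow friendly-From plus subject rule, removes the X-IronPort-Anti-Spam-Filtered and X-CASE headers and the prepended subject tag) is hard to verify, as the last reply notes. The following is an added example, not Cisco ESA code and not any poster's filter: it models that filter action on parsed messages and provides an audit check to run over delivered mail, so that a matching message that still carries the anti-spam markers stands out. The subject tag text, the header values, the bulkmailer.example domain and the rule patterns are assumed/constructed for the example; the real tag is whatever the anti-spam policy is configured to prepend.

```python
"""Model of the content-filter workaround discussed in the thread, plus an
audit check for delivered mail. Added example, not Cisco ESA code and not the
poster's filter: header values, domains, rule patterns and the subject tag
text are assumed/constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Headers the thread names as the ESA's anti-spam markers on a message.
ANTISPAM_HEADERS = ("X-IronPort-Anti-Spam-Filtered", "X-CASE")
# Subject prefix prepended to suspected spam (assumed text).
SUBJECT_TAG = "[SUSPECTED SPAM]"

# Narrow allow rules in the spirit of the poster's content filter: the bulk
# mailer's domain alone is too broad, so each rule requires a specific friendly
# From AND a subject indicator. Patterns and domains are constructed.
ALLOW_RULES = (
    {"from_re": r"^Acme Bank <[^>]+@bulkmailer\.example>$",
     "subject_re": r"^Monthly statement from Acme Bank\b"},
)


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def untagged_subject(subject: str) -> str:
    """Remove the prepended anti-spam tag so rules see the original subject."""
    if subject.startswith(SUBJECT_TAG):
        return subject[len(SUBJECT_TAG):].lstrip()
    return str(subject)


def matches_allow_rule(msg: EmailMessage) -> bool:
    """True when friendly From and (untagged) subject both match one rule."""
    sender = str(msg.get("From", ""))
    subject = untagged_subject(str(msg.get("Subject", "")))
    return any(re.search(r["from_re"], sender) and re.search(r["subject_re"], subject)
               for r in ALLOW_RULES)


def antispam_markers(msg: EmailMessage) -> list:
    """Markers showing the anti-spam verdict is still attached to the message."""
    found = [h for h in ANTISPAM_HEADERS if h in msg]
    if str(msg.get("Subject", "")).startswith(SUBJECT_TAG):
        found.append("subject-tag")
    return found


def apply_content_filter(msg: EmailMessage) -> EmailMessage:
    """The accepted workaround: for a matching message, delete the anti-spam
    headers and the subject prefix; a non-matching message keeps its verdict
    (and so still goes to the spam quarantine). Returns a modified copy."""
    out = parse(msg.as_string())
    if not matches_allow_rule(out):
        return out
    for h in ANTISPAM_HEADERS:
        del out[h]
    subject = untagged_subject(str(out.get("Subject", "")))
    del out["Subject"]
    out["Subject"] = subject
    return out


def audit(raw: str) -> dict:
    """For a delivered message: did it match a rule, and which markers survived?
    'allowed' True with markers left means the filter action did not run."""
    msg = parse(raw)
    return {"allowed": matches_allow_rule(msg), "markers": antispam_markers(msg)}


# Constructed sample messages (not real mail). WANTED is a legitimate statement
# sent through the bulk mailer and tagged as spam; UNWANTED is promotional mail
# from the same provider that must stay quarantined.
WANTED = """\
From: Acme Bank <statements@bulkmailer.example>
To: user@corp.example
Subject: [SUSPECTED SPAM] Monthly statement from Acme Bank
X-IronPort-Anti-Spam-Filtered: true
X-CASE: constructed-value

Your statement is attached.
"""

UNWANTED = """\
From: Deals <promo@bulkmailer.example>
To: user@corp.example
Subject: [SUSPECTED SPAM] You have won a prize
X-IronPort-Anti-Spam-Filtered: true
X-CASE: constructed-value

Click here.
"""

if __name__ == "__main__":
    for name, raw in (("wanted", WANTED), ("unwanted", UNWANTED)):
        print(name, "before:", audit(raw))
        print(name, "after:", audit(apply_content_filter(parse(raw)).as_string()))
```

To use the audit against real traffic, feed it the raw source of messages delivered to the target inbox: any result with "allowed": True and a non-empty marker list means the header-stripping action was not applied, which is the negative the last reply could not otherwise test.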