Hi Jason,
The IPAS engine will scan the entire message including the attachments as long as the total size of the message does not exceed the maximum size set for IPAS. So if the attachment size is 554401 and your maximum scan size would have to exceed this to include not only the attachment but also the entire message. In many cases PDF files are tricky to scan as they are generally pretty large and exceed the maximum scan size for IPAS. You also have to consider if you extend the IPAS scan size too far it can start to have a negative impact on performance. Ideally we would like to stop these messages based on SBRS. There was an event about a year ago with these types of messages , from the FBI and FTC and we were able to address this via rule updates to IPAS. I am not sure if this is a new varient of this type of message but i would be glad to explore this with the case operations group if you can get us copies of the messages in RFC 822 format.
Below are instructions on that process.
To send a missed spam or message incorrectly marked as "not-spam" email to IronPort Systems for examination, there are a number of ways to submit messages.
- Preferred: Use the Outlook plug-in or Lotus plug-in, found on the Cisco IronPort Email Security Page.
For customers using clients other than Microsoft Outlook, go to your email program and follow the instructions to attach the email as an
RFC-822 MIME encoded attachment.
See article 472.- (NOTE: All submitted messages must be in the RFC 822 format and ONLY that format. Any other formats (such as S/MIME) are currently not compatible with the submission tool.)
Note: Unless submitted through a plug-in (MS Outlook, not MS Outlook Express), messages forwarded must be RFC-822 compliant attachments. Forwards of previously forwarded messages cannot be processed at this time.
Each message is reviewed by a team of human analysts and used to enhance the accuracy and effectiveness of the product.
Once we receive submissions from a customer or from other sources, these messages are passed through automated classification systems that makes use of our latest rule set. If these messages are tagged by the new rule-set as spam, they are classified as such. Due to a delay in receiving samples and generating rules, many of the missed-spam messages usually have rules published between the time they are received by our customers and reported to us.
There are some messages that are part of new spam trends or new variants that are sufficiently different or new spam strains that are not classified by automated systems. Basically, any messages that are held for classification due to some mitigating factors are held for human review. We attempt to get to these messages within 2-3 hours of them being injested into the corpus.
Note: Although every report sent as an RFC-822 attachment to this address will be reviewed, most submissions will not receive an actual physical reply from IronPort.
Christopher C Smith
CSE
Cisco IronPort Customer Support
