01-18-2017 06:39 AM
Hi
I have a Cisco ESA C360 and I have configured the Anti-spam and Anti-virus Engines as per the Cisco default configuration and best practices. Still, when I look at my Spam Folder in the ESA, I find millions of spam messages from the last seven days, and the count creeps to many more when I search the spam folder for the last month and the two months before.
With this amount of spam emails I am blacklisted by the ISP, and most of my users complain that our emails are treated as junk by Internet MTAs like Yahoo, Gmail and Hotmail, etc.
I need advice on what is wrong with the Ironport, how I can stop this scenario, and how I can retain my reputation with the ISP. Also I need to know why
1. ESA is not stopping all the spam emails generated by internal users.
2. How can I know that my email server has not become a spam mail relay?
3. How can I take corrective actions?
4. Is there any configuration that I need to do on the ESA?
5. Is there any action that I need to take on the email server?
Please advise.
Thanks
01-18-2017 09:23 PM
Hi Bilal,
If I understood correctly you have anti-spam and anti-virus enabled on the outgoing mail policy.
With this scanning enabled, if the anti-spam engine is quarantining spam emails from internal users then it is performing its job correctly.
As for external domains such as Yahoo, Gmail and Hotmail, their rules for anti-spam would be different from what Cisco considers spam. Hence, we would not be able to comment on why they are blacklisting a particular IP; you would need to obtain those details from them.
1. ESA uses its own anti-spam rules and would not necessarily match what others consider spam. If there is a particular spam email missed by the Ironport, please submit it to spam@access.ironport.com to get the rules updated.
2. To determine if the internal Exchange server has become an open relay, you would need to monitor which IPs are creating connections with that server. As for the ESA, it would allow relay of all emails from the internal Exchange server as long as it is added to the HAT Relaylist.
3. Connections to your internal Exchange would need to be controlled internally by your network and firewall teams. You can also reach out to Microsoft if that is what you are using as an Exchange.
4. As mentioned, the ESA would allow all IPs added to the HAT Relaylist to send emails outbound; no further configuration is required. Which domains can send emails outbound can be controlled using message filters or outbound mail policies based on your requirement.
Here are a couple of articles for your reference:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200030-Troubleshoot-unwanted-outbound-emails-on.html
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118577-technote-esa-00.html
5. We really cannot comment on what configuration is possible and is required on the Exchange side; Microsoft would have documentation available on their Exchange servers.
Thanks
Libin Varghese
01-20-2017 05:31 AM
Hi Libin,
Thanks for the answer and detailed explanation. The issue is that my internal users are complaining that other domains in addition to Yahoo and Gmail are considering their emails as spam and putting them in junk folders.
Sometimes users are sending emails and recipients claim that they have not received the email from them.
This is a major concern now and I am finding the solution recommended by Cisco.
Thanks
Bilal Ahmad
01-20-2017 05:50 AM
If others are marking your email as spam, you should implement SPF and DKIM.
Then take a look at what and how they are sending it... does it look spammy? Lots of recipients? Lots of bad recipients?
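The volume checks suggested in the reply above (lots of recipients, lots of bad recipients), as an added example that is not part of the thread and is not Cisco tooling. The log lines are constructed, their simplified layout is an assumption, and the thresholds and the names `summarize` and `flag` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified mail-log layout (an assumption;
# adapt the regexes to the log format your gateway actually writes).
SAMPLE_LOG = """\
Info: New SMTP ICID 101 address 10.0.0.20
Info: MID 5001 ICID 101 From: <alice@example.com>
Info: MID 5001 ICID 101 RID 0 To: <partner@example.org>
Info: New SMTP ICID 102 address 10.0.0.77
Info: MID 5002 ICID 102 From: <bob@example.com>
Info: MID 5002 ICID 102 RID 0 To: <a1@example.net>
Info: MID 5002 ICID 102 RID 1 To: <a2@example.net>
Info: MID 5002 ICID 102 RID 2 To: <a3@example.net>
Info: MID 5002 ICID 102 RID 3 To: <a4@example.net>
Info: Bounced: MID 5002 to RID 1 - 5.1.1 - Bad destination mailbox address
Info: Bounced: MID 5002 to RID 2 - 5.1.1 - Bad destination mailbox address
Info: Bounced: MID 5002 to RID 3 - 5.1.1 - Bad destination mailbox address
"""

CONN = re.compile(r"New SMTP ICID (\d+) address (\S+)")
FROM = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")
RCPT = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <")
BOUNCE = re.compile(r"Bounced: MID (\d+) to RID \d+ - 5\.1\.1")

def summarize(log_text):
    """Return {(source_ip, sender): {"rcpts": n, "bad": n}} for each message origin."""
    ip_of_icid, key_of_mid = {}, {}
    stats = defaultdict(lambda: {"rcpts": 0, "bad": 0})
    for line in log_text.splitlines():
        if m := CONN.search(line):            # connection: remember the source IP
            ip_of_icid[m.group(1)] = m.group(2)
        elif m := FROM.search(line):          # message: tie MID to (source IP, sender)
            key_of_mid[m.group(1)] = (ip_of_icid.get(m.group(2), "unknown"), m.group(3))
        elif (m := RCPT.search(line)) and m.group(1) in key_of_mid:
            stats[key_of_mid[m.group(1)]]["rcpts"] += 1
        elif (m := BOUNCE.search(line)) and m.group(1) in key_of_mid:
            stats[key_of_mid[m.group(1)]]["bad"] += 1   # 5.1.1 = bad recipient
    return dict(stats)

def flag(stats, max_rcpts=3, max_bad_ratio=0.5):
    """Origins whose recipient count or bad-recipient ratio exceeds the limits."""
    return sorted(k for k, s in stats.items()
                  if s["rcpts"] > max_rcpts
                  or (s["rcpts"] and s["bad"] / s["rcpts"] > max_bad_ratio))

if __name__ == "__main__":
    print(flag(summarize(SAMPLE_LOG)))
```

Keying on the source IP as well as the sender also shows which internal hosts are submitting mail, which is the connection monitoring mentioned in point 2 of the earlier reply.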