
ESA C360 Spam Emails from Internal Users

Bilal Ahmad
Level 1

Hi 

I have a Cisco ESA C360 and I have configured the anti-spam and anti-virus engines as per the Cisco default configuration and best practices. Still, when I look at my spam folder in the ESA, I find millions of spam messages from the last seven days, and the count creeps to many when I search the spam folder for last month and two months before.

With this amount of spam email I am blacklisted by the ISP, and most of my users complain that our emails are treated as junk by Internet MTAs like Yahoo, Gmail and Hotmail, etc.

I need advice on what is wrong with the IronPort, how I can stop this scenario, and how I can retain my reputation with the ISP. Also I need to know:

1. Why the ESA is not stopping all the spam emails generated by internal users.

2. How can I know that my email server has not become a spam mail relay?

3. How can I take corrective actions?

4. Is there any configuration that I need to do on the ESA?

5. Is there any action that I need to take on the email server?

Please advise.

Thanks

 

3 Replies

Libin Varghese
Cisco Employee

Hi Bilal,

If I understood correctly, you have anti-spam and anti-virus enabled on the outgoing mail policy.

With this scanning enabled, if the anti-spam engine is quarantining spam emails from internal users, then it is performing its job correctly.

As for external domains such as Yahoo, Gmail and Hotmail, their rules for anti-spam would be different from what Cisco considers spam. Hence, we would not be able to comment on why they are blacklisting a particular IP; you would need to obtain those details from them.

1. ESA uses its own anti-spam rules and would not necessarily match what others consider spam. If there is a particular spam email missed by the IronPort, please submit it to spam@access.ironport.com to get the rules updated.

2. To determine if the internal Exchange server has become an open relay, you would need to monitor which IPs are creating connections with that server. As for the ESA, it would allow relay of all emails from the internal Exchange server as long as it is added to the HAT Relaylist.

3. Connections to your internal Exchange would need to be controlled internally by your network and firewall teams. You can also reach out to Microsoft if that is what you are using as an exchange.

4. As mentioned, the ESA would allow all IPs added to the HAT Relaylist to send emails outbound; no further configuration is required. Which domains can send emails outbound can be controlled using message filters or outbound mail policies based on your requirement.

Here are a couple of articles for your reference:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200030-Troubleshoot-unwanted-outbound-emails-on.html

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118577-technote-esa-00.html

5. We really cannot comment on what configuration is possible and is required on the Exchange side. Microsoft would have documentation available on their Exchange servers.

Thanks

Libin Varghese

Hi Libin,

Thanks for the answer and detailed explanation. The issue is that my internal users are complaining that other domains, in addition to Yahoo and Gmail, are considering their emails as spam and putting them in junk folders.

Sometimes users are sending emails and recipients are claiming that they have not received the email from them.

This is a major concern now and I am finding the solution recommended by Cisco.

Thanks

Bilal Ahmad

If others are marking your email as spam, you should implement SPF and DKIM.

Then take a look at what and how they are sending it... does it look spammy? Lots of recipients? Lots of bad recipients?
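
One way to answer the "lots of recipients, lots of bad recipients" questions raised in the last reply, as an added example that is not part of the thread and not Cisco tooling. It tallies recipients and bounces per envelope sender from text mail logs; the log layout, the sample lines and the function names and thresholds are assumptions to adapt to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout (MID/ICID/RID/DCID fields) is an assumed
# text mail-log format; adjust the patterns to what your appliance writes.
SAMPLE_LOG = """\
Info: MID 5001 ICID 101 From: <alice@example.com>
Info: MID 5001 ICID 101 RID 0 To: <bob@partner.example>
Info: MID 5002 ICID 102 From: <jdoe@example.com>
Info: MID 5002 ICID 102 RID 0 To: <a1@mail.example>
Info: MID 5002 ICID 102 RID 1 To: <a2@mail.example>
Info: MID 5002 ICID 102 RID 2 To: <a3@mail.example>
Info: MID 5002 ICID 102 RID 3 To: <a4@mail.example>
Info: Bounced: DCID 9 MID 5002 to RID 0 - 5.1.1 - Bad destination mailbox address
Info: Bounced: DCID 9 MID 5002 to RID 2 - 5.1.1 - Bad destination mailbox address
Info: Bounced: DCID 9 MID 5002 to RID 3 - 5.1.1 - Bad destination mailbox address
"""

FROM_RE = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")
TO_RE = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <[^>]*>")
BOUNCE_RE = re.compile(r"Bounced: DCID \d+ MID (\d+) to RID \d+")

def sender_stats(lines):
    """Count messages, recipients and bounces per envelope sender."""
    mid_sender = {}  # message ID -> envelope sender
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "bounces": 0})
    for line in lines:
        if m := FROM_RE.search(line):
            mid_sender[m[1]] = m[2].lower()
            stats[mid_sender[m[1]]]["messages"] += 1
        elif (m := TO_RE.search(line)) and m[1] in mid_sender:
            stats[mid_sender[m[1]]]["recipients"] += 1
        elif (m := BOUNCE_RE.search(line)) and m[1] in mid_sender:
            stats[mid_sender[m[1]]]["bounces"] += 1
    return stats

def flag_senders(stats, max_rcpts=100, max_bounce_ratio=0.2):
    """Return (sender, recipients, bounce ratio) for senders over either limit."""
    flagged = []
    for sender, s in stats.items():
        ratio = s["bounces"] / s["recipients"] if s["recipients"] else 0.0
        if s["recipients"] > max_rcpts or ratio > max_bounce_ratio:
            flagged.append((sender, s["recipients"], round(ratio, 2)))
    return sorted(flagged, key=lambda item: -item[1])

if __name__ == "__main__":
    for row in flag_senders(sender_stats(SAMPLE_LOG.splitlines())):
        print(row)
```

A sender that suddenly shows a high recipient count or bounce ratio is a candidate for a compromised account or infected host and is worth checking before requesting delisting.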
