ESA Deployment
09-12-2013 12:41 PM
Hi Community,
I have a client with an ESA as the first mail server coming from the Internet and last one on the path out.
This client is a University and the default ESA settings are not stopping much of the spam received.
What I would like to ask is any recommendations or reference to deploying the ESA in a University where the recipients are just too many and too dynamic to maintain in a list (LDAP), and any guidance or best practices.
Thank you very much,
Federico.
09-16-2013 07:16 AM
Hi Federico,
Anti-Spam Best Practices
- Verify that inbound messages are being scanned by the antispam engine. Do a message track on a recent message and check that it was scanned.
  - Go to MONITOR > MESSAGE TRACKING
  - Search for the email in question
  - Click the 'Show Details' link next to the email in question
  Look for the Antispam engine (CASE) verdict. Example:
  Thu Sep 12 13:21:09 2013 Info: MID 2359 interim verdict using engine: CASE spam negative
  Thu Sep 12 13:21:09 2013 Debug: MID 2359 using engine: CASE definitely negative
  Thu Sep 12 13:21:09 2013 Info: MID 2359 using engine: CASE spam negative
- Verify that you are receiving anti-spam rule updates
  - Check to confirm that the most recent time stamps for updates under Security Services > Anti-Spam are from within the last 2 hours
- Check the Inbound Mail Policies for how IronPort Anti-Spam verdicts are handled. Make sure SPAM positive and suspect messages are dropped or quarantined in the default policy, and that all other policies either use the default behavior or deliberately override the default.
- Many spammers send emails to a high number of invalid addresses, so blocking senders who send to invalid recipients can also decrease spam.
- If LDAP accept is already on, make sure Directory Harvest Protection (DHAP) is also configured for each inbound listener with maximum invalid attempts between 5 and 10 per IP.
- Review the following article on LDAP Accept
  How to use LDAP Accept Query to validate the recipients of inbound messages using Microsoft Active Directory (LDAP)?
  Knowledge Base Answer ID: 156
  http://tools.cisco.com/squish/4680c
- Please refer to "How do I report IronPort Anti-Spam false positives or missed spam?", which details how to submit messages and verify that submissions to these addresses are in the correct format (i.e. MIME attachments of complete un-mangled messages with full headers). See "How do I create RFC-822 MIME encoded attachments?" for more details.
http://www.cisco.com/en/US/docs/security/esa/esa7.5/ESA_7.5_Daily_Management_Guide.pdf
http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_Configuration_Guide.pdf
http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_AdvancedGuide.pdf
http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_CLI_Reference_Guide.pdf
Hope this helps.
Regards,
Stephan
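A small parser for the CASE verdict lines quoted in the answer above, added here as an illustration (it is not part of the original post or of Cisco's tooling): it reports the final verdict per MID and lists messages that appear in the log without any CASE verdict. The sample log is constructed, and treating the Info-level, non-interim line as the final verdict is an assumption drawn from the example in the post.

```python
import re

# Constructed sample in the mail-log format quoted in the post above.
# Only MID 2359 comes from the post; MIDs 2360 and 2361 are made up.
SAMPLE_LOG = """\
Thu Sep 12 13:21:09 2013 Info: MID 2359 interim verdict using engine: CASE spam negative
Thu Sep 12 13:21:09 2013 Debug: MID 2359 using engine: CASE definitely negative
Thu Sep 12 13:21:09 2013 Info: MID 2359 using engine: CASE spam negative
Thu Sep 12 13:21:15 2013 Info: MID 2360 interim verdict using engine: CASE spam suspect
Thu Sep 12 13:21:15 2013 Info: MID 2360 using engine: CASE spam positive
Thu Sep 12 13:21:20 2013 Info: MID 2361 ready 1024 bytes from <sender@example.net>
"""

# "<weekday> <month> <day> <hh:mm:ss> <year> <Level>: MID <n> <rest>"
LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} (?P<level>\w+): MID (?P<mid>\d+) (?P<rest>.*)$"
)
VERDICT_RE = re.compile(
    r"^(?P<interim>interim verdict )?using engine: CASE (?P<verdict>.+)$"
)


def case_verdicts(log_text):
    """Map each MID seen in the log to its final CASE verdict (None if absent)."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a per-message line in the expected format
        mid = int(m.group("mid"))
        verdicts.setdefault(mid, None)  # message exists, verdict not yet seen
        v = VERDICT_RE.match(m.group("rest"))
        # Assumption: the Info-level, non-interim line carries the final verdict.
        if v and not v.group("interim") and m.group("level") == "Info":
            verdicts[mid] = v.group("verdict")
    return verdicts


def unscanned(log_text):
    """MIDs that have log lines but never received a final CASE verdict."""
    return [mid for mid, v in case_verdicts(log_text).items() if v is None]


if __name__ == "__main__":
    for mid, verdict in case_verdicts(SAMPLE_LOG).items():
        print(mid, verdict or "NO CASE VERDICT (check policy / engine status)")
```
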
09-16-2013 10:47 AM
Federico,
You can also reach the PDI team for these kinds of questions. PDI was developed to assist Cisco Partners in the Planning, Designing and Implementing phases.
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
