ESA false positives and SPAM verdict

maraz
Level 1

A customer of mine thinks there are a lot of false positives regarding their current ESA solution. Version is/was 9.7.X. Also, they would like to know why a mail is classified as SPAM, not just the SBRS.

3 Replies

Libin Varghese
Cisco Employee

From the end user guides, anti-spam working is defined below:

IronPort Anti-Spam addresses a full range of known threats including spam, phishing and zombie attacks, as well as hard-to-detect low volume, short-lived email threats such as “419” scams. In addition, IronPort Anti-Spam identifies new and evolving blended threats such as spam attacks distributing malicious content through a download URL or an executable.

To identify these threats, IronPort Anti-Spam examines the full context of a message: its content, methods of message construction, the reputation of the sender, the reputation of web sites advertised in the message, and more. IronPort Anti-Spam combines the power of email and web reputation data, leveraging the full power of the world's largest email and web traffic monitoring network — SenderBase — to detect new attacks as soon as they begin.

IronPort Anti-Spam analyzes over 100,000 message attributes across the following dimensions:
• Email reputation — who is sending you this message?
• Message content — what content is included in this message?
• Message structure — how was this message constructed?
• Web reputation — where does the call to action take you?

Analyzing multi-dimensional relationships allows the system to catch a broad range of threats while maintaining accuracy. For example, a message that has content claiming to be from a legitimate financial institution but that is sent from an IP address on a consumer broadband network or that contains a URL hosted on a “zombie” PC will be viewed as suspicious. In contrast, a message coming from a pharmaceutical company with a positive reputation will not be tagged as spam even if the message contains words closely correlated with spam.

If there are false positives for the anti-spam engine you can submit the email sample as an attachment to ham@access.ironport.com.

Regards,

Libin Varghese

The problem is that the customer has many, many false positives and it would ease the burden to get a more precise verdict so they maybe can tune their . Also, they are dealing with classified information so they are reluctant to send any information to Cisco.

The anti-spam rules are published and maintained globally so they cannot be modified for a single appliance.

If there are multiple false positives the customer can bypass anti-spam scanning for trusted senders.

If the scanning thresholds are set to default under Mail Policies -> Incoming Mail Policies (90 for positive spam and 50 for suspect spam) then submitting the email samples would be the only way to get the rules updated accurately.

Regards,

Libin Varghese