Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
952
Views
5
Helpful
3
Replies

ESA SPAM Message Inquiry

Mady
Level 4
Level 4

‎04-04-2017 06:18 PM

Hi,

We have 6 spam messages for 24 hours however when we check it on message tracking with envelope sender as our domain (ex. sampledomain.com) only 3 messages appeared and it shows below:

Sender: 1234-45678-0987-lbriley=sampledomain.com@mail.endottak.us

Recipient: lbriley@sampledomain.com

Can you explain what does lbriley=sampledomain.com at the sender? Also, why does message tracking only shows 3 instead of 6 since ESA reported that it has 6 spam messages.

Thanks in advance!

Regards,

Mady

Labels:
0 Helpful
3 Replies 3

Libin Varghese
Cisco Employee
Cisco Employee

‎04-05-2017 05:46 AM

Hi Mady,

Messages reported in the Overview and Incoming Mail pages are categorized as follows:

• Stopped by Reputation Filtering: All connections blocked by HAT policies multiplied by a fixed multiplier (see Notes on Counting Messages in Email Security Monitor) plus all recipients blocked by recipient throttling.
• Invalid Recipients: All recipients rejected by conversational LDAP rejection plus all RAT rejections.
• Spam Messages Detected: The total count of messages detected by the anti-spam scanning engine as positive or suspect and also those that were both spam and virus positive.
• Virus Messages Detected: The total count and percentage of messages detected as virus positive and not also spam.

Note If you have configured your anti-virus settings to deliver unscannable or encrypted messages, these messages will be counted as clean messages and not virus positive. Otherwise, the messages are counted as virus positive.

The address 1234-45678-0987-lbriley=sampledomain.com@mail.endottak.us is the envelope sender provided to the ESA by the sending server. The ESA is a relay appliance which processes the email headers as is provided so you would need to check on the sending server as to why such an email address was provided.

Thank You!
Libin Varghese

0 Helpful

Mady
Level 4
Level 4
In response to Libin Varghese

‎04-05-2017 06:18 AM

Hi Libin,

Thanks for your reply. I already checked the server which sent that email and it has poor reputation. However, I am just curious why that mail server used an email sender that seems to be from our internal domain. How do they know which users are available on our domain that they're able to use it as a spam message.

Thanks for helping me. :)

Regards,

Mady 

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to Mady

‎04-05-2017 06:35 AM

I've normally seen this on subscription emails or automated marketing emails which are generated as a result of URLs subscribed to by email users.

Reviewing the email content or subject should confirm this and also provide options to unsubscribe.

- Libin V

Customers Also Viewed These Support Documents