ESA strange behaviour with SPAM detection when using alt-mailhost

Hello,

We have an ESA running 12.5.

Our setup is:

Incoming mail from the Internet is scanned for spam/AV etc., and with the use of a message filter is routed (alt-mailhost) to another SMTP host for decrypting if needed.

Then the emails come back to the ESA on another listener, are rescanned and either sent to the Spam Quarantine or delivered to the internal mailbox if clean.

We observed a strange thing:

From time to time, emails entering the ESA are detected as clean by the ESA, are sent to the alt-mailhost and are tagged as spam when coming back...

Other times it is the opposite: emails are detected as spam, then are routed to the alt-mailhost (because alt-mailhost overrides the spam quarantine) and when back they are not detected as spam and are delivered to the end user with the prepended subject.

It is as if the alt-mailhost changes the spam verdict.

Any ideas to get something reliable?


Thanks


There are a few areas which could be investigated, but let me show the way we are setting it up:

a) If mail comes in, we check for an X-header like X-Appliance=processed; if the header is not there, send to the appliance via alt-mailhost.

b) Should the header be present, we bypass the spam check etc.

That should do the trick.


-Marc


Hello Marc,

Sounds good, but the problem is that the Spam Quarantine will never be triggered when emails come back from the alt-mailhost if we bypass the spam check.

The Spam Quarantine can be an action only when emails come back, because the first time the emails go through the ESA they are routed to the alt-mailhost (even if the spam check is positive, because the alt-mailhost action overrides Spam Quarantine).

Cisco Employee

Hey Roman,

This is curious.
Typically, if you have set alt-mailhost in a message filter, all emails will be tagged; this much is true. And if marked to be sent to the quarantine, typically the quarantine flag should take precedence over the alt-mailhost flag that was set first.

However, in the event it's not, and it goes to this alternate host for processing and is sent back in, if there is a header inserted inside the email to send it to quarantine, it would go there.

But there is one thing I would like to say, and that is to not double-handle emails in this manner: if the email was sent out to the alternate mail host with some spammy content, and the mail host sends it back in with the same content, the ESA would see the spammy content coming from the IP of the alternate host, and that could negatively impact it.

I believe there are some things that need to be further reviewed; I believe a good starting point is if we could get the message tracking on the email on the first pass, and also the same email reinjected back into the alternate listener, to verify (having the message headers is also helpful).

-- I would suggest, if sharing on the forum, to remove any sensitive information; else contact Cisco TAC to work out why this behaviour is occurring.

Regards,
Mathew

Hi Mathew,

Thanks for your message.

I have opened a Cisco TAC case.

As stated, the alt-mailhost action in a message filter takes precedence over Spam Quarantine.

From the message tracking, it was said that because the email has the same Message-ID header, and because the ESA sees the same message within a few seconds, it tags the message as SPAM.

What I have done:

- The first time the message enters the ESA, I add a custom header when the message is tagged as SPAM or Suspect, Market....

- I added a new message filter on the private listener (where the message comes back from the alt-mailhost) checking for the custom header. If the header is there (meaning the spam check was already done the first time), I add the X-Ironport-Spam-Quarantine header so that the emails are sent to the ISQ.

- Also, I disabled the spam check on the private listener in the Mail Flow Policy.

That way it will not analyze the emails twice and keeps the first verdict, which is the "good" one.

Romain
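As an added sketch (not configuration from this thread), the AsyncOS message filters below show the header-based flow Marc and Romain describe: route to the decrypting host only on the first pass, and on the return pass keep the first verdict instead of rescanning. The listener names, the alt-mailhost name, the marker header name and the X-Ironport-Spam-Quarantine value are assumed placeholders; the marker itself is added by the anti-spam "add custom header" action in the incoming mail policy, since message filters run before anti-spam scanning and cannot read the verdict.

```text
# Added example, not from the thread. Assumed placeholders: listeners
# "PublicListener" and "PrivateListener", alt-mailhost "decrypt.example.net",
# marker header "X-Example-Spam-Verdict" (set on the first pass by the
# anti-spam action in the mail policy, not by a filter), and the quarantine
# header value "ASSUMED-VALUE", which the thread does not give.

# First pass only: mail that arrives on the public listener goes to the
# decrypting host. Keying on the listener (not on header absence) avoids
# re-routing a clean return copy that carries no marker.
RouteToDecryptOnce:
if (recv-listener == "PublicListener")
{
    alt-mailhost("decrypt.example.net");
}

# Return pass: never rescan, so the first verdict cannot flip (the equivalent
# of disabling the spam check in the private listener's mail flow policy).
KeepFirstVerdict:
if (recv-listener == "PrivateListener")
{
    skip-spamcheck();
}

# Return pass, tagged on the first pass: send the copy to the spam quarantine,
# using the header Romain's post names (value is a placeholder).
QuarantineTaggedReturn:
if ((recv-listener == "PrivateListener") and header("X-Example-Spam-Verdict"))
{
    insert-header("X-Ironport-Spam-Quarantine", "ASSUMED-VALUE");
}
```

Check with message tracking that the return copy shows no second anti-spam verdict and that only messages carrying the marker reach the ISQ.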