We have an ESA running 12.5.
Our setup is:
Incoming mail from the Internet is scanned for spam/AV etc. and, with the use of a message filter, is routed (alt-mailhost) to another SMTP host for decrypting if needed.
Then the emails come back to the ESA on another listener, are rescanned and either sent to Spam Quarantine or delivered to the internal mailbox if clean.
We observed a strange thing:
From time to time, emails entering the ESA are detected as clean by the ESA, are sent to the alt-mailhost and are tagged as spam when coming back...
Other times it is the opposite: emails are detected as spam, then are routed to alt-mailhost (because alt-mailhost overrides spam quarantine) and when back they are not detected as spam and are delivered to the end user with the Prepend Subject.
It is as if the alt-mailhost changes the spam verdict.
Any ideas to get something reliable?
There are a few areas which could be investigated but let me demonstrate the way we are setting it up:
a) if mail comes in we check for an X-header like X-Appliance=processed
if the header is not there, it is sent to the appliance either via alt mailhost
b) should the header be present we bypass spamcheck etc.
That should do the trick.
Sounds good, but the problem is that the Spam Quarantine will never be triggered when emails come back from alt-mailhost if we bypass Spam Check.
The Spam Quarantine can be an action only when emails come back, because the first time the emails go through the ESA they are routed to alt-mailhost (even if Spam Check is positive, because the alt-mailhost action overrides Spam Quarantine).
Thanks for your message.
I have opened a Cisco TAC.
As stated, the alt-mailhost action in a message filter takes precedence over Spam Quarantine.
From the message tracking, it was said that because the email has the same Message-ID header, and because the ESA sees the same message within a few seconds, it tags the message as SPAM.
What I have done:
- The first time the message enters the ESA, I add a custom header when the message is tagged as SPAM or Suspect, Market....
- I add a new message filter on the private listener (when the message comes back from alt-mailhost) that checks for the custom header. If the header is there (meaning the Spam check was already done the first time), I add the X-Ironport-Spam-Quarantine header so that emails are sent to ISQ.
- Also I disable SpamCheck on the private listener in the Mail Flow Policy.
That way it will not analyze the emails twice and keeps the first verdict, which is the "good" one.
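
The two-pass flow described in the last post, modelled in Python as an added example (it is not the poster's ESA configuration): the header name `X-First-Pass-Verdict`, the `hold-for-review` outcome and the sample message are assumptions. It also drops any sender-supplied copy of the marker header on the first pass, a case the thread does not cover.

```python
from email import message_from_string
from email.message import Message

# Hypothetical header name; the thread does not give the one actually used.
VERDICT_HEADER = "X-First-Pass-Verdict"
# Verdicts that end in the spam quarantine (spam, suspect, marketing in the post).
QUARANTINE_VERDICTS = {"spam", "suspect", "marketing"}

# Constructed sample: an inbound message that already carries a forged marker.
SAMPLE = (
    "From: sender@example.org\n"
    "To: user@example.com\n"
    "Message-ID: <constructed-1@example.org>\n"
    "X-First-Pass-Verdict: clean\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def first_pass(raw: str, scanner_verdict: str) -> Message:
    """Public listener: scan once, record the verdict, hand off to alt-mailhost."""
    msg = message_from_string(raw)
    # Remove every copy the sender supplied so only this hop's verdict survives;
    # otherwise an outside sender could pre-set "clean".
    del msg[VERDICT_HEADER]
    msg[VERDICT_HEADER] = scanner_verdict
    return msg


def second_pass(msg: Message) -> str:
    """Private listener: no rescan, route on the recorded first verdict."""
    verdicts = msg.get_all(VERDICT_HEADER, [])
    if len(verdicts) != 1:
        # Missing or duplicated marker: the message did not take the expected
        # path through the first pass (assumed handling, not from the thread).
        return "hold-for-review"
    verdict = verdicts[0].strip().lower()
    del msg[VERDICT_HEADER]  # internal marker, not meant for the end user
    return "spam-quarantine" if verdict in QUARANTINE_VERDICTS else "deliver"


if __name__ == "__main__":
    for v in ("spam", "clean"):
        print(v, "->", second_pass(first_pass(SAMPLE, v)))
```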