Getting a massive amount of spam out of nowhere

BubbaFret
Level 1

I have ESA virtual appliances running the latest version.

Out of nowhere, certain users are getting flooded with spam (100/hr)

From what I can see it is all classified as graymail/marketing.


Right now I take no action on Bulk/Marketing/Social emails to reduce false positives. If I turn bulk/marketing on, in the past I would have all kinds of legitimate messages blocked.

 

What is everyone running for graymail settings, and is anyone else getting flooded?

I've always had a problem with spam and have had Cisco look at our settings a ton of times in the past.

3 Replies

marc.luescherFRE
Spotlight

Hi there,

 

as you have already experienced, there is no easy answer to greymail. Based on 10+ years of attempts to fine-tune the settings, we have settled on the following approach:

 

a) for each of the 3 types bulk, social and marketing we added an x-header so we can better understand what is going on

b) for each of the x-headers we have created a separate policy quarantine to keep a copy of the messages for ongoing analysis

c) for marketing we have set the default to send to the end user SPAM quarantine

d) for social and bulk we still deliver as is.

e) to protect against abusers or massive spammers we have created two policies: one is our manual blacklist and is used to add abusers so they are blocked for good; the other one is the whitelist policy called Trusted Senders and Systems, so we can bypass our default greymail settings should there be a valid business need or we get false positives in our PVOs.

 

I hope this helps and gives you some ideas,

 

-Marc
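The decision flow Marc lays out (trusted-sender bypass first, manual blacklist next, then the per-category graymail default with a copy kept in a per-category policy quarantine) is the kind of thing worth testing against saved messages before touching a production ESA. The script below is an added illustration written for this thread, not Cisco code and not Marc's actual configuration. It assumes a header named X-Graymail-Category carrying the bulk/social/marketing verdict (a stand-in for whatever X-header your content filter stamps), and the sample messages and list entries are constructed for the example.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample messages (not real mail). The X-Graymail-Category header name is
# an assumption: it stands in for whatever X-header the ESA content filter stamps on
# bulk / social / marketing verdicts in the setup described above.
SAMPLES = {
    "marketing": (b"From: promo@shop.example\r\nTo: user@corp.example\r\n"
                  b"Subject: Weekend sale\r\nX-Graymail-Category: marketing\r\n\r\n"
                  b"Everything 20% off.\r\n"),
    "social": (b"From: notify@social.example\r\nTo: user@corp.example\r\n"
               b"Subject: You have 3 new followers\r\nX-Graymail-Category: social\r\n\r\n"
               b"See who followed you.\r\n"),
    "bulk": (b"From: list@mailer.example\r\nTo: user@corp.example\r\n"
             b"Subject: Digest\r\nX-Graymail-Category: bulk\r\n\r\nWeekly digest.\r\n"),
    "trusted_marketing": (b"From: Vendor News <news@vendor.example>\r\nTo: user@corp.example\r\n"
                          b"Subject: Release notes\r\nX-Graymail-Category: marketing\r\n\r\n"
                          b"New release.\r\n"),
    "blacklisted": (b"From: deals@abuser.example\r\nTo: user@corp.example\r\n"
                    b"Subject: !!!\r\nX-Graymail-Category: bulk\r\n\r\nBuy now.\r\n"),
    "plain": (b"From: colleague@corp.example\r\nTo: user@corp.example\r\n"
              b"Subject: Lunch?\r\n\r\nNoon?\r\n"),
}

# Manual lists (constructed). Entries may be full addresses or bare domains.
TRUSTED_SENDERS = {"vendor.example"}   # the "Trusted Senders and Systems" bypass
MANUAL_BLACKLIST = {"abuser.example"}  # abusers blocked for good

# Default action per graymail category: marketing goes to the end-user spam
# quarantine, social and bulk are delivered as-is.
CATEGORY_ACTION = {"marketing": "spam_quarantine", "social": "deliver", "bulk": "deliver"}


def decide(raw: bytes) -> dict:
    """Return the action, the policy-quarantine copy (if any) and the reason."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    category = (msg.get("X-Graymail-Category") or "").strip().lower()

    # Order matters: the whitelist is checked first so a business-critical sender
    # is never caught by the graymail defaults, then the blacklist, then graymail.
    if addr in TRUSTED_SENDERS or domain in TRUSTED_SENDERS:
        return {"action": "deliver", "policy_quarantine": None, "reason": "trusted sender bypass"}
    if addr in MANUAL_BLACKLIST or domain in MANUAL_BLACKLIST:
        return {"action": "block", "policy_quarantine": None, "reason": "manual blacklist"}
    if category in CATEGORY_ACTION:
        # A copy always goes to the per-category policy quarantine for later analysis.
        return {"action": CATEGORY_ACTION[category],
                "policy_quarantine": f"pq-{category}",
                "reason": f"graymail verdict: {category}"}
    return {"action": "deliver", "policy_quarantine": None, "reason": "no graymail verdict"}


def run_all(samples: dict) -> dict:
    """Decide every sample; useful for checking a rule change against saved messages."""
    return {name: decide(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_all(SAMPLES).items():
        print(f"{name:18} -> {verdict['action']:16} copy_to={verdict['policy_quarantine']}  ({verdict['reason']})")
```

Running it prints one line per sample; the marketing message lands in the spam quarantine with a copy in pq-marketing, the same category from the trusted vendor domain is delivered untouched, and the blacklisted domain is blocked regardless of its graymail verdict. Keeping the checks in that order is what lets the whitelist act as the safety valve for false positives without weakening the defaults for everyone else.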

Mathew Huynh
Cisco Employee

Hey Bubba,

 

To add on top of what Marc shared: typically marketing emails are coming from known sources or businesses and are generally considered more of an 'expected' subscribed business or mailer.


Whereas bulk can come from other mail-list services which are not as well known or lesser. If on your greymail engine you're seeing a lot of BULK, consider if they are really legitimate and perhaps put them into spam quarantine if not.

 

Regards,

Mathew

What I am finding by prepending tags on the subject line is that both produce false positives. Emails that users have subscribed to and want to receive are being tagged as Marketing or Bulk. Having to then go and whitelist everything is counterproductive.