How do you view the suspected spam score in ESA?

keithsauer507
Level 5

Hello, sorry if this is the wrong format, asking a question isn't an option, so the only other option with a title and body text control is create a blog. 

I have email from a title company that sends us signed mortgage documents from "Proofpoint Essentials on behalf of"@storage1.at1.mdlocal

The Reply-To address is do-not-reply@proofpointessentials.com

The message is a link to an online site to view the encrypted contents. I've heard of Proofpoint, basically they have a competing product to Cisco IronPort ESA. Anyway the end user at our organization never receives the email. Instead it goes to Suspected Spam quarantine. I can view the message details but nowhere does it say the current suspected spam score. Currently we have suspected spam score set to 40. I'm not sure how low I need to adjust it in order for me to get these messages through. Any ideas how to stop this from going to suspected spam?

2 Replies

zalali
Cisco Employee

Keith,

As far as I understand, a HAM email was quarantined as suspect spam and you want to know if there's a way to view the message score to adjust the CASE thresholds on the matched policy to guarantee receiving this email.

The message score is not logged on the ESA, and although you can adjust the CASE score thresholds, it's not recommended to make it too aggressive to avoid false results. If you want to adjust the threshold you have to be careful; most of the time up to 10 pts should be enough (40-80).

Moving on, you can report these misclassified messages to our anti-spam team to analyze and publish new CASE rules to rectify the issue. Here's an article showing how to report misclassified spam messages: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117822-qanda-esa-00.html

Regards,

Zaid Al-Ali

Thanks for the link, that is definitely one to bookmark for these situations. Currently we are set to 40 for suspected spam and 80 for positively identified spam. Occasionally we will get a random email with gibberish in it (like a bunch of random thoughts in random sentences that make no sense at all). So I think doing anything to relax the spam filters would be a step in the wrong direction. So I have it being analyzed by a Cisco TAC support engineer right now.

On another note why isn't the score listed in message tracking or even in a column in any of the Spam quarantines?  No that would be too easy wouldn't it?  Is anyone from Cisco here able to throw this into the software development ideas for future releases?

Also I have an issue with a particular company going into a quarantine queue due to DMARC verification failed. I want DMARC on but don't want this one particular company filtered in (we have to manually go in this queue every few hours and release any messages). It doesn't say WHY DMARC failed, do you know how to tell? I went to dmarcian.com and checked this vendor's DMARC record and it's a valid DMARC TXT record, so I'm not sure who to contact and with what information.
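A sender whose DMARC record is valid can still fail DMARC verification when the identifiers do not align, which is common when a third party relays or signs the mail under its own domain. As an added example that is not from this thread or from Cisco, the script below evaluates a DMARC record offline against the SPF and DKIM results of a message and reports which path failed and why; all domain names are constructed, and the organisational-domain logic is a simplification (assumption: no Public Suffix List lookup).

```python
# Added example (not from the thread or from Cisco): offline DMARC evaluation
# that explains which identifier failed to align. All domains are constructed.

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=quarantine; aspf=r' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    # Approximation of the organisational domain: the last two labels.
    # A real evaluator consults the Public Suffix List (assumption for brevity).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' needs an exact match, 'r' the same organisational domain."""
    f, a = header_from.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def check_path(name: str, header_from: str, result: str, domain: str, mode: str):
    """Return None when this path (SPF or DKIM) passed and aligns, else the reason it did not."""
    if result != "pass":
        return f"{name} result is '{result}' for {domain or '(no domain)'}"
    if not aligned(header_from, domain, mode):
        return f"{name} passed for {domain} but is not aligned with From: {header_from} (mode={mode})"
    return None


def evaluate(dmarc_txt, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (passed, policy, reasons). DMARC passes if at least one aligned path passed."""
    tags = parse_dmarc(dmarc_txt)
    reasons = [r for r in (
        check_path("SPF", header_from, spf_result, spf_domain, tags.get("aspf", "r")),
        check_path("DKIM", header_from, dkim_result, dkim_domain, tags.get("adkim", "r")),
    ) if r]
    return len(reasons) < 2, tags.get("p", "none"), reasons


if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; aspf=s; adkim=r"   # constructed vendor record
    # Constructed case: vendor mail relayed and DKIM-signed by a third party's own domain
    ok, policy, why = evaluate(record, "vendor.example", "pass", "relay.example",
                               "pass", "relay.example")
    print("DMARC", "pass" if ok else f"fail -> policy {policy}", *why, sep="\n  ")
```

The Authentication-Results header the ESA adds to the message carries the same SPF and DKIM results and domains, so the reasons printed here are what to send the vendor when asking them to fix alignment.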