Andres Bohren
Beginner

How to test the Central Spam Quarantine on M670?

Hi all,

We have two new IronPort C370s. I want to test the Central Spam Quarantine on the M670.

How can I flag or tag a message so that it is transferred to the Central Spam Quarantine?

Is there a way with a Message Filter?

Regards

Andres

3 REPLIES
Andres Bohren
Beginner

Hi all,

I have created an Incoming Content Filter
BOA_Quarantine  BOA_Quarantine: if (mail-from == a.bohren@somwhere.com) { insert-header("X-Ironport-Quarantine", "Quarantine"); }

I created an Incoming Mail Policy "test_SPAM_BOA" which uses the incoming Content Filter "BOA_Quarantine".

And this is what is on the Message Tracking Log
01 May 2012 22:30:06 (GMT +02:00)  Message 6 matched per-recipient policy test_SPAM_BOA for inbound mail policies. 
01 May 2012 22:30:06 (GMT +02:00)  Message 6 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN 
01 May 2012 22:30:06 (GMT +02:00)  Message 6 scanned by Anti-Virus engine. Final verdict: Negative 
01 May 2012 22:30:06 (GMT +02:00)  Message 6 queued for delivery. 
01 May 2012 22:30:08 (GMT +02:00)  Remote procedure call connection (RCID 81) started for message 6 to local Spam Quarantine. 
01 May 2012 22:30:09 (GMT +02:00)  Message 6 quarantined in Spam Quarantine. 


It seems that the message goes to the local Spam Quarantine instead of the Central Quarantine on the M670. Any ideas?

Regards Andres

Hi all,

I think I found the answer.

The local Quarantine on the C370 has to be disabled.


03 May 2012 02:43:35 (GMT +02:00)  Start message 8 on incoming connection (ICID 27). 
03 May 2012 02:43:35 (GMT +02:00)  Message 8 enqueued on incoming connection (ICID 27) from A.Bohren@source.com
03 May 2012 02:43:35 (GMT +02:00)  Message 8 on incoming connection (ICID 27) added recipient (andres.bohren@target.com). 
03 May 2012 02:43:35 (GMT +02:00)  Message 8 contains message ID header '<8B7839D15D4B244291456383B03369CC5DF6801C@ICESRV01.source.com>'
03 May 2012 02:43:35 (GMT +02:00)  Message 8 original subject on injection: Test SPAM 03.05.2012 02:41 
03 May 2012 02:43:35 (GMT +02:00)  Message 8 (7695 bytes) from A.Bohren@source.com ready. 
03 May 2012 02:43:35 (GMT +02:00)  Message 8 matched per-recipient policy test_SPAM_BOA for inbound mail policies. 
03 May 2012 02:43:35 (GMT +02:00)  Message 8 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN 
03 May 2012 02:43:35 (GMT +02:00)  Message 8 scanned by Anti-Virus engine. Final verdict: Negative 
03 May 2012 02:43:35 (GMT +02:00)  Message 8 queued for delivery. 
03 May 2012 02:44:35 (GMT +02:00)  (DCID 87) Delivery started for message 8 to andres.bohren@target.com to offbox Spam Quarantine 
03 May 2012 02:44:35 (GMT +02:00)  (DCID 87) Delivery details: Message 8 sent to andres.bohren@target.com delivered to external ISQ. 
03 May 2012 02:44:35 (GMT +02:00)  Message 8 to andres.bohren@target.com received remote SMTP response 'ok: Message 4 accepted'.

For testing if SPAM Messages are blocked - this test can be made with GTUBE - Generic Test for Unsolicited Bulk Email http://spamassassin.apache.org/gtube/

Just insert this String into a Message

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

03 May 2012 03:06:05 (GMT +02:00)  Start message 9 on incoming connection (ICID 28).
03 May 2012 03:06:05 (GMT +02:00)  Message 9 enqueued on incoming connection (ICID 28) from A.Bohren@source.com
03 May 2012 03:06:05 (GMT +02:00)  Message 9 on incoming connection (ICID 28) added recipient (andres.bohren@target.com).
03 May 2012 03:06:06 (GMT +02:00)  Message 9 contains message ID header '<8B7839D15D4B244291456383B03369CC5DF6805C@ICESRV01.corp.icewolf.ch>'
03 May 2012 03:06:06 (GMT +02:00)  Message 9 original subject on injection: SPAMTEST 03.05.2012 03:05
03 May 2012 03:06:06 (GMT +02:00)  Message 9 (7693 bytes) from A.Bohren@source.com ready.
03 May 2012 03:06:06 (GMT +02:00)  Message 9 matched per-recipient policy DEFAULT for inbound mail policies.
03 May 2012 03:06:06 (GMT +02:00)  Message 9 encountered CASE down (1/10). Retry scanning in 12 seconds.
03 May 2012 03:06:26 (GMT +02:00)  Message 9 scanned by Anti-Spam engine: CASE. Interim verdict: Positive
03 May 2012 03:06:26 (GMT +02:00)  Message 9 scanned by Anti-Spam engine: CASE. Final verdict: Positive
03 May 2012 03:06:26 (GMT +02:00)  Message 9 aborted: Dropped by CASE

Works like a charm

Regards

Andres
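
Added example, not part of the original posts: a small Python check that reads Message Tracking lines like the ones quoted in this thread and reports, per message ID, whether the message went to the local quarantine, to the off-box (central) quarantine, or was dropped by the anti-spam engine. The phrase-to-disposition mapping is an assumption based only on the log wording shown above, and the function names are illustrative.

```python
import re

# Lines copied from the Message Tracking excerpts in the thread above.
SAMPLE_LOG = """\
01 May 2012 22:30:08 (GMT +02:00)  Remote procedure call connection (RCID 81) started for message 6 to local Spam Quarantine.
01 May 2012 22:30:09 (GMT +02:00)  Message 6 quarantined in Spam Quarantine.
03 May 2012 02:43:35 (GMT +02:00)  Message 8 queued for delivery.
03 May 2012 02:44:35 (GMT +02:00)  (DCID 87) Delivery started for message 8 to andres.bohren@target.com to offbox Spam Quarantine
03 May 2012 02:44:35 (GMT +02:00)  (DCID 87) Delivery details: Message 8 sent to andres.bohren@target.com delivered to external ISQ.
03 May 2012 03:06:26 (GMT +02:00)  Message 9 scanned by Anti-Spam engine: CASE. Final verdict: Positive
03 May 2012 03:06:26 (GMT +02:00)  Message 9 aborted: Dropped by CASE
"""

LINE_RE = re.compile(r"^\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} \(GMT [+-]\d{2}:\d{2}\)\s+(.*)$")
MID_RE = re.compile(r"\bmessage (\d+)\b", re.IGNORECASE)

# Assumed mapping: phrase in the log line -> disposition label (labels are ours).
RULES = [
    ("to local Spam Quarantine", "local_quarantine"),
    ("to offbox Spam Quarantine", "central_quarantine"),
    ("delivered to external ISQ", "central_quarantine"),
    ("aborted: Dropped by CASE", "dropped_by_antispam"),
]

def classify(log_text):
    """Return {mid: disposition} for every message seen in the log."""
    result = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # skip blank lines and wrapped fragments
        event = line.group(1)
        mid = MID_RE.search(event)  # first "message N" on the line is the MID
        if not mid:
            continue
        key = int(mid.group(1))
        result.setdefault(key, "no_quarantine_event")
        for phrase, disposition in RULES:
            if phrase in event:
                result[key] = disposition
    return result

def still_local(dispositions):
    """MIDs that landed in the on-box quarantine instead of the M-series."""
    return sorted(m for m, d in dispositions.items() if d == "local_quarantine")

if __name__ == "__main__":
    found = classify(SAMPLE_LOG)
    print(found, "still local:", still_local(found))
```

Any MID returned by `still_local` after the change indicates the appliance is still routing to its own quarantine.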

Good to know, and glad you figured it out, we will be doing something similar with our C660 and our M650. 

Do you have the steps you need to take on both appliances to make this work?