Incoming mail policy for porn mail

araudevain
Level 1

Hi,

A lot of pornographic mails are passing through our C370 and users send them back to me in a special mailbox.

I would like to create an incoming mail policy and add all the incoming domains of the pornographic mail to drop them afterwards.

I think it's going to be a long list of domains after a while, and I was wondering if the C370 was going to be able to handle this and also if that was a good way to do it.

Any advice?

Thank you

Arnaud

Accepted Solutions

Hello Arnaud,

You should be able to do this without too much difficulty; however, that is going to depend on how many domains you're talking about. Placing the domains or a list of domains into a policy as you described would not create any form of extreme load on the appliance; however, if you have a very large list containing hundreds of domains, this could become somewhat difficult to manage. The bigger question to ask here is why are the messages getting in to start with. It would be much more advantageous to let the appliance do the work for you. While image analysis does exist, this method of scanning is somewhat new, so relying upon that alone may not be the best option. Typically the messages that include this type of media originate from IP addresses that already have a poor SBRS score. These messages also typically include content that would be flagged as spam.

I would recommend a review of the messages you're seeing using the mail logs and the message data, as well as your configuration. If this is not due to a configuration issue and your antispam signatures are up to date, the next step would be getting copies of these messages submitted to us for further analysis.

How do I report IronPort Anti-Spam false positives or missed spam?

To send a missed spam or message incorrectly marked as "not-spam" email to IronPort Systems for examination, there are a number of ways to submit messages.

  • Preferred: Use the Outlook plug-in or Lotus plug-in, found on the Cisco IronPort Email Security Page.
  • For customers using clients other than Microsoft Outlook, go to your email program and follow the instructions to attach the email as an RFC-822 MIME encoded attachment. See article 472.
  • (NOTE: All submitted messages must be in the RFC 822 format and ONLY that format. Any other formats (such as S/MIME) are currently not compatible with the submission tool.)

Note: Unless submitted through a plug-in (MS Outlook, not MS Outlook Express), messages forwarded must be RFC-822 compliant attachments. Forwards of previously forwarded messages cannot be processed at this time.

Each message is reviewed by a team of human analysts and used to enhance the accuracy and effectiveness of the product.

Once we receive submissions from a customer or from other sources, these messages are passed through automated classification systems that make use of our latest rule set. If these messages are tagged by the new rule-set as spam, they are classified as such. Due to a delay in receiving samples and generating rules, many of the missed-spam messages usually have rules published between the time they are received by our customers and reported to us.

There are some messages that are part of new spam trends or new variants that are sufficiently different or new spam strains that are not classified by automated systems. Basically, any messages that are held for classification due to some mitigating factors are held for human review. We attempt to get to these messages within 2-3 hours of them being ingested into the corpus.

Note: Although every report sent as an RFC-822 attachment to this address will be reviewed, most submissions will not receive an actual physical reply from IronPort.

Christopher C Smith
CSE

Cisco IronPort Customer Support 
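
The RFC-822 attachment requirement described in the answer above, as an added Python example that is not part of the original post or any Cisco tooling: it wraps a missed-spam message, headers intact, as a `message/rfc822` attachment and rejects the two cases the answer says cannot be processed (S/MIME and forwards of forwards). The submission address is a placeholder because the thread does not give it; the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Placeholder: the real submission address is not given in the thread.
SUBMISSION_ADDRESS = "missed-spam@submission.example"

# Constructed sample of a missed-spam message as it arrived (full headers kept).
SAMPLE_RAW = (
    b"Received: from mx.sender.example (192.0.2.10) by esa.corp.example\r\n"
    b"From: offers@sender.example\r\n"
    b"To: user@corp.example\r\n"
    b"Subject: constructed missed-spam sample\r\n"
    b"Message-ID: <constructed-0001@sender.example>\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Body of the unwanted message.\r\n"
)

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def check_submittable(raw: bytes) -> list:
    """Return reasons the message should not be submitted (empty list = OK)."""
    msg = message_from_bytes(raw, policy=policy.default)
    problems = []
    if msg.get_content_type() in SMIME_TYPES:
        problems.append("S/MIME message: not compatible with the submission tool")
    # An embedded message/rfc822 part means this is already a forward.
    if any(p.get_content_type() == "message/rfc822" for p in msg.walk()):
        problems.append("already a forward: forwards of forwards cannot be processed")
    return problems


def build_submission(raw: bytes, reporter: str) -> EmailMessage:
    """Wrap the original message, headers intact, as a message/rfc822 attachment."""
    original = message_from_bytes(raw, policy=policy.default)
    outer = EmailMessage()
    outer["From"] = reporter
    outer["To"] = SUBMISSION_ADDRESS
    outer["Subject"] = "Missed spam sample"
    outer.set_content("Missed spam sample attached in RFC 822 format.")
    # Passing a message object makes the attachment Content-Type message/rfc822.
    outer.add_attachment(original)
    return outer


if __name__ == "__main__":
    print(build_submission(SAMPLE_RAW, "admin@corp.example").as_string())
```

Keeping the original `Received` headers inside the attachment is what lets the sending IP, and therefore its reputation, be examined; an inline forward from a mail client discards them.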

Christopher,

Thanks for your answer.

I think I might use content filters associated with a dictionary containing specific words found in pornographic mails.

Thanks

Regards

Arnaud