I am receiving TONS of complaints since upgrading to 9.6.0-051 that SPAM is being allowed through dramatically. I am lowering the SPAM thresholds for our clients (MAIL POLICIES) all the time now (and we have hundreds of clients).
Has anything happened with the latest release of AsyncOS that has screwed up the SPAM scanning engine or is there something new that needs to be done? This is crazy how much SPAM is getting through now.
Which version were you running before? I would suggest opening a TAC ticket as soon as possible, and submitting as much missed spam as you can. You can either use the Outlook Plugin to submit, or you can send missed spam as an attachment to email@example.com. Please don't just forward messages, as that doesn't include the headers and connection information our spam analysis engines need.
9.6.0-049 (previous official release). I keep them updated as they are released to the general public. I already have a TAC case open. I was more wondering if something changed fundamentally with the SPAM scanning engines or the rules. I download the rules often when I see they are out of date even though they are set to download and apply every hour.
No, nothing changed - usually it wouldn't change between two minor revisions. I would suspect something went wrong with your rulesets - I'm just speculating here, you should really talk to TAC and potentially ask for escalation to an Escalation Engineer.
Normally I would agree with you except I already have a TAC case open and went through the SPAM ruleset and no issues were found.
What seems to be fixing the issue is changing the 80/40 (Positively/Suspect) to 70/30, but it's a pain to do for every client (over hundreds) on two clusters with the wonderful speed of the GUI (web frontend) taking 5 minutes to open each client.
That's definitely not normal behavior - make sure you get it thoroughly investigated and escalated as necessary. Reach out to your Cisco Security Consulting Systems Engineer for advice and monitoring of the ticket.
Thanks for your patience :)
TAC escalation did indeed find the SPAM CORE definitions were not in date EVEN though they show current in the GUI. Apparently they broke at point of upgrade and never actually applied since the upgrade even though they were going out to Cisco's site and pulling them down.
Thanks Cisco, another great job on your software!