Ironport receiving alot of emails

sarahddin (Level 1)

IronPort is receiving a lot of emails to a lot of users in the organization in a short period of time from a specific sender. The sender group matches SUSPECT in all ways, but some emails are quarantined and some emails are passing, as shown in message tracking. I have checked the suspect action, and by default they are sent to quarantine.

Why are these emails passing through?

4 Replies

Alvaro J Gordon-Escobar (Cisco Employee)

Hello Sarah,

The reason some of the samples are not quarantined and some are is not due to the Sender Group matching, but instead it is due to the spam verdict of the samples. Some were seen as clean (could not be identified as spam), and some were seen as suspect spam. The ones that made it were not identified as spam, while the others were suspect, so the unit sent them to the quarantine.

When you said, "the sender group matches suspect in all ways", this refers to the email entering the appliance: the actual SMTP session arriving at the doorway of the Cisco Email Security Gateway. The doorway to the unit has several sender groups; these Accept, Reject, Relay or TCPREFUSE the SMTP connections. The samples came in via the Suspect sender group, which accepts the emails, albeit throttled.

Once in the appliance, the emails are scanned by AS and AV (plus message and content filters, if those are enabled).

When you said, "i have checked the suspect action and by default are sent to quarantine. why are these emails passing through ??", this refers to what the antispam is configured to do when a sample is suspect. If it is spam positive, it would normally drop it; however, many customers choose to quarantine these and review them later. When the sample is suspect, by default it will be sent to the quarantine. The --Suspect-- verdict by Antispam and the --Suspect sender group matching-- are not related. So, while they all came in via the suspect sender group, not all were found to be spam suspect by the antispam engine.

Hope this clears it up.

Cheers,

-Alvaro
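The two decisions Alvaro separates above (the HAT sender-group match on the SMTP connection, then the per-message anti-spam verdict) can be modelled to show why one sender produces mixed outcomes in message tracking. This is an added illustration, not ESA/AsyncOS code: the sender-group names follow the appliance's conventional ones, but the SBRS ranges, spam-score thresholds and the sample burst are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class SpamVerdict(Enum):
    NEGATIVE = "negative"   # scanned clean, not identified as spam
    SUSPECT = "suspect"
    POSITIVE = "positive"


# Stage 1: Host Access Table. The sender group is chosen from the connecting
# host's reputation score (SBRS) at session time. Ranges are constructed for
# this example and are not the appliance defaults.
HAT = [
    # (sender group, sbrs_low, sbrs_high, mail flow policy)
    ("BLACKLIST", -10.0, -3.0, "BLOCKED"),
    ("SUSPECTLIST", -3.0, -1.0, "THROTTLED"),
    ("UNKNOWNLIST", -1.0, 10.0, "ACCEPTED"),
]

# Stage 2: anti-spam action per verdict, as configured in the incoming mail
# policy (suspect -> quarantine is the default the question refers to).
SPAM_ACTIONS = {
    SpamVerdict.NEGATIVE: "deliver",
    SpamVerdict.SUSPECT: "quarantine",
    SpamVerdict.POSITIVE: "drop",
}


@dataclass
class Message:
    sender: str
    sbrs: float          # reputation of the connecting host
    spam_score: float    # constructed engine score for this message body


@dataclass
class TrackingRecord:
    sender: str
    sender_group: str
    policy: str
    verdict: Optional[SpamVerdict]   # None when rejected before scanning
    final_action: str


def match_sender_group(sbrs):
    """Stage 1: first HAT entry whose SBRS range contains the score."""
    for group, low, high, policy in HAT:
        if low <= sbrs < high:
            return group, policy
    return "ALL", "ACCEPTED"


def scan(spam_score):
    """Stage 2: per-message verdict. Thresholds are constructed; the real
    engine's scoring is not public."""
    if spam_score >= 90:
        return SpamVerdict.POSITIVE
    if spam_score >= 50:
        return SpamVerdict.SUSPECT
    return SpamVerdict.NEGATIVE


def process(msg):
    """Run one message through both stages and return a tracking-style record."""
    group, policy = match_sender_group(msg.sbrs)
    if policy == "BLOCKED":
        # Session refused at the doorway; the body is never scanned.
        return TrackingRecord(msg.sender, group, policy, None, "rejected at SMTP")
    verdict = scan(msg.spam_score)
    return TrackingRecord(msg.sender, group, policy, verdict, SPAM_ACTIONS[verdict])


def outcomes_by_sender(records):
    """Count final actions per sender. One sender, one sender group, mixed
    actions is exactly the pattern reported in the thread."""
    summary = {}
    for r in records:
        per = summary.setdefault(r.sender, {})
        per[r.final_action] = per.get(r.final_action, 0) + 1
    return summary


# Constructed burst: same sender and reputation, message bodies score differently.
SAMPLE_BURST = [
    Message("bulk@sender.example", -2.1, 20.0),
    Message("bulk@sender.example", -2.1, 65.0),
    Message("bulk@sender.example", -2.1, 30.0),
    Message("bulk@sender.example", -2.1, 95.0),
]

if __name__ == "__main__":
    records = [process(m) for m in SAMPLE_BURST]
    for r in records:
        print(r)
    print(outcomes_by_sender(records))
```

Every message in the burst matches SUSPECTLIST, yet two are delivered, one is quarantined and one is dropped, because the sender group only decides whether and how fast the session is accepted; the anti-spam verdict is taken per message afterwards. Lowering the host's SBRS into the BLACKLIST range (the effect of the sample submissions and SenderBase sharing discussed later in the thread) moves the decision to stage 1 and the session is refused before any body is scanned.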

Thank you Alvaro, you understood me correctly; I agree with what you wrote.

That's true, not all were found to be spam suspect by the antispam engine; sometimes the scanning was negative and sometimes suspect for the same sender, even though antispam is enabled for all incoming mail policies. Is it a missed spam issue that I should submit?

Hi Sarah,

Yes, I would submit the samples to spam@access.ironport.com. If the samples were truly spam, then please send them to us. Also, enable SenderBase sharing. This will help to lower the SBRS of the sender to push it to negative, and just block the session as it connects to the appliances.

email.example.com> senderbaseconfig

Share limited data with SenderBase Information Service: Disabled

Choose the operation you want to perform:

- SETUP - Configure SenderBase Network Participation settings

[]> setup

Do you want to share statistical data with the SenderBase Information

Service (recommended)? [Y]>

Submitting samples to Cisco-- Missed Spam, or False Positives

Article #471: How do I report Cisco IronPort Anti-Spam false positives or missed spam? Link: http://tools.cisco.com/squish/Fd51F

Cheers,

Alvaro

Thanks a lot for the help, I will do so.

Regards