Phishing protections in ESA

We had a recent incident that spurred questions about what the IronPort X1070 ESAs can do for us to mitigate the flow of phishing emails being received by our customers. One such example is included from our logs below. In particular, two lines indicate that it was identified as phishing:

Info: MID 219519484 Outbreak Filters: verdict positive
Info: MID 219519484 Threat Level=2 Category=Phish Type=Phish


Our Outbreak filters are set at the recommended default of 3. Is that why this wasn't acted upon? We use the Anti-Spam filtering for incoming email and tag threats with a special header so that such messages are sent to an Exchange user's Junk folder, or detected and flagged as spam by clients. However, there are no specific options for phishing threats under the Anti-Spam Settings.

We are not employing URL filtering at this time.

I have looked over the user guide, config and advanced config guides but I am not finding what I consider to be an optimal solution for our environment. Ideally, we might want to tag the messages with a special header, like we do with spam. Can you make some suggestions on how we might use the ESAs to deal with the phishing emails, starting with analyzing how we could have addressed the example provided?

Thanks,

Tim

Accepted Solutions
Cisco Employee

Outbreak Filters defaults to Threat Level = 3, but can be adjusted from 1 to 5. 5 is the least aggressive setting while 1 is the most aggressive.

Setting it to a 2 or 1 would have caused OF to act upon the message, but this sets the feature to a more aggressive mode, which means you may have more false positives.

Thanks,

Raymond
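To make the threshold arithmetic in Raymond's answer concrete, here is an added example (not part of the original thread and not Cisco code) that correlates the two Outbreak Filters log lines per MID, as in the log excerpt in the question, and reports whether OF would have acted at a given threshold. The log lines are constructed to match the format shown above, not real data; the rule applied is the one the answer states: OF acts when the message's Threat Level is at or above the configured level, so a level-2 message is missed at the default 3 and caught at 2 or 1.

```python
import re

# Constructed sample log lines in the format shown in the post (not real data).
SAMPLE_LOG = """\
Info: MID 219519484 Outbreak Filters: verdict positive
Info: MID 219519484 Threat Level=2 Category=Phish Type=Phish
Info: MID 219519485 Outbreak Filters: verdict positive
Info: MID 219519485 Threat Level=4 Category=Phish Type=Phish
Info: MID 219519486 Outbreak Filters: verdict negative
"""

VERDICT_RE = re.compile(r"MID (?P<mid>\d+) Outbreak Filters: verdict (?P<verdict>\w+)")
THREAT_RE = re.compile(
    r"MID (?P<mid>\d+) Threat Level=(?P<level>\d) "
    r"Category=(?P<category>\S+) Type=(?P<type>\S+)"
)


def parse_outbreak_log(text):
    """Correlate the verdict line and the Threat Level line of each MID
    into one record keyed by MID."""
    records = {}
    for line in text.splitlines():
        m = VERDICT_RE.search(line)
        if m:
            records.setdefault(m["mid"], {})["verdict"] = m["verdict"]
            continue
        m = THREAT_RE.search(line)
        if m:
            rec = records.setdefault(m["mid"], {})
            rec["level"] = int(m["level"])
            rec["category"] = m["category"]
            rec["type"] = m["type"]
    return records


def would_act(level, threshold):
    """Outbreak Filters act when the message's threat level is at or above
    the configured threshold: 1 is the most aggressive setting (acts on any
    scored message), 5 the least aggressive (acts only on level-5 messages)."""
    if not 1 <= threshold <= 5:
        raise ValueError("Outbreak Filters threshold must be between 1 and 5")
    return level >= threshold


def triage(text, threshold=3):
    """For every MID with a positive verdict, report whether OF would have
    acted at `threshold` and which thresholds would have caught it."""
    result = {}
    for mid, rec in parse_outbreak_log(text).items():
        if rec.get("verdict") != "positive" or "level" not in rec:
            continue  # negative verdicts never carry a threat level to act on
        result[mid] = {
            "level": rec["level"],
            "category": rec["category"],
            "acted": would_act(rec["level"], threshold),
            "catching_thresholds": [t for t in range(1, 6) if would_act(rec["level"], t)],
        }
    return result


if __name__ == "__main__":
    # With the default threshold of 3 the level-2 phish from the question
    # is reported as not acted upon; only a threshold of 1 or 2 catches it.
    for mid, r in triage(SAMPLE_LOG, threshold=3).items():
        print(mid, r)
```

Running this over a day's mail_logs with the threshold you are considering gives a quick count of how many additional messages a lower setting would have acted on, which is the false-positive trade-off the answer warns about.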

Thanks, Raymond. That was my understanding as well.
