cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.2-020
Cloud Gateway Email Status Portal Support & Downloads docs.ces.cisco.com
Email and Web Manager: 14.1.0-239
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in: 1.1.0.136
Encryption Bug Search
Encryption Plug-in: 1.2.1.167
Cloud Mailbox Notification Service
Outlook Add-in(s): More info

1969
Views
0
Helpful
1
Replies
john-copeland
Beginner

Spam email only quarantined by content filter not in ISQ

We have our C360 set up to quarantined positively identified spam. We also have various content filters.

Recently we have been getting emails which are positively identified as spam (as per message tracking), but they are then passed for processing to our content filters and match a content filter for adult content. The email is quarantined in our 'Adult' quarantine but not in the ISQ (Ironport Spam Quarantine).

Is this the expected action?

I thought that any email positively identified as spam would be quarantined in the ISQ and proceed no further, but it seems that email positively identified as spam is only quarantined in the ISQ if it does not match any other content filter.

This has the effect of sending out notification emails (as per our content filter setting) advising users that the spam email has been quarantined. We do not want to send notifications out for spam emails received

Is this is the usual chain of events? If I change the spam settings to drop positively identified spam will this prevent any further processing to content filters?

Any advice would be appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
Andreas Mueller
Enthusiast

Hello John,

yes this is expected behavior, after scanning a message for spam and viruses the message will still go trough the normal workqueue. In your case I'd recommend the following:

1. Edit the Antispam settings in your mail policies. Set

'Positively-Identified Spam Settings' > 'Apply This Action to Message' to deliver.

2. Set 'Add Custom Header' to 'X-Ironport-Quarantine'.  The value can be anything. (i.e. True)

3. Create a Content Filter checking for this header, and if it exists, skip all following filters (Deliver). Or modify your existing filter not to match when that header exists.

Background:  Any message containing a X-Ironport-Quarantine header will be delivered to the spam quarantine instead the recipient destination. A quiet common way to redirect messages to that quarantine with a filter.

Hope that helps,

Andreas

View solution in original post

1 REPLY 1
Andreas Mueller
Enthusiast

Hello John,

yes this is expected behavior, after scanning a message for spam and viruses the message will still go trough the normal workqueue. In your case I'd recommend the following:

1. Edit the Antispam settings in your mail policies. Set

'Positively-Identified Spam Settings' > 'Apply This Action to Message' to deliver.

2. Set 'Add Custom Header' to 'X-Ironport-Quarantine'.  The value can be anything. (i.e. True)

3. Create a Content Filter checking for this header, and if it exists, skip all following filters (Deliver). Or modify your existing filter not to match when that header exists.

Background:  Any message containing a X-Ironport-Quarantine header will be delivered to the spam quarantine instead the recipient destination. A quiet common way to redirect messages to that quarantine with a filter.

Hope that helps,

Andreas

Create
Recognize Your Peers
Content for Community-Ad