I'm trying to figure out how to handle a case that I have here with Spam Quarantine and invalid-recipient.
Basically, when a mail is sent to an invalid recipient, my IronPort boxes drop it (using SMTP routes to /dev/null) for non-existing aliases.
But when this particular piece of mail contains spam, it gets to Spam Quarantine before being dropped. And now, my Spam Quarantine contains 1.5M emails and is sending more than 180k mail notifications to, most of the time, invalid users.
Are there ways besides LDAP recipient checking to drop this kind of message?
I checked the Trace message option, and it looks like the website sending this DHA has a bad reputation. They are in my Throttled policy.
What is the recommended setting for invalid recipients per hour for this kind of policy? Obviously, I'd like to drop the maximum amount of email coming from this IP.
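Added example (not part of the original post, and not Cisco's code): a small script that measures how many invalid recipients each sending IP actually produces per clock hour, which is the number a "max invalid recipients per hour" Directory Harvest Attack threshold in a mail flow policy is compared against. The log format below is a constructed, simplified one (timestamp, source IP, recipient, accepted/invalid), not the appliance's real mail log syntax; the parsing regex would need adapting to the real logs. The idea is to run it over a real export, see what legitimate senders peak at, and set the threshold above that but below the harvesting host's rate.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an ASSUMED simplified format:
#   "<date> <time> <source_ip> RCPT <address> <accepted|invalid>"
# 203.0.113.7 probes several non-existent aliases in one hour (harvest-like);
# 198.51.100.9 makes a single typo (legitimate sender).
SAMPLE_LOG = """\
2024-03-01 10:02:11 203.0.113.7 RCPT alice@example.com accepted
2024-03-01 10:02:12 203.0.113.7 RCPT zzq1@example.com invalid
2024-03-01 10:02:12 203.0.113.7 RCPT zzq2@example.com invalid
2024-03-01 10:02:13 203.0.113.7 RCPT zzq3@example.com invalid
2024-03-01 10:40:00 203.0.113.7 RCPT zzq4@example.com invalid
2024-03-01 11:05:00 203.0.113.7 RCPT zzq5@example.com invalid
2024-03-01 10:15:00 198.51.100.9 RCPT bob@example.com accepted
2024-03-01 10:16:00 198.51.100.9 RCPT bobb@example.com invalid
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) RCPT (\S+) (accepted|invalid)$")


def parse_line(line):
    """Parse one constructed-format line; return (timestamp, ip, address, status) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def invalid_per_hour(log_text):
    """Return {source_ip: highest number of invalid recipients seen in any clock hour}."""
    buckets = defaultdict(int)  # (ip, hour-truncated timestamp) -> invalid count
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than aborting the report
        ts, ip, _addr, status = parsed
        if status == "invalid":
            hour = ts.replace(minute=0, second=0, microsecond=0)
            buckets[(ip, hour)] += 1
    peaks = defaultdict(int)
    for (ip, _hour), count in buckets.items():
        peaks[ip] = max(peaks[ip], count)
    return dict(peaks)


def senders_exceeding(log_text, threshold):
    """IPs whose peak hourly invalid-recipient count is above the candidate threshold."""
    return sorted(ip for ip, n in invalid_per_hour(log_text).items() if n > threshold)


if __name__ == "__main__":
    for ip, n in sorted(invalid_per_hour(SAMPLE_LOG).items()):
        print(f"{ip}: peak {n} invalid recipients/hour")
    print("would exceed a threshold of 3:", senders_exceeding(SAMPLE_LOG, 3))
```

On the constructed sample, 203.0.113.7 peaks at 4 invalid recipients in the 10:00 hour while 198.51.100.9 peaks at 1, so a threshold of 3 separates them; on real data the useful check is the gap between the highest legitimate peak and the lowest harvesting peak.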