Submit messages from IronPort

Is there a way to submit suspect messages to Cisco directly from IronPort? It can be difficult to get a copy of a suspect message for submitting to the various e-mail addresses, and it would be a lot more efficient if we could just submit from IronPort. 

 

Cheers

2 Replies

ppreenja
Cisco Employee
Hi BrianBrehart22083,

Unfortunately, we can't submit email samples from the IronPort appliance directly, as the appliance doesn't hold any copy of the email passing via the appliance, and there are only the three methods below to submit email samples to Cisco:

Cisco Email Security Plug-in
Cisco Email Submission and Tracking Portal
Direct Email Submission

Please refer to the links below for more details:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/214133-how-to-submit-email-messages-to-cisco.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200648-ESA-FAQ-How-to-work-with-Cisco-Email-Su.html

However, for the messages in the spam quarantine you get the option below:
"Notify Cisco Upon Message Release: [ ] Send a copy of released messages to Cisco for analysis(recommended)"

There is a checkbox option that you need to select so that when emails are released from the spam quarantine, a copy is directly submitted to Cisco.

I hope the above information helps!

Cheers,
Pratham

Doug Maxfield
Level 1
If you are talking about a spam message, you can turn on an option that will save a copy in the ASARCHIVE directory. Then all you need to do is open a TAC with the message tracking and enable Remote Access. Then they can connect to your appliance/cloud environment and get a copy of the message to send to TALOS. See attachment.