
Couple of questions relating to Outgoing Mail and SPAM filtering

Jason Meyer
Level 1

In the SPAM threshold settings, what are the 'default' values equal to?  I'm currently sitting at 89 for Suspected and 100 for Positive and still seeing false positives for Outgoing SPAM.

If I set the Outgoing policy to quarantine detected SPAM, who gets the notification?  The recipient, an external to our organization user?

Jason


Stephan Bayer
Cisco Employee

The defaults are 50/Suspect and 90/Spam.

Notification is not enabled by default; you will have to set up a content filter to be notified.

If you are trying to stop all messages from being delivered, I'd recommend a content filter with an action of "drop" applied to a new mail policy that includes the problem senders. Then place that mail policy before the default policy.

Regards,

Stephan

Thanks for the 50/Suspect and 90/Spam defaults.

I'm not asking how to enable notifications, I'm asking for outbound e-mails, WHO do the notifications go to?

On incoming traffic, Notifications go to the recipients, internal users.

On Outgoing, does it go to the Sender?  The Recipient in most situations will be an external user.

Jason,

For outgoing mail there will be no spam notifications unless you set them up.

Go to Outgoing Mail Policies, check the AntiSpam action on default mail policy. On mine I show an action of "quarantine" for "positively identified spam".

Check Suspect Spam

Check Marketing Mail

Repeat for your other outgoing mail policies

Then check your Quarantine Notification Settings

Quarantine Notification

  1. Set the End-User Authentication under Monitor->Spam Quarantine->Spam Quarantine to "None"
  2. Enable Spam Notifications in the same page

Doing this would enable the notifications at the scheduled time. The notification will be sent to the end-users and will have a link to the user's quarantine. Clicking on the link would not need any authentication and can release messages from there.

Notifications will be sent only to those people who have received new spam emails in their end user quarantine.

I hope this helps.


Stephan

In the example above, the recipient will not get notified. The sender of the positive spam will...

Jason,

For outbound email, when Outgoing Mail Policy is configured to quarantine messages with Anti-Spam engine, the notification (once enabled in the Quarantine settings and scheduled to be sent) will reach the recipient's inbox.

I believe you understand that if the external user cannot access the Web UI (Quarantine) on your ESA (due to firewall rules, for instance), then delivering the ISQ notification to the external user will be in vain.

I hope this helps. If so, please consider marking this question as answered.

-Valter

So reading all of this, I think it may be better to just bounce detected SPAM to the Sender on the Outgoing mail flow.  In most situations this is an internal sender.  I do have some domains being forwarded from one system to another via outbound policies but I think I could write content filters to get around those.

Basically I just want to scan outbound e-mails (due to compromised accounts) and I want my internal users to be notified when mail they are sending is stopped.

I would think it would make more sense in a general configuration to notify senders on outgoing mail that is detected as SPAM.   Any chance of getting this changed or added as a configurable parameter?

Jason,

I personally don't like notifying users (internal or external) but it is your call. If you believe they will understand the notification and take correct actions it may be worth trying.

You could, for instance, insert a header (for outbound messages) and during anti-spam scanning. Then later, in the content filters, you can check for the existence of that header and that will trigger a notification action, to whoever you want (sender, recipient, both, admins and so on).

I would advise you test this with specific users, or test users, before putting on production.

I hope this helps.

-Valter

In my environment I like to notify my internal users (18k) if I stopped their e-mail for any reason.  I agree I don't want to notify external users of issues that they can't resolve anyway.

I still think by default, outgoing mail that is detected/quarantined as SPAM should notify the SENDER.  In most situations that will be an internal user.  It could even just go to the same Quarantine that the internal users already have access to.  I use LDAP calls with our Active Directory to give internal users access to the SPAM quarantine.

Thanks Valter.
