Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Scanning outbound e-mails for SPAM

Unanswered Question
Dec 5th, 2013
User Badges:

So I have started to scan outgoing e-mails for SPAM and am intermittantly getting e-mails stopped that are not SPAM.   I've slowly increased the thresholds and am currently sitting at 100 for positive spam and 89 for suspected spam and still e-mails are getting stopped.

I don't really want to turn outgoing SPAM filtering off completely but also don't want to have to manually release these miss identified e-mails every morning.

Any suggestions?

I run two C670s and move about 100k e-mails in and 100k e-mails out of our environment.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Nasir Abbas Sun, 12/08/2013 - 16:21
User Badges:
  • Cisco Employee,

Hi Jason,

There can be number of factors and AntiSpam team can provide the further information regarding what is making those message false positives. I will suggest to open a case with TAC and send couple of samples messages to [email protected].

You can also select the auto send a copy to AntiSpam portal by changing the configuration in GUI -> Quarantine -> Click edit  settings.

We will escalate the case to AntiSpam team.

Hope that information helps.



exMSW4319 Tue, 01/07/2014 - 09:39
User Badges:

Jason, I would be interested to hear if there is any malice involved. Do you have internal recipients trying to actually spam, or are they simply forwarding mails (possibly released from quarantine) to their home addresses or close friends? The fact that you are releasing them would rather suggest the latter.

If so, remember that you can make responses to your internal community that you can't to the external community. Automated responses that we would consider backscatter could be quite helpful to your internal recipients. At the very least, if Cisco can't adjust CASE to your liking then you might be able to brush the problem under the carpet with an automated "this e-mail breaks {organisation} policy - please re-draft".

I have a similar problem in the opposite direction with spam forwarded in from home addresses, but the mails simply sit in a quarantine until they are flushed. The recipients don't come looking for them, and I currently have a zero percent complaint rate on that score.

Jason Meyer Tue, 01/28/2014 - 11:23
User Badges:

NO malice is involved.  They are simple e-mails, often times with links to URLs that are legitimate. 

Sometimes they are forwards of [Suspected SPAM] that is allowed into their mailbox to an external recipient, this I can understand getting blocked, but a manually created e-mail with a few links to legitimate web sites I don't understand.

If the information isn't sensitive I will begin reporting them to the HAM address, often times it is sensitive.

Was just looking for what others were seeing and if outgoing spam scanning is on by default?

exMSW4319 Sat, 02/08/2014 - 13:29
User Badges:

Speaking for myself:

CASE: off

Outbreak: off

AV \ Repair: deliver*

AV \ Encrypted or Unscannable: quarantine

AV \ Infected: drop*

Content Rules: well, yeah - hand-rolled especially for Outgoing policy table

DLP: wossat?

* pretty sure I should have put tripwire notifications in these places


This Discussion