Scanning outbound e-mails for SPAM

Jason Meyer
Level 1

So I have started to scan outgoing e-mails for SPAM and am intermittently getting e-mails stopped that are not SPAM. I've slowly increased the thresholds and am currently sitting at 100 for positive spam and 89 for suspected spam and still e-mails are getting stopped.

I don't really want to turn outgoing SPAM filtering off completely but also don't want to have to manually release these misidentified e-mails every morning.

Any suggestions?

I run two C670s and move about 100k e-mails in and 100k e-mails out of our environment.

4 Replies

Nasir Abbas
Cisco Employee

Hi Jason,

There can be a number of factors, and the AntiSpam team can provide further information regarding what is making those messages false positives. I would suggest opening a case with TAC and sending a couple of sample messages to ham@access.ironport.com.

You can also choose to automatically send a copy to the AntiSpam portal by changing the configuration in GUI -> Quarantine -> click Edit Settings.

We will escalate the case to the AntiSpam team.

Hope that information helps.

Thanks

Nasir

exMSW4319
Level 3

Jason, I would be interested to hear if there is any malice involved. Do you have internal recipients trying to actually spam, or are they simply forwarding mails (possibly released from quarantine) to their home addresses or close friends? The fact that you are releasing them would rather suggest the latter.

If so, remember that you can make responses to your internal community that you can't to the external community. Automated responses that we would consider backscatter could be quite helpful to your internal recipients. At the very least, if Cisco can't adjust CASE to your liking then you might be able to brush the problem under the carpet with an automated "this e-mail breaks {organisation} policy - please re-draft".

I have a similar problem in the opposite direction with spam forwarded in from home addresses, but the mails simply sit in a quarantine until they are flushed. The recipients don't come looking for them, and I currently have a zero percent complaint rate on that score.

NO malice is involved.  They are simple e-mails, often times with links to URLs that are legitimate. 

Sometimes they are forwards of [Suspected SPAM] that is allowed into their mailbox to an external recipient, this I can understand getting blocked, but a manually created e-mail with a few links to legitimate web sites I don't understand.

If the information isn't sensitive I will begin reporting them to the HAM address, often times it is sensitive.

Was just looking for what others were seeing and if outgoing spam scanning is on by default?

Speaking for myself:

CASE: off

Outbreak: off

AV \ Repair: deliver*

AV \ Encrypted or Unscannable: quarantine

AV \ Infected: drop*

Content Rules: well, yeah - hand-rolled especially for Outgoing policy table

DLP: wossat?

* pretty sure I should have put tripwire notifications in these places