Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Block or Quarantine e-mail from Social Networks

Is there some option how can I block all e-mail messages from all knows Social Networks (facebook, google+, infoaxe, myspace...)

Or at least all auto sended e-mail like

Is xyz@xyz.xx you friend...


xyz@xyz.xx has indicated you're a frined. Accept?

and so on




I lower spam filter on Suspected Spam score 40 and it doesent catch them.

How to block this kind of SPAM messages?

Also how to block low volume SPAM messages from gmail that are selling things and self promotions?

Cisco Employee

Block or Quarantine e-mail from Social Networks

Hello Juraj,

Have you tried to enable marketing mail?

Marketing Email is a mode of promoting products and services via Email. Even though marketing messages are not considered spam, your organization or end-users may not want to receive them. Marketing messages are messages that are NOT Spam, do NOT contain Email transactions and does NOT reflect communication between parties. Example of a Marketing message is an Airline promoting their products and services via an Email but an Airline confirmation email to a user is not a marketing message.

What is Marketing Detection and How it works?

In AsyncOS 7.0.x for Email and above Cisco IronPort has introduced a new feature Unwanted Marketing Message Detection. When enabled along with IronPort Anti-Spam or IronPort Intelligent Multi-Scan this feature can distinguish between Spam and Unwanted Marketing Messages. Like spam, you have the option to deliver, drop or bounce unwanted marketing messages. You also have the option to tag unwanted marketing messages by adding text to the message’s subject to identify it as marketing.

The Unwanted Marketing Message Detection feature in AsyncOS for Email can be configured via Per Recipient Policies for Anti-Spam. The Marketing Detection feature like Anti-Spam configuration allows you to drop, deliver or bounce after a message is detected as Marketing Email. For better detection and low False Positive rate it is highly recommended to use the "Tag and Deliver" action after a message is detected as Marketing Email by IronPort Anti-Spam or IronPort Intelligent Multi-Scan.

Cisco IronPort highly recommends customers to take advantage of this new Marketing Detection feature to detect Unwanted Marketing Email and enhance the end user Email experience.

How do you enable it?

    Go to Mail Policies -> Incoming Mail Policies

    Select the link under Anti-Spam for your Default mail policy

    Under 'Marketing Email Settings' select 'Yes' for 'Enable Marketing Email Scanning'

    Select the desired action under 'Apply This Action to Message'

    Submit your changes

    Repeat steps 2 to 5 for any other applicable mail policies.

    Commit your changes.

Community Member

Block or Quarantine e-mail from Social Networks


Yes, I have already configure spam, marketing, suspious options per recipient policy (this is only active on few e-mail addresses). With this all auto mail from facebook, google+... are still passing by. 

Policy: Use IronPort Anti-Spam service

Positively-Identified Spam Settings -> SPAM Quarantine

Suspected Spam Settings -> SPAM Quarantine

Marketing Email Settings -> SPAM Quarantine

Spam Thresholds -> Positevly Identified Spam Score: 80, Suspected Spam Score: 40

Community Member

Block or Quarantine e-mail from Social Networks

Here's what we do:

From the CLI, type filters

Type new

Then add the following:

no_facebook_mail: if (recv-listener == "IncomingMail") AND (mail-from == "")





Then commit.

Create a filter for each service.

Community Member

Block or Quarantine e-mail from Social Networks

No need for Message Filter.

I already created Per policy content filters beacuse this rules are not for all users, only for few public e-mail addresses.

I was just thinking that how Gmail created in his e-mail three tabs, one is general, second is Social Networks and third are promotional. If Google know how to recongize them it would be interesting feature in e-mail appliance.

So I was thinking that it would be nice to have a rule where you can chose if email comes from Social Network than do whatever you want to do.

This is current domains that I put on block list.

I'll change this rule so i'll use Dictionary where I'll populate  domains and e-mail senders (beacuse I populate this list every few  days).

1  Envelope Sender  mail-from == "" 

2  Envelope Sender  mail-from == "" 

3  Envelope Sender  mail-from == "" 

4  Envelope Sender  mail-from == "" 

5  Envelope Sender  mail-from == "" 

6  Envelope Sender  mail-from == "" 

7  Envelope Sender  mail-from == "" 

8  Envelope Sender  mail-from == "" 

9  Envelope Sender  mail-from == "" 

10  Envelope Sender  mail-from == "" 

11  Envelope Sender  mail-from == "" 

12  Envelope Sender  mail-from == "" 

13  Envelope Sender  mail-from == "" 

14  Envelope Sender  mail-from == "" 

15  Envelope Sender  mail-from == "" 

16  Envelope Sender  mail-from == "" 

17  Envelope Sender  mail-from == "" 

18  Envelope Sender  mail-from == "" 

19  Envelope Sender  mail-from == ""

20  Envelope Sender  mail-from == "" 

21  Envelope Sender  mail-from == "" 

One example of what I'm talking about.

Cisco Employee

Block or Quarantine e-mail from Social Networks

Thanks Doug and Juraj for your feedback.

I think Google calls the group of legitimate mail categories "Bacon".

I agree, it would be interesting to add another Social Marketing category to the ESA that addresses these types of messages.



CreatePlease to create content