Distribution Lists and Quarantine: Best Practices

Our users have gotten comfortable with their personal quarantines, but for those users managing internal distribution lists, logging into the quarantine for the DL is an issue. We are considering creating a new policy for DLs.

Our current policy for users is

Positive SPAM – Drop

Suspect Spam – Quarantine

Viruses – Drop

Marketing – Quarantine and mark invisibly (tag in the headers)

For this new policy for distribution lists, we would:

Positive SPAM – Drop

Suspect SPAM – Mark visibly (in the Subject)

Viruses – Drop

Marketing – Mark Invisibly (in the headers)

Is this a reasonable approach?  Are there other (better?) options?

Thanks

Steve Moss

Pomona College

1 REPLY

No one has replied to this yet so I'll test the waters. That seems like a reasonable approach, where you have a slightly more open policy to avoid the quarantine. Exactly what you might want to do depends on your particular environment. Without knowing more, what you propose seems reasonable.

Here's a couple of things to think about...

1) Make sure that all DLs really need to be hit from the outside. If you can make a DL internal-only, that solves the problem quickly.

2) Obviously in an educational environment there is going to be quite a bit of concern about missed messages but I have always found the false positive rate from IPAS to be very low. Perhaps some DLs deal with financial information and need extra care but you might find that some DLs can have a tighter set of rules applied.

3) Consider the effect of spam/phishing messages now getting sent to multiple people instead of one so there is a bit of increased risk with DLs.

4) Try to use other data about the messages to help with the decision. Make sure SBRS scores are being used as they go a long way towards an accurate Spam/Ham decision. If you have a place that is a large volume sender of known good emails then consider using a more open policy for them so that you can use a more restrictive policy as a default.
