Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

ESA Deployment

Hi Community,

I have a client with an ESA as the first mail server coming from the Internet and last one on the path out.

This client is a University and the default ESA settings are not stopping much of the spam received.

What I would like to ask is any recommendations or reference to deploying the ESA in a University where the recipients are just too many and too dynamic to maintain in a list (LDAP), and any guidance or best practices.

Thank you very much,


Cisco Employee

ESA Deployment

Hi Federico,

Anti-Spam Best Practices

Adapted From

  1. Verify that inbound messages are being scanned by the antispam engine. Do a message track on a recent message and check that it was scanned.


- Search for the email in question

- Click the 'Show Details' link next to the email in question

Look for the Antispam engine (CASE) verdict. Example:

Thu Sep 12 13:21:09 2013 Info: MID 2359 interim verdict using engine: CASE spam negative
Thu Sep 12 13:21:09 2013 Debug: MID 2359 using engine: CASE definitely negative
Thu Sep 12 13:21:09 2013 Info: MID 2359 using engine: CASE spam negative

2. Verify that you are receiving anti-spam rule updates

  • Check to confirm that the most recent time stamps for updates under Security Services > Anti-Spam are from within the last 2 hours
3.      Make sure you are taking the desired actions on spam positive messages
  • Check the Inbound Mail Policies for how IronPort Anti-Spam verdicts are handled. Make sure SPAM positive and suspect messages are dropped or quarantined in the default policy, and that all other policies either use the default behavior or deliberately override the default.
4. Enable LDAP accept and Directory Harvest Attack Protection:
  1. Many spammers send emails to a high number of invalid addresses, so blocking senders who send to invalid recipients can also decrease spam.
  2. If LDAP accept is already on, make sure Directory Harvest Protection (DHAP) is also configured for each inbound listener with maximum invalid attempts between 5 and 10 per IP.
  3. Review the following article on LDAP Accept
How to use LDAP Accept Query to validate the recipients of inbound messages using Microsoft Active Directory (LDAP)?
Knowledge Base Answer ID: 156

5. Report mis-classified messages to IronPort.
6. Review the Daily Management Guides, AsyncOS Configuration Guide and AsyncOS Advanced Guide for additional info

Hope this helps.



Cisco Employee

ESA Deployment


You can also reach the PDI team for this kind of questions. PDI was developed to assist Cisco Partners on the Planning, Designing and Implementing phase.

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

Luis Silva "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
CreatePlease login to create content