996 Views | 0 Helpful | 2 Replies

ESA Deployment

Hi Community,

I have a client with an ESA as the first mail server coming from the Internet and last one on the path out.

This client is a University and the default ESA settings are not stopping much of the spam received.

What I would like to ask is any recommendations or reference to deploying the ESA in a University where the recipients are just too many and too dynamic to maintain in a list (LDAP), and any guidance or best practices.

Thank you very much,

Federico.

2 Replies

Stephan Bayer
Cisco Employee

Hi Federico,

Anti-Spam Best Practices

Adapted from https://ironport.custhelp.com/app/answers/detail/a_id/493

1. Verify that inbound messages are being scanned by the anti-spam engine. Do a message track on a recent message and check that it was scanned.

   - Go to MONITOR > MESSAGE TRACKING
   - Search for the email in question
   - Click the 'Show Details' link next to the email in question

   Look for the anti-spam engine (CASE) verdict. Example:

   Thu Sep 12 13:21:09 2013 Info: MID 2359 interim verdict using engine: CASE spam negative
   Thu Sep 12 13:21:09 2013 Debug: MID 2359 using engine: CASE definitely negative
   Thu Sep 12 13:21:09 2013 Info: MID 2359 using engine: CASE spam negative

2. Verify that you are receiving anti-spam rule updates.

   - Check to confirm that the most recent time stamps for updates under Security Services > Anti-Spam are from within the last 2 hours.

3. Make sure you are taking the desired actions on spam-positive messages.

   - Check the Inbound Mail Policies for how IronPort Anti-Spam verdicts are handled. Make sure spam-positive and suspect messages are dropped or quarantined in the default policy, and that all other policies either use the default behavior or deliberately override the default.

4. Enable LDAP Accept and Directory Harvest Attack Protection:

   a. Many spammers send emails to a high number of invalid addresses, so blocking senders who send to invalid recipients can also decrease spam.
   b. If LDAP Accept is already on, make sure Directory Harvest Protection (DHAP) is also configured for each inbound listener with maximum invalid attempts between 5 and 10 per IP.
   c. Review the following article on LDAP Accept:
      How to use LDAP Accept Query to validate the recipients of inbound messages using Microsoft Active Directory (LDAP)?
      Knowledge Base Answer ID: 156
      http://tools.cisco.com/squish/4680c

5. Report mis-classified messages to IronPort.

6. Review the Daily Management Guide, AsyncOS Configuration Guide and AsyncOS Advanced Guide for additional info:

   http://www.cisco.com/en/US/docs/security/esa/esa7.5/ESA_7.5_Daily_Management_Guide.pdf
   http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_Configuration_Guide.pdf
   http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_AdvancedGuide.pdf
   http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_CLI_Reference_Guide.pdf

Hope this helps.

Regards,

Stephan
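
Step 1 of the checklist above (confirm a message actually went through the CASE engine and read its verdict) is something an admin will repeat for many messages. The following Python script is an added example, not code from Stephan's reply or from Cisco: it parses mail_logs-style lines, keeps the final (non-interim, Info-level) CASE verdict per MID, and lists MIDs that appear in the log but never received a verdict. The first three sample lines are the ones quoted in the reply; the lines for MID 2360 and MID 2361, the ICID values and the sender addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of ESA mail_logs lines. The three MID 2359 lines are the
# ones quoted in the reply; MID 2360 / 2361, their ICIDs and senders are made up.
SAMPLE_LOG = """\
Thu Sep 12 13:21:09 2013 Info: MID 2359 interim verdict using engine: CASE spam negative
Thu Sep 12 13:21:09 2013 Debug: MID 2359 using engine: CASE definitely negative
Thu Sep 12 13:21:09 2013 Info: MID 2359 using engine: CASE spam negative
Thu Sep 12 13:22:41 2013 Info: MID 2360 ICID 81 From: <sender@example.net>
Thu Sep 12 13:22:42 2013 Info: MID 2360 interim verdict using engine: CASE spam positive
Thu Sep 12 13:22:42 2013 Info: MID 2360 using engine: CASE spam positive
Thu Sep 12 13:23:05 2013 Info: MID 2361 ICID 82 From: <other@example.org>
"""

# "<weekday> <month> <day> <time> <year> <Level>: MID <n> <rest of line>"
MID_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<level>\w+): MID (?P<mid>\d+) (?P<rest>.*)$"
)
# The part after "MID <n> " for anti-spam verdict lines.
CASE_RE = re.compile(r"^(?P<interim>interim verdict )?using engine: CASE (?P<verdict>.+)$")


def parse_lines(text):
    """Yield (level, mid, rest) for every MID line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = MID_RE.match(line.strip())
        if m:
            yield m.group("level"), int(m.group("mid")), m.group("rest")


def case_verdicts(text):
    """Return {mid: final CASE verdict}.

    The final verdict is the last non-interim Info-level CASE line for the MID.
    Debug lines such as 'CASE definitely negative' are engine internals and are
    ignored so that the result matches what Message Tracking shows.
    """
    verdicts = {}
    for level, mid, rest in parse_lines(text):
        c = CASE_RE.match(rest)
        if not c or c.group("interim") or level != "Info":
            continue
        verdicts[mid] = c.group("verdict")
    return verdicts


def unscanned_mids(text):
    """MIDs present in the log that never received a final CASE verdict.

    A non-empty result means some inbound mail bypassed anti-spam scanning,
    which is the condition step 1 of the checklist is meant to catch.
    """
    seen = {mid for _, mid, _ in parse_lines(text)}
    return sorted(seen - set(case_verdicts(text)))


def verdict_summary(text):
    """Count final verdicts, e.g. Counter({'spam negative': 1, 'spam positive': 1})."""
    return Counter(case_verdicts(text).values())


if __name__ == "__main__":
    print("verdicts:", case_verdicts(SAMPLE_LOG))
    print("not scanned:", unscanned_mids(SAMPLE_LOG))
    print("summary:", verdict_summary(SAMPLE_LOG))
```

Run it against a real mail_logs export by replacing SAMPLE_LOG with the file contents; any MID reported by unscanned_mids that is an inbound message deserves a look at the listener and mail-policy configuration.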

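Step 4 of the checklist recommends DHAP with 5 to 10 maximum invalid recipient attempts per IP. To show what that threshold does against a harvesting pattern versus an ordinary typo, here is an added, simplified Python model of the counting logic; it is not Cisco's implementation and does not model what the appliance does once the limit is hit (that is left to the listener configuration). The event stream, IP addresses and recipient addresses are constructed; the "valid?" flag stands in for the result of an LDAP Accept query.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of recipient-validation events as an LDAP Accept query
# would yield them: (timestamp, connecting IP, recipient, recipient exists?).
# Not ESA log output; all IPs and addresses are made up.
EVENTS = [
    ("2013-09-12 13:00:00", "203.0.113.7",  "alice@uni.example", True),
    ("2013-09-12 13:00:05", "203.0.113.7",  "aaaa@uni.example",  False),
    ("2013-09-12 13:00:06", "203.0.113.7",  "aaab@uni.example",  False),
    ("2013-09-12 13:00:07", "203.0.113.7",  "aaac@uni.example",  False),
    ("2013-09-12 13:00:08", "203.0.113.7",  "aaad@uni.example",  False),
    ("2013-09-12 13:00:09", "203.0.113.7",  "aaae@uni.example",  False),
    ("2013-09-12 13:00:10", "203.0.113.7",  "aaaf@uni.example",  False),  # 6th invalid in 10 s
    ("2013-09-12 13:05:00", "198.51.100.9", "bob@uni.example",   True),
    ("2013-09-12 13:05:01", "198.51.100.9", "bobb@uni.example",  False),  # one typo, not a harvest
    ("2013-09-12 13:05:02", "198.51.100.9", "carol@uni.example", True),
    # six invalid attempts spread over three hours: never more than five in one hour
    ("2013-09-12 14:00:00", "192.0.2.44",   "x1@uni.example",    False),
    ("2013-09-12 14:20:00", "192.0.2.44",   "x2@uni.example",    False),
    ("2013-09-12 14:40:00", "192.0.2.44",   "x3@uni.example",    False),
    ("2013-09-12 15:30:00", "192.0.2.44",   "x4@uni.example",    False),
    ("2013-09-12 15:50:00", "192.0.2.44",   "x5@uni.example",    False),
    ("2013-09-12 16:30:00", "192.0.2.44",   "x6@uni.example",    False),
]


class DhapModel:
    """Simplified model of directory harvest attack prevention.

    Invalid-recipient attempts are counted per connecting IP over a rolling
    window (assumed here to be one hour); an IP is flagged the first time its
    count exceeds max_invalid, the "maximum invalid attempts per IP" knob.
    """

    def __init__(self, max_invalid=5, window=timedelta(hours=1)):
        self.max_invalid = max_invalid
        self.window = window
        self.invalid = defaultdict(deque)  # ip -> timestamps of invalid attempts
        self.flagged = {}                  # ip -> timestamp when the limit was exceeded

    def observe(self, ts, ip, valid):
        """Record one recipient check; return True if this attempt crosses the limit."""
        if valid:
            return False
        q = self.invalid[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget attempts older than the window
            q.popleft()
        if len(q) > self.max_invalid and ip not in self.flagged:
            self.flagged[ip] = ts
            return True
        return False


def run_dhap(events, max_invalid=5):
    """Replay events in order; return {ip: first timestamp at which it exceeded the limit}."""
    model = DhapModel(max_invalid=max_invalid)
    for ts_str, ip, _rcpt, valid in events:
        model.observe(datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"), ip, valid)
    return model.flagged


if __name__ == "__main__":
    for limit in (5, 10):
        print(f"max_invalid={limit}:", run_dhap(EVENTS, max_invalid=limit))
```

With the limit at 5 only the host that probes six made-up addresses in ten seconds is flagged; the user who mistypes one address and the slow, spread-out prober stay under the threshold, which is why the reply suggests a low value such as 5 to 10 rather than a high one.
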
Luis Silva Benavides
Cisco Employee

Federico,

You can also reach the PDI team for this kind of question. PDI was developed to assist Cisco Partners in the Planning, Designing and Implementing phases.

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html