EUQ Spam notification is a useful feature for providing an interface to manage quarantined e-mail, without really worring about authenticating users to the EUQ app.
Now, the feature works fine for incoming spam. But what about outgoing spam i.e outgoing spam scanning is turned on? I wanted to include these into the notifications, too (as it's usually false positive e-mail). However, in this case Ironport really sends notifications to the recipient on the internet. This is not desirable as the recipient outside the company will receive an unexpected spam digest (with links to the internal EUQ interface), instead of the internal sender. What is the best way to handle outbound spam in terms of sender notification? The problem is I must somehow notify the internal sender that his e-mail was blocked as spam. I could send a custom NDR to the sender each time outgoing spam is detected. But if a spam bot starts pumping outgoing spam (as is usually the case for outgoing spam), wouldn't I end up generating lots of backscatter for this spam? Presumably, the MAIL FROM would be forged, so I would send all those notifications to inexistent users or worse to users which haven't sent the spam in the first place?
Any idea how to best handle outgoing spam feedback?
It would be simpler if Ironport sent EUQ spam notifications for both incoming and outgoing traffic only to addresses matching the RAT table - as these are the users for whom it makes sense sending such information.
Your assessment is correct, the AsyncOS could definitely do a better job on how it handles spam detected for outbound traffic from Internal sources out to the Internet.
One suggestion I would propose is that send you do have two different listeners: Incoming and Outgoing, that you make use of that flexibility.
In the "Outgoing mail policy" -> Anti-spam section, instead of immediately applying the ISQ(IronPort Spam Quarantine) action, you instead insert a custom header(e.g. X-Detect-Outgoing-Spam: True)
Then, create an outgoing content filter, that looks for that custom header. If the outgoing content filter sees that custom header, then you would have several options.
1. You can force send it to a System quarantine(e.g. Policy quarantine [note, this is currently only accessibly by the System Admin]). 2. Implement a "notify()" action to let the internal sender know the message was detected to be spam and that they need to do something about it.
There may be other options, but I would need to know what your company's policy on how it should handle situations like this to provide a clearer answer.
So, until the AsyncOS can do what you were looking for, you may want to see if this workaround/solution can get you want you want.
thanks for your reply. Sending back notifications to internal spam senders is a solution, but I think it has the potential to create undesired effects once a spam bot starts sending spam, the result being: backscatter notifications to forged MAIL FROM recipients. Correct me if I'm wrong.
As I said earlier: it would be simpler if Ironport sent EUQ spam notifications for both incoming and outgoing traffic only to addresses matching the RAT table - as these are the users for whom it makes sense sending such information. I could then have both outgoing and incoming spam in the spam digest notification, which is really what is needed.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...