Cisco Support Community
New Member

Finally using SPAM quarantine and want to know how many e-mails are being released

We have two C660s and one M660 and we are finally using the SPAM quarantine functionality on the M660 and so far it has been awesome. For my pilot group I have the spam thresholds set as low as recommended by the GUI at 50 (positive) and 25 (suspected)... First off, if I change these numbers will I see noticeable differences in what is allowed through and what isn't?

My real question is, is there an easy way to see what mail is being released by users from the SPAM quarantine? Originally I had a content filter set up that was working, but now it appears that when users are releasing e-mails from the quarantine it is skipping any type of content filtering. From what I can tell, e-mails are still being routed from the M660 to one of the two C660s for delivery, but in the mail logs I see information like:

Wed Aug 15 09:34:32 2012 Info: ISQ: Delivering MID 1592784 to ISQ (skipping work queue)

And in Message Tracking I see:

15 Aug 2012 09:32:23 (GMT -05:00)Message 116381462 was released from Spam Quarantine, IP address 10.25.211.100.
15 Aug 2012 09:32:23 (GMT -05:00)Message 116381462 released from Spam Quarantine. Work queue skipped.
15 Aug 2012 09:32:23 (GMT -05:00)Message 116381462 queued for delivery.
15 Aug 2012 09:32:23 (GMT -05:00)(DCID 40556495) Delivery started for message 116381462 to

My outgoing content filter is set up like:

Conditions

| Order | Condition | Rule |
|---|---|---|
| 1 | Remote IP/Hostname | remote-ip == XXXXXXXX |
| 2 | Envelope Sender | mail-from != XXXXXXXXXX |

Actions

| Order | Action | Rule |
|---|---|---|
| 1 | Add Log Entry | log-entry("ReleasedFromSpamQuarantine") |

XXXXXXX = the IP address of our M660..  

XXXXXXXX = the e-mail address used by our M660 to send out reports/alerts etc..

Appreciate any input/feedback...

Jason

2 REPLIES
New Member

Finally using SPAM quarantine and want to know how many e-mails

Sorry, I can't help you, but we have a similar setup and I also wonder from time to time what they are releasing and how much, so once you get yours working again I would be happy to steal your idea, LOL

Finally using SPAM quarantine and want to know how many e-mails

Hello Jason,

One thing about the thresholds: the defaults are 50/90 for suspected and positive spam, and that usually works for most customers. In some cases, if spam still gets through, we suggest modifying that to 40/80, but you should not go any lower, as this will just increase the number of false positives. In general, the antispam engine delivers a value way above or below the thresholds, meaning scores are always either below 10 (no spam) or above 90 (spam); very few are in between this range, so usually the default setting works.

About the information of which user released a message, there is unfortunately no direct way to get this done. You might try this approach:

1. mail_logs: Look for the MID of the message when it's getting injected to the SMA; note that this is not the same MID as in message tracking.

2. mail_logs: Look for the message getting released, and note the time stamp:

6 Aug 2012 13:29:21 (GMT) Start Message 10054459 ICID 0 release from Spam Quarantine

3. Do a

CLI: grep timestamp euqgui_logs

with the timestamp you retrieved from the mail logs (just use the day, hour, and minute part). This should get you the log lines for the particular minute; check them for the name of the user who was accessing the GUI at that time.

Hope that helps,

Andreas
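
The correlation described in steps 2 and 3 of the reply above, as an added example for logs exported off the appliance (not part of the original thread and not Cisco code). It assumes euqgui_logs lines start with the same ctime-style timestamp as the mail_logs line quoted in the question; the function names, the GUI log text and the second release line are constructed for illustration.

```python
import re
from datetime import datetime

# Two timestamp layouts: the release line quoted in the reply, and the
# ctime-style prefix of the mail_logs line in the question (assumed here to be
# what euqgui_logs uses as well). Both logs are assumed to share a time zone.
TS_PATTERNS = [
    (re.compile(r"^(\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})"), "%d %b %Y %H:%M:%S"),
    (re.compile(r"^\w{3} (\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"), "%b %d %H:%M:%S %Y"),
]
RELEASE = re.compile(r"Start Message (\d+) ICID \d+ release from Spam Quarantine")

def parse_minute(line):
    """Return the line's leading timestamp truncated to the minute, or None."""
    for rx, fmt in TS_PATTERNS:
        m = rx.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse ctime day padding
            return datetime.strptime(stamp, fmt).replace(second=0)
    return None

def gui_activity_for_releases(mail_lines, gui_lines):
    """Map each released message ID to the GUI log lines from the same minute."""
    by_minute = {}
    for line in gui_lines:
        minute = parse_minute(line)
        if minute:
            by_minute.setdefault(minute, []).append(line.strip())
    found = {}
    for line in mail_lines:
        m, minute = RELEASE.search(line), parse_minute(line)
        if m and minute:
            found[m.group(1)] = by_minute.get(minute, [])
    return found

# First release line is the one from the reply; everything else is constructed.
MAIL_LOGS = [
    "6 Aug 2012 13:29:21 (GMT) Start Message 10054459 ICID 0 release from Spam Quarantine",
    "6 Aug 2012 13:41:02 (GMT) Start Message 10054511 ICID 0 release from Spam Quarantine",
]
EUQGUI_LOGS = [
    "Mon Aug  6 13:29:05 2012 Info: constructed sample, session for jdoe@example.com",
    "Mon Aug  6 13:35:40 2012 Info: constructed sample, session for asmith@example.com",
]

if __name__ == "__main__":
    for mid, lines in gui_activity_for_releases(MAIL_LOGS, EUQGUI_LOGS).items():
        print(mid, lines or "no GUI activity logged in that minute")
```

A match is only a candidate: every user active in the quarantine GUI during that minute is returned, so busy periods still need manual review.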
