Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Email Security Quick-links: ESA Product Support | SMA Product Support | Email Submission and Tracking Portal | Cisco SecurityHub
Current General Deployment (GD) Releases:
ESA: 11.0.0-264 WSA: 10.5.1-296 SMA: 11.0.0-115 Email Plug-in (Reporting): 1.0.1-048 Email Plug-in (Encryption): 1.0.0-036

New Member

How to find spam details


I'm looking for information about spam in the Ironport. Specifically I'm interested in why the email was considered as spam.

I'm looking for information like...

Title, From, Date, Reason


Something, Tom Hanks, 04.11.2012, Virus deteced

Something1, Jane Dean, 4/11/2012, Spam (reputation servers)

Something2, Mike Brown, 11/04/2012, Stopped by policy

Cisco Employee

How to find spam details


An email is deemed as spam by IronPort ESA based on a number of parameters depending on the scanning policy configuration.

I believe you are looking for the explanation behind the verdict for:

1. Virus detected, the email may not necessary spam but the body or attachment contains virus.

2. Spam (reputation servers),  the mail may not be spam, the mail was rejected by ESA due to the sender's SBRS score.

3. Stopped by policy, (again) the mail may not be spam but the policy configured in the ESA stopped or dropped the mail using filter.

You can confirm if an email is a spam by looking at its mail log or look at the details in the message tracking.

The line in the mail log and message filter looks like this:

"MID xxxxx interim verdict using engine: CASE spam positive"

I hope this helps.



New Member

How to find spam details


As Donny pointed out, you can get most of the information you want from the mail logs. Whether the message was rejected due to reputation filtering, stopped by a specific policy setting, dropped as a virus, or anything else, all the details will be in the mail logs.

But there is one thing you won't get that way. If IronPort Anti-Spam (known in the logs as CASE, the Context Adaptive Scanning Engine), considers a message to be spam, then you won't be able to find out what rules triggered this verdict. This information is not disclosed, to prevent spammers from using it to learn how to adapt their messages. The fact that CASE decided that the message was spam is noted in the logs, just not what particular rules led to this decision.