Cisco Support Community
Community Member

Reputation Filtering

Our appliance used to be able to stop over 80% of spam by reputation alone; it has now gone down to around 60% over the year.

Not sure if it was caused by one of the updates or the spammers have just gotten better at bypassing spam sensors... Anyone else experiencing this? Is there an average percent it should be catching?

I have contacted support about this and basically their response was just to keep reporting missed spam using the Outlook plug-in.

3 REPLIES
Cisco Employee

What have you seen?  Is it a consistent sender/IP with a normal Subject?  What does message tracking show you for examples that you can provide?

Are you using the default scoring on your IPAS settings, or have you customized the rules/scoring to try to assist?

-Robert

Community Member

Seem to be from different IPs, some are normal looking subject lines and some are spam looking, but it can vary from day to day.

example:

SUBJECT:Лучший новостной сайт Новокузнецка

BODY:Детская площадка Crazy Club — самый большой в Новокузнецке детский парк развлечений. Новейшие аттракционы и развлечения.............................

 

Our scoring settings are set to default. We have made a change to "Max. Concurrent Connections From a Single IP" and it seems to be helping a little bit.

 

 

Cisco Employee

If you are seeing an up-tick in the spam, be sure to submit examples, so that we can work to improve the rule sets associated with the sender/subject.  Every submission helps!

Full info on reporting:

ESA FAQ: How do you report Content Security Anti-Spam false positives or missed spam?

If you are interested in blocking, or at least decreasing, spam similar to the example you provide, we do have a knowledge base article that may aid you.  This was written specifically for Russian senders, but can be applied globally to match the language of origin.  See below:

There are 2 options:

  1. Write a filter.
  2. Refer to a dictionary text file in a message filter.


1. You can write either a content filter or a message filter to catch these charsets if your business does not interact with Russian / Cyrillic / Ukrainian senders.

Here is an outline for a filter.

quarantine_russian_spam:

if (recv-listener == "InboundMail") AND ((body-contains("windows-1251")) OR (header("Content-type") == "(?i)windows-1251")) {
    quarantine ("Policy");
}

You may want to place this in the content filters since content filters occur after the anti-spam scanning.  Placing this filter in the message filters may be resource-expensive in order to scan the body of the email for the charsets.

2. Another option is to add the list of character sets to a dictionary text file and refer to that in your message filter.  


Below are some of the charsets that you can use depending on what language the spam is.

=========================================================


References

http://msdn.microsoft.com/en-us/library/aa752010.aspx

http://en.wikipedia.org/wiki/ISO_8859-1

28591 iso-8859-1 Western European (ISO)
28592 iso-8859-2 Central European (ISO)
28593 iso-8859-3 Latin 3 (ISO)
28594 iso-8859-4 Baltic (ISO)
28595 iso-8859-5 Cyrillic (ISO) (i.e. Eastern European (Cyrillic-based: Bulgarian, Byelorussian, Macedonian, Russian, Serbian, Ukrainian))

28596 iso-8859-6 Arabic (ISO)
28597 iso-8859-7 Greek (ISO)
28598 iso-8859-8 Hebrew (ISO-Visual)
28599 iso-8859-9 Turkish (ISO)
28603 iso-8859-13 Estonian (ISO)
28605 iso-8859-15 Latin 9 (ISO)



ISO 8859-1

Western European (Albanian, Basque, Breton, Catalan, Danish, Dutch, English, Faeroese, Finnish, French, German, Greenlandic, Icelandic, Irish Gaelic, Italian, Latin, Luxemburgish, Norwegian, Portuguese, Rhaeto-Romanic, Scottish Gaelic, Spanish, Swedish)

ISO 8859-2

Eastern European (Albanian, Croatian, Czech, English, German, Hungarian, Latin, Polish, Romanian, Slovak, Slovenian, Serbian)

ISO 8859-3

Southeastern European (Afrikaans, Catalan, Dutch, English, Esperanto, German, Italian, Maltese, Spanish, Turkish)

ISO 8859-4

Northern European (Danish, English, Estonian, Finnish, German, Greenlandic, Latin, Latvian, Lithuanian, Norwegian, Sámi, Slovenian, Swedish)

ISO 8859-5

Eastern European (Cyrillic-based: Bulgarian, Byelorussian, Macedonian, Russian, Serbian, Ukrainian)

ISO 8859-6

Arabic

ISO 8859-7

Greek

ISO 8859-8

Hebrew

ISO 8859-9

Western European (Albanian, Basque, Breton, Catalan, Cornish, Danish, Dutch, English, Finnish, French, Frisian, Galician, German, Greenlandic, Irish Gaelic, Italian, Latin, Luxemburgish, Norwegian, Portuguese, Rhaeto-Romanic, Scottish Gaelic, Spanish, Swedish, Turkish)

ISO 8859-10

Northern European (Danish, English, Estonian, Faeroese, Finnish, German, Greenlandic, Icelandic, Irish Gaelic, Latin, Lithuanian, Norwegian, Sámi, Slovenian, Swedish)

ISO 8859-15

Western European (Albanian, Basque, Breton, Catalan, Danish, Dutch, English, Estonian, Faroese, Finnish, French, Frisian, Galician, German, Greenlandic, Icelandic, Irish Gaelic, Italian, Latin, Luxemburgish, Norwegian, Portuguese, Rhaeto-Romanic, Scottish Gaelic, Spanish, Swedish)

------------------------------------

United States,UK
Western European (ISO)

iso-8859-1

http://en.wikipedia.org/wiki/ISO_8859-1
-----------------------------------

For Arabic (most common: iso-8859-6)

ASMO-708
DOS-720
iso-8859-6
csISOLatinArabic
ECMA-114
ISO_8859-6
ISO_8859-6:1987
iso-ir-127
x-mac-arabic
windows-1256
cp1256

-----------------------------------

Baltic:

ibm775
CP500
iso-8859-4
windows-1257

-----------------------------------

Central European (Croatia, Czech, Hungary) (most common: iso-8859-2)

ibm852
iso-8859-2
csISOLatin2
iso_8859-2
iso_8859-2:1987
iso8859-2
iso-ir-101
x-mac-ce
latin2_croatian_ci
latin2_czech_cs
latin2_general_ci
latin2_hungarian_ci
latin2_bin
x-cp1250

-----------------------------------

Chinese (most common: all)

EUC-CN
x-euc-cn
gb2312
CN-GB
csGB2312
csGB231280
csISO58GB231280
GB_2312-80
GB231280
GB2312-80
hz-gb-2312
x-mac-chinesesimp
iso-ir-58
cn-big5
x-Chinese

-----------------------------------

Russian, Ukrainian, Cyrillic (most common: windows-1251)
(i.e. Eastern European (Cyrillic-based: Bulgarian, Byelorussian, Macedonian, Russian, Serbian, Ukrainian))

cp866
iso-8859-5
koi8-r
koi8-u
x-mac-cyrillic
windows-1251
windows-1257

-----------------------------------

German

x-IA5-German

Sample German

Ich weiß es nicht
Da während des ganzen Mittelalters im Unterschied zu den Nachbarländern in dem Land der Teutschen stark territorial zersplitterte politische Strukturen existierten, entwickelten sich die zum Teil extrem unterschiedlichen deutschen Dialekte (deutsche Mundarten) lange parallel nebeneinander her.
rächen

------------------------------------

Greek (most common: windows-1253)

ibm869
ibm737
iso-8859-7
x-mac-greek
windows-1253

-----------------------------------

Hebrew (most common: windows-1255)

iso-8859-8
x-mac-hebrew
windows-1255

-----------------------------------

Japanese (most common: iso-2022-jp, shift_jis)

shift_jis
x-mac-japanese
csISO2022JP
euc-jp
x-euc
x-euc-jp
iso-2022-jp

-----------------------------------

Korean (most common: iso-2022-kr, euc-kr)

ks_c_5601-1987
csKSC56011987
euc-kr
iso-ir-149
ks_c_5601
ks_c_5601_1987
ks_c_5601-1989
KSC_5601
KSC5601
csEUCKR
iso-2022-kr
csISO2022KR
x-mac-korean
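
An offline check, added here as an example and not part of the original thread or the Cisco knowledge base article: before deploying a charset rule like the one above, run sample mail through it to see which messages the label list would catch and which Cyrillic messages carry a label outside the list (utf-8, for instance). The function names, the charset subset and the sample messages are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy

# Subset of the Cyrillic charset labels listed in the post above.
CYRILLIC_CHARSETS = {"cp866", "iso-8859-5", "koi8-r", "koi8-u", "windows-1251"}
ENCODED_WORD = re.compile(rb"=\?([^?\s]+)\?[bBqQ]\?")   # RFC 2047 header words
CYRILLIC_LETTER = re.compile(r"[\u0400-\u04FF]")

def declared_charsets(raw):
    """Charset labels on any MIME part or in encoded-word headers, lowercased."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {part.get_content_charset() for part in msg.walk()} - {None}
    words = ENCODED_WORD.findall(raw.split(b"\r\n\r\n", 1)[0])
    return found | {w.decode("ascii", "replace").lower() for w in words}

def decoded_text(raw):
    """Subject plus every text/* part, decoded to Unicode."""
    msg = message_from_bytes(raw, policy=policy.default)
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            try:
                chunks.append(data.decode(part.get_content_charset() or "ascii", "replace"))
            except LookupError:          # label with no Python codec
                chunks.append(data.decode("latin-1"))
    return "\n".join(chunks)

def classify(raw):
    if declared_charsets(raw) & CYRILLIC_CHARSETS:
        return "charset-match"           # a charset rule would fire
    cyr = CYRILLIC_LETTER.search(decoded_text(raw))
    return "cyrillic-not-matched" if cyr else "no-match"

def sample_mail(ctype, body, subject=b"hello"):
    return (b"Subject: " + subject + b"\r\nContent-Type: " + ctype +
            b"\r\nContent-Transfer-Encoding: 8bit\r\n\r\n" + body)

# Constructed sample messages (not real mail).
SAMPLES = {
    "cp1251": sample_mail(b"text/plain; charset=windows-1251", "Детский парк".encode("cp1251")),
    "utf8": sample_mail(b"text/plain; charset=utf-8", "Детский парк".encode("utf-8")),
    "koi8-subject": sample_mail(b"text/plain; charset=us-ascii", b"see subject",
        b"=?koi8-r?B?" + base64.b64encode("Привет".encode("koi8-r")) + b"?="),
    "english": sample_mail(b"text/plain; charset=us-ascii", b"Quarterly report attached."),
}

if __name__ == "__main__":
    print({name: classify(raw) for name, raw in SAMPLES.items()})
```

Messages that come back as `cyrillic-not-matched` are the ones a charset list alone will not quarantine; messages that come back as `charset-match` from legitimate senders are the false positives to weigh before enabling the rule.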
