
New Member

Spam Threshold Levels

What do you guys have your levels set to? Ours are currently 75/35 (drop/quarantine for the actions), but we've just had to lower it again to 75/30 due to slightly increasing levels of spam getting through. This is getting rather close to the lower limit of 25, so I'm beginning to wonder what happens if we end up at 25 and we still get things through!

We submit everything that comes through to the spam@access... address, but is there anything further we can do? The next thing I can think of is looking at headers and seeing if there's anything there (such as encodings..)

4 REPLIES
New Member

Re: Spam Threshold Levels

Do you apply the CASE engine to all Sender Groups or just the senders with a lower score?

We are seeing an increase, but upon investigation the majority are coming from Senders with a higher reputation and hence do not have the CASE engine applied against them.

New Member

Re: Spam Threshold Levels

Good question! Just checked, but we're applying it to all the groups except one and from the header stamping we do, the junk isn't coming in as that group, thankfully.

Thinking further, I guess putting the junk through a trace would be a good idea too, as we could then see what the IP boxes think of it then..

New Member

Re: Spam Threshold Levels

I think it's better to use several CASE policies (at least 2) with different scores and put spam recipients/senders into a stricter policy (lower scores). Does anyone have any other ideas?

New Member

Re: Spam Threshold Levels

If you are going to use different CASE Policies (with Different Scores) then you have to have multiple Mail Policies each with a different Anti-Spam Setting, and the complex way you would have to put the senders into the different policies (Email Address or LDAP group), is going to put an overhead on the appliances and be a pain to manage.

The best way we have found is to drop the messages from the senders with a low SBRS (Around the -2.5 mark is good). For us that drops about +80% of the messages at the Gateway (and saves a huge amount of overhead on the appliances).

At the other end of the scale we don't apply the CASE engine to the senders with a very good score.

This works very well for us and the 30 Million messages we process in a month. The false positive rate for the messages we drop is about 0.00002%.
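Added example, not part of any poster's reply and not Cisco code: a small model of the tiered flow discussed in this thread (reputation drop around SBRS -2.5, scanning bypass for well-reputed senders, 75/30 drop/quarantine thresholds), used to compare lowering the quarantine threshold against scanning trusted senders. The `TRUSTED_SBRS` cutoff, the function names and the sample messages are constructed assumptions.

```python
from collections import Counter

SBRS_DROP = -2.5    # from the thread: senders around this SBRS are dropped at the gateway
TRUSTED_SBRS = 6.0  # assumption: senders at or above this bypass anti-spam scanning

def verdict(sbrs, case_score, drop_at=75, quarantine_at=30, scan_trusted=False):
    """Return (action, stage) for one message under the tiered flow."""
    if sbrs <= SBRS_DROP:
        return "drop", "reputation"      # rejected before any content scan
    if sbrs >= TRUSTED_SBRS and not scan_trusted:
        return "deliver", "bypass"       # good reputation, never scored
    if case_score >= drop_at:
        return "drop", "case"
    if case_score >= quarantine_at:
        return "quarantine", "case"
    return "deliver", "case"

# Constructed sample: (sender SBRS, anti-spam score, is_spam ground truth)
SAMPLE = [
    (-6.1, 98, True), (-3.0, 91, True), (-2.7, 40, True),
    (0.4, 88, True), (1.2, 33, True), (2.0, 27, True),
    (7.3, 82, True), (6.5, 45, True),
    (3.1, 12, False), (4.8, 31, False), (8.0, 5, False), (0.9, 8, False),
]

def evaluate(messages, **settings):
    """Count missed spam and false positives per stage, plus scan load."""
    stats = Counter()
    for sbrs, score, is_spam in messages:
        action, stage = verdict(sbrs, score, **settings)
        if stage == "case":
            stats["scanned"] += 1        # message reached the content scanner
        if is_spam and action == "deliver":
            stats["missed_" + stage] += 1
        elif not is_spam and action != "deliver":
            stats["fp_" + action] += 1
    return stats

if __name__ == "__main__":
    configs = [
        ("75/30", {}),
        ("75/25 (lower limit)", {"quarantine_at": 25}),
        ("75/30, scan trusted senders", {"scan_trusted": True}),
    ]
    for name, settings in configs:
        print(f"{name:30} {dict(evaluate(SAMPLE, **settings))}")
```

On this sample, dropping the quarantine threshold to 25 catches the one low-scoring miss but leaves the bypassed spam untouched, while scanning trusted senders removes the bypass misses at the cost of more messages scanned.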
