Cisco Email Security Appliance X1070 Troubleshooting Guide

   ◊ Do a quick check through the message filters to make sure there are not any filters that "skip-spamcheck". If there are, make sure they are doing what they should (keeping in mind that matching a single rcpt-to can match on messages with 30+ recipients).
   ◊ Find a recent SPAM example (time, date, rcpt, etc.), and reference the mail_logs to see what happened. Confirm that Anti-Spam returned a negative verdict.
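The mail_logs check described above, as an added example (not from the Cisco guide): it traces every message addressed to one recipient and reports the Anti-Spam verdict, marking messages that carry no verdict line at all, which is what a skipped scan would look like. The log line layout, the sample lines and the function name are constructed assumptions; adjust the patterns to match your own mail_logs.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout is an assumption modelled on
# AsyncOS text mail logs; verify it against your own mail_logs.
SAMPLE_LOG = """\
Tue Mar  4 09:12:01 2014 Info: MID 1001 ICID 501 From: <sender@example.net>
Tue Mar  4 09:12:01 2014 Info: MID 1001 ICID 501 RID 0 To: <user@example.com>
Tue Mar  4 09:12:02 2014 Info: MID 1001 using engine: CASE spam negative
Tue Mar  4 09:15:40 2014 Info: MID 1002 ICID 502 From: <bulk@example.org>
Tue Mar  4 09:15:40 2014 Info: MID 1002 ICID 502 RID 0 To: <user@example.com>
Tue Mar  4 09:15:40 2014 Info: MID 1002 ICID 502 RID 1 To: <other@example.com>
Tue Mar  4 09:20:11 2014 Info: MID 1003 ICID 503 From: <promo@example.org>
Tue Mar  4 09:20:11 2014 Info: MID 1003 ICID 503 RID 0 To: <other@example.com>
Tue Mar  4 09:20:12 2014 Info: MID 1003 using engine: CASE spam positive
"""

RCPT_RE = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]+)>")
VERDICT_RE = re.compile(
    r"MID (\d+) using engine: CASE spam (negative|positive|suspect)")


def trace_verdicts(log_text, rcpt):
    """Return {MID: {"verdict", "rcpt_count"}} for messages sent to rcpt."""
    recipients = defaultdict(list)   # MID -> all envelope recipients
    verdicts = {}                    # MID -> Anti-Spam verdict
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if m:
            recipients[m.group(1)].append(m.group(2).lower())
            continue
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m.group(1)] = m.group(2)
    report = {}
    for mid, rcpts in recipients.items():
        if rcpt.lower() in rcpts:
            # No verdict line means the message was never scanned,
            # e.g. a filter or policy skipped the spam check.
            report[mid] = {"verdict": verdicts.get(mid, "not scanned"),
                           "rcpt_count": len(rcpts)}
    return report


if __name__ == "__main__":
    for mid, info in trace_verdicts(SAMPLE_LOG, "user@example.com").items():
        print(mid, info["verdict"], "recipients:", info["rcpt_count"])
```

A "not scanned" result on a multi-recipient message is the case to compare against your message filters, since a filter matching one rcpt-to applies to the whole message.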
4. Make sure you are taking the desired actions on spam positive messages. Check the Inbound Mail Policies for how Anti-Spam verdicts are handled. Make sure SPAM positive and suspect messages are dropped or quarantined in the default policy, and that all other policies either use the default behavior or deliberately override the default.
5. Apply more aggressive spam thresholds if false-positives are less of a concern than missed spam:
   a. Reduce the Positive Spam Threshold to 80 (default is 90) if false-positives are not a concern at the 'certain' threshold.
   b. Reduce the Suspected Spam Threshold to 40 (default is 50) if false-positives are not a concern at the 'suspect' threshold.
   c. If most of your spam complaints are coming from a subset of recipients, you can create a separate mail policy for these users with lower spam thresholds in order to filter more aggressively for just these recipients.
      ◊ Changes to these values should not be taken lightly, nor should they be enacted without hard data to ascertain what the repercussions will be.
      ◊ Also, do not necessarily adjust values in the other direction only to avoid False Positives.
      ◊ Please make sure that False Positives and False Negatives are submitted to TAC.
6. Optimize your SBRS settings and HAT Policies:
   a. Most organizations are comfortable adding SBRS -10 to -3.0 to their Blacklist and SBRS -3.0 to 1.0 to their SUSPECTLIST. More aggressive customers can blacklist SBRS -10 to -2.0 and add -2.0 to -0.6 to the SUSPECTLIST.
   b. In some cases, the fact that a sender does not yet have a SenderBase Reputation Score is evidence that this sender may be a spammer. You can add SBRS "none" directly to a sender group that gets the "Throttled" policy, for example to your SUSPECT sender group.
   c. Change the max number of recipients per hour to 5 for the "Throttled" policy.
   d. Consider creating more than one "Throttled" policy to enforce different recipient per hour limits, for example rate limiting senders with an SBRS between -2 and -1 to 5 recipients per hour and senders with an SBRS between -1 and 0 to 20 recipients per hour.
7. Enable Sender Verification for the "Throttled" Mailflow policy: