Cisco Email Security Appliance X1050 User Guide
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 9 Anti-Spam
Broadest Threat Prevention
CASE combines content analysis, email reputation, and web reputation to deliver the broadest set of
threat prevention factors.
Cisco designed Cisco IronPort Anti-Spam from the ground up to detect the broadest range of email
threats. Cisco IronPort Anti-Spam addresses a full range of known threats including spam, phishing and
zombie attacks, as well as hard-to-detect low volume, short-lived email threats such as “419” scams. In
addition, Cisco IronPort Anti-Spam identifies new and evolving blended threats such as spam attacks
distributing malicious content through a download URL or an executable.
To identify these threats, Cisco IronPort Anti-Spam uses the industry's most complete approach to threat
detection, examining the full context of a message: its content, methods of message construction, the
reputation of the sender, the reputation of web sites advertised in the message, and more. Only Cisco
IronPort Anti-Spam combines the power of email and web reputation data, leveraging the full power of
the world's largest email and web traffic monitoring network — SenderBase — to detect new attacks as
soon as they begin.
Note
If your Cisco IronPort appliance is set to receive mail from a local MX/MTA, you must identify upstream
hosts that may mask the sender’s IP address. See
for more information.
Lowest False Positive Rate
Cisco IronPort Anti-Spam and Cisco IronPort Outbreak Filters are powered by Cisco IronPort’s
patent-pending Context Adaptive Scanning Engine (CASE) ™. CASE provides breakthrough accuracy
and performance by analyzing over 100,000 message attributes across four dimensions:
Step 1  Email reputation — who is sending you this message?
Step 2  Message content — what content is included in this message?
Step 3  Message structure — how was this message constructed?
Step 4  Web reputation — where does the call to action take you?
Analyzing multi-dimensional relationships allows CASE to catch a broad range of threats while
maintaining exceptional accuracy. For example, a message that has content claiming to be from a
legitimate financial institution but that is sent from an IP address on a consumer broadband network or
that contains a URL hosted on a “zombie” PC will be viewed as suspicious. In contrast, a message
coming from a pharmaceutical company with a positive reputation will not be tagged as spam even if the
message contains words closely correlated with spam.
Industry-Leading Performance
CASE combines the following features to deliver accurate verdicts quickly:
• Multiple threats are scanned for in a single pass
• Dynamic “early exit” system
System performance is optimized using Cisco IronPort's unique “early exit” system. Cisco IronPort
developed a proprietary algorithm to determine the order in which rules are applied based on rule
accuracy and computational expense. Lighter and more accurate rules are run first, and if a verdict
is reached, additional rules are not required. This improves system throughput, allowing our