Cisco Cisco Email Security Appliance X1050 Guía Del Usuario
9-16
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 9 Anti-Spam
Positively Identified versus Suspected Spam
Because Cisco IronPort Anti-Spam and Cisco IronPort Intelligent Multi-Scan make the distinction
between positively identified and suspected spam (
between positively identified and suspected spam (
many users configure their systems in one of the following ways:
The first configuration method tags only suspected spam messages, while dropping those messages that
are positively identified. Administrators and end-users can check the subject line of incoming message
for false positives, and an administrator can adjust, if necessary, the suspected spam threshold.
are positively identified. Administrators and end-users can check the subject line of incoming message
for false positives, and an administrator can adjust, if necessary, the suspected spam threshold.
In the second configuration method, positively identified and suspected spam is delivered with an altered
subject. Users can delete suspected and positively identified spam. This method is more conservative
than the first.
subject. Users can delete suspected and positively identified spam. This method is more conservative
than the first.
See
for a further discussion of mixing aggressive and conservative policies on a
per-recipient basis using the Email Security Manager feature.
Unwanted Marketing Message Detection
Cisco IronPort Anti-Spam and Cisco IronPort Intelligent Multi-Scan can distinguish between spam and
unwanted marketing messages from a legitimate source. Even though marketing messages are not
considered spam, your organization or end-users may not want to receive them. Like spam, you have the
option to deliver, drop, quarantine, or bounce unwanted marketing message. You also have the option to
tag unwanted marketing messages by adding text to the message’s subject to identify it as marketing.
unwanted marketing messages from a legitimate source. Even though marketing messages are not
considered spam, your organization or end-users may not want to receive them. Like spam, you have the
option to deliver, drop, quarantine, or bounce unwanted marketing message. You also have the option to
tag unwanted marketing messages by adding text to the message’s subject to identify it as marketing.
Headers Added by Cisco IronPort Anti-Spam and Intelligent Multi-Scan
If Cisco IronPort Anti-Spam scanning or Intelligent Multi-Scan is enabled for a mail policy, each
message that passes through that policy will have the following header added to the message:
message that passes through that policy will have the following header added to the message:
A second header will also be inserted for each message filtered by Cisco IronPort Anti-Spam or
Intelligent Multi-Scan. This header contains information that allows Cisco IronPort Support to identify
the CASE rules and engine version used to scan the message:
Intelligent Multi-Scan. This header contains information that allows Cisco IronPort Support to identify
the CASE rules and engine version used to scan the message:
Cisco IronPort Intelligent Multi-Scan also adds headers from the third-party anti-spam scanning
engines.
engines.
Table 9-1
Common Example Configurations of Positively Identified and Suspected Spam
Spam
Method 1 Actions
(Aggressive)
(Aggressive)
Method 2 Actions
(Conservative)
(Conservative)
Positively
Identified
Identified
Drop
Deliver with “
[Positive Spam]
” added to
the subject of messages
Suspected
Deliver with “
[Suspected Spam]
”
added to the subject of messages
Deliver with “
[Suspected Spam]
” added to
the subject of messages
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam: result