Cisco Cisco Email Security Appliance C160 Mode D'Emploi
13-4
Cisco AsyncOS 8.5.6 for Email User Guide
Chapter 13 Anti-Spam
IronPort Anti-Spam Filtering
Cisco Anti-Spam: an Overview
IronPort Anti-Spam addresses a full range of known threats including spam, phishing and zombie
attacks, as well as hard-to-detect low volume, short-lived email threats such as “419” scams. In addition,
IronPort Anti-Spam identifies new and evolving blended threats such as spam attacks distributing
malicious content through a download URL or an executable.
attacks, as well as hard-to-detect low volume, short-lived email threats such as “419” scams. In addition,
IronPort Anti-Spam identifies new and evolving blended threats such as spam attacks distributing
malicious content through a download URL or an executable.
To identify these threats, IronPort Anti-Spam examines the full context of a message-its content,
methods of message construction, the reputation of the sender, the reputation of web sites advertised in
the message, and more. IronPort Anti-Spam combines the power of email and web reputation data,
leveraging the full power of the world's largest email and web traffic monitoring network — SenderBase
— to detect new attacks as soon as they begin.
methods of message construction, the reputation of the sender, the reputation of web sites advertised in
the message, and more. IronPort Anti-Spam combines the power of email and web reputation data,
leveraging the full power of the world's largest email and web traffic monitoring network — SenderBase
— to detect new attacks as soon as they begin.
IronPort Anti-Spam analyzes over 100,000 message attributes across the following dimensions:
•
Email reputation — who is sending you this message?
•
Message content — what content is included in this message?
•
Message structure — how was this message constructed?
•
Web reputation — where does the call to action take you?
Analyzing multi-dimensional relationships allows the system to catch a broad range of threats while
maintaining accuracy. For example, a message that has content claiming to be from a legitimate financial
institution but that is sent from an IP address on a consumer broadband network or that contains a URL
hosted on a “zombie” PC will be viewed as suspicious. In contrast, a message coming from a
pharmaceutical company with a positive reputation will not be tagged as spam even if the message
contains words closely correlated with spam.
maintaining accuracy. For example, a message that has content claiming to be from a legitimate financial
institution but that is sent from an IP address on a consumer broadband network or that contains a URL
hosted on a “zombie” PC will be viewed as suspicious. In contrast, a message coming from a
pharmaceutical company with a positive reputation will not be tagged as spam even if the message
contains words closely correlated with spam.
Related Topics
•
•
Spam Scanning for International Regions
Cisco Anti-Spam is effective world-wide and uses locale-specific content-aware threat detection
techniques. You can also optimize anti-spam scanning for a specific region using a regional rules profile.
techniques. You can also optimize anti-spam scanning for a specific region using a regional rules profile.
•
If you receive a large quantity of spam from a particular region outside of the US, you may want to
use a regional rules profile to help you stop spam from that region.
use a regional rules profile to help you stop spam from that region.
For example, China and Taiwan receive a high percentage of spam in traditional or modern Chinese.
The Chinese regional rules are optimized for this type of spam. If you receive mail primarily for
mainland China, Taiwan, and Hong Kong, Cisco strongly recommends you use the Chinese regional
rules profile included with the anti-spam engine.
The Chinese regional rules are optimized for this type of spam. If you receive mail primarily for
mainland China, Taiwan, and Hong Kong, Cisco strongly recommends you use the Chinese regional
rules profile included with the anti-spam engine.
•
If your spam comes primarily from the US or from no one particular region, do not enable regional
rules because doing so may reduce capture rates for other types of spam. This is because the regional
rules profile optimizes the anti-spam engine for a particular region.
rules because doing so may reduce capture rates for other types of spam. This is because the regional
rules profile optimizes the anti-spam engine for a particular region.
You can enable the regional rules profile when you configure IronPort Anti-Spam Scanning.
Related Topics
•