Cisco Email Security Appliance X1070 Troubleshooting Guide

Cisco Email Security Appliance (ESA) Anti-Spam Efficacy Checklist
Document ID: 118220
Contributed by Chris Haag and Stephan Bayer, Cisco TAC Engineers.
Aug 06, 2014
Contents
Basic Setup
Enable SBNP
SBRS Rationale
The following procedures and recommendations are "best practices" for reducing the amount of spam getting
through the ESA. Note that every customer is different and that some of these recommendations may increase
the number of legitimate emails classified as spam (false positives).
Basic Setup
1. Make sure Anti-Spam is turned on:
   a. Check to make sure that all your MX records (including lower priority MX records) are
      relaying mail through ESAs.
   b. Make sure your appliances have a valid Anti-Spam feature key.
   c. Ensure Anti-Spam is enabled for all appropriate incoming mail policies.
2. Verify that you are receiving anti-spam rule updates. Check to confirm that the most recent time
   stamps for updates under Security Services > Anti-Spam are from within the last 2 hours.
3. Make sure that messages are being scanned by Anti-Spam:
   a. Check a sample of missed spam messages for the following header:
      X-IronPort-Anti-Spam-Result:
   b. If that header is missing:
      ◊ Check to make sure you do not have any Whitelist entries or filters causing spam to
        bypass spam scanning (see below).
      ◊ Check to make sure that messages are not bypassing scanning because they exceed
        the maximum message scan size (default is 262144 bytes). Reducing this setting
        does not greatly improve performance and can result in missed spam. During an
        evaluation, it's also important to make sure the IPAS setting is the same as for any other
        products being tested.
      ◊ Go through each HAT entry and confirm that "spam_check=on" for all inbound mail
        flow policies. As long as the default has "spam_check=on", and none of the mail
        flow policies explicitly turn it off, this is configured properly. Pay special attention to
        the TRUSTED/WHITELIST settings. Oftentimes customers inadvertently add a
        sender to their Whitelist that is forwarding spam - for example, by adding the domain
        of an ISP or partner that forwards both spam and legitimate email to the WHITELIST
        sender group.
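The header check in step 3 can be scripted over a folder of saved missed-spam samples. The following is an added example, not part of the Cisco document: the function names, outcome labels and sample messages are constructed for illustration, and it assumes each sample is saved as raw message bytes whose size approximates what the ESA received.

```python
from collections import Counter
from email.parser import BytesHeaderParser

HEADER = "X-IronPort-Anti-Spam-Result"
DEFAULT_MAX_SCAN_SIZE = 262144  # bytes; the default quoted in the checklist

# What to look at next for each outcome, following the checklist items above.
NEXT_STEP = {
    "scanned": "scanned by Anti-Spam; not a bypass",
    "unscanned-oversize": "larger than the maximum scan size; review that setting",
    "unscanned-bypass": "review whitelist entries, filters and HAT spam_check",
}


def triage(raw: bytes, max_scan_size: int = DEFAULT_MAX_SCAN_SIZE) -> str:
    """Classify one saved missed-spam message (raw RFC 5322 bytes)."""
    # Parse only the header block so a copy of the header quoted in the body
    # (for example in a forwarded message) does not count as a scan result.
    headers = BytesHeaderParser().parsebytes(raw)
    if HEADER in headers:  # header names compare case-insensitively
        return "scanned"
    # Assumption: the saved copy's size approximates the size the ESA saw.
    if len(raw) > max_scan_size:
        return "unscanned-oversize"
    return "unscanned-bypass"


def summarize(samples: dict) -> Counter:
    """Count outcomes over {name: raw_bytes} and print a per-message line."""
    counts = Counter()
    for name, raw in samples.items():
        outcome = triage(raw)
        counts[outcome] += 1
        print(f"{name}: {outcome} -> {NEXT_STEP[outcome]}")
    return counts


# Constructed sample messages (not real mail).
BASE = b"From: a@example.com\r\nTo: b@example.net\r\nSubject: offer\r\n"
SAMPLES = {
    "scanned.eml": BASE + b"x-ironport-anti-spam-result: constructed\r\n\r\nhi\r\n",
    "bypassed.eml": BASE + b"\r\nhi\r\n",
    "quoted.eml": BASE + b"\r\nX-IronPort-Anti-Spam-Result: constructed\r\n",
    "oversize.eml": BASE + b"\r\n" + (b"x" * 70 + b"\r\n") * 4000,
}

if __name__ == "__main__":
    summarize(SAMPLES)
```

If you have changed the maximum scan size on the appliance, pass that value as `max_scan_size` so the oversize bucket matches your configuration.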