Cisco Cloud Email Security, Hybrid Email Security, Managed Email Security User Guide

User Guide for AsyncOS 12.5 for Cisco Cloud Email Security - GD (General Deployment)
First Published: 2019-07-01
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright ©1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
©2019 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1 Getting Started with Cisco Email Security 1
What's New in AsyncOS 12.5 1
Where to Find More Information 7
Documentation 8
Training 8
Cisco Notification Service 9
Knowledge Base 9
Cisco Support Community 9
Cisco Customer Support 9
Third Party Contributors 10
Cisco Welcomes Your Comments 10
Registering for a Cisco Account 10
Cisco Email Security Appliance Overview 10
Supported Languages 11
CHAPTER 2 Accessing the Appliance 13
Web-based Graphical User Interface (GUI) 13
Browser Requirements 13
Accessing the GUI 14
Factory Default Username and Passphrase 14
Centralized Management 14
Cloud Administrator - Web Interface Access 15
Enhanced User Experience using How-Tos Widget 15
Disabling How-Tos Widget on the Appliance 16
Changing Configuration Settings 16
Configuration Changes 16
User Guide for AsyncOS 12.5 for Cisco Cloud Email Security - GD (General Deployment)
iii
Commit or Abandoning Changes 16
Command Line Interface (CLI) 17
Cloud Administrator - CLI Access 17
CHAPTER 3 Setup and Installation 19
Installation Planning 19
Review Information That Impacts Planning Decisions 19
Plan to Place the Email Security Appliance at the Perimeter of Your Network 19
Register the Email Security Appliance in DNS 20
Installation Scenarios 21
Configuration Overview 21
Incoming 21
Outgoing 21
Ethernet Interfaces 21
Hardware Ports 22
Advanced Configurations 22
Firewall Settings (NAT, Ports) 22
Physically Connecting the Email Security Appliance to the Network 22
Configuration Scenarios 23
Segregating Incoming and Outgoing Mail 23
Preparing for System Setup 26
Determine Method for Connecting to the Appliance 27
Connecting to the Appliance 27
Determining Network and IP Address Assignments 27
Default IP Addresses for Management and Data Ports 28
Choosing Network Connections to Receive and Deliver Email 28
Binding Logical IP Addresses to Physical Ethernet Ports 28
Choosing Network Settings for Your Connections 28
Gathering the Setup Information 29
Using the System Setup Wizard 32
Accessing the Web-Based Graphical User Interface (GUI) 32
Factory Default Username and Passphrase 33
Defining Basic Configuration Using the Web-Based System Setup Wizard 33
Step 1: Start 34
Step 2: System 34
Step 3: Network 36
Step 4: Security 40
Step 5: Review 41
Setting up the Connection to Active Directory 41
Proceeding to the Next Steps 42
Accessing the Command Line Interface (CLI) 42
Factory Default Username and Passphrase 42
Running the Command Line Interface (CLI) System Setup Wizard 43
Change the Admin Passphrase 44
Accept the License Agreement 44
Set the Hostname 44
Assign and Configure Logical IP Interface(s) 44
Specify the Default Gateway 45
Enable the Web Interface 45
Configure the DNS Settings 46
Create a Listener 46
Enable Anti-Spam 53
Select a Default Anti-Spam Scanning Engine 54
Enable the Spam Quarantine 54
Enable Anti-Virus Scanning 54
Enable Outbreak Filters and SenderBase Email Traffic Monitoring Network 54
Configure the Alert Settings and AutoSupport 55
Configure Scheduled Reporting 55
Configure Time Settings 55
Commit Changes 55
Test the Configuration 56
Immediate Alerts 56
Configuring your system as an Enterprise Gateway 56
Verifying Your Configuration and Next Steps 57
CHAPTER 4 Understanding the Email Pipeline 59
Overview of the Email Pipeline 59
Email Pipeline Flows 59
Incoming / Receiving 62
Host Access Table (HAT), Sender Groups, and Mail Flow Policies 62
Received: Header 63
Default Domain 63
Bounce Verification 63
Domain Map 63
Recipient Access Table (RAT) 63
Alias Tables 63
LDAP Recipient Acceptance 64
SMTP Call-Ahead Recipient Validation 64
Work Queue / Routing 64
Email Pipeline and Security Services 64
LDAP Recipient Acceptance 65
Masquerading or LDAP Masquerading 65
LDAP Routing 65
Message Filters 66
Email Security Manager (Per-Recipient Scanning) 66
Safelist/Blocklist Scanning 66
Anti-Spam 66
Anti-Virus 66
Graymail Detection and Safe Unsubscribing 67
File Reputation Scanning and File Analysis 67
Content Filters 67
Outbreak Filters 67
Quarantines 67
Delivery 68
Virtual gateways 68
Delivery Limits 68
Domain-Based Limits 68
Domain-Based Routing 69
Global Unsubscribe 69
Bounce Limits 69
CHAPTER 5 Configuring the Gateway to Receive Email 71
Overview of Configuring the Gateway to Receive Email 71
Working with Listeners 72
Configuring Global Settings for Listeners 74
Settings for Messages Containing Multiple Encodings 76
Listening for Connection Requests by Creating a Listener Using Web Interface 77
Partial Domains, Default Domains, and Malformed MAIL FROMs 81
Listening for Connection Requests by Creating a Listener Using CLI 81
Advanced HAT Parameters 82
Enterprise Gateway Configuration 84
CHAPTER 6 Sender Reputation Filtering 85
Overview of Sender Reputation Filtering 85
SenderBase Reputation Service 85
SenderBase Reputation Score (SBRS) 86
How SenderBase Reputation Filters Work 87
Recommended Settings for Different Sender Reputation Filtering Approaches 88
Editing Sender Reputation Filtering Score Thresholds for a Listener 88
Testing Sender Reputation Filtering Using the SBRS 89
Monitoring the Status of the SenderBase Reputation Services 91
Entering Low SBRS Scores in the Message Subject 91
CHAPTER 7 Defining Which Hosts Are Allowed to Connect Using the Host Access Table 93
Overview of Defining Which Hosts Are Allowed to Connect 93
Default HAT Entries 94
Defining Remote Hosts into Sender Groups 94
Sender Group Syntax 95
Sender Groups Defined by Network Owners, Domains, and IP Addresses 96
Setting Policies Based on the HAT 97
Defining Sender Groups by SenderBase Reputation Score 98
Sender Groups Defined by Querying DNS Lists 99
Defining Access Rules for Email Senders Using Mail Flow Policies 99
HAT Variable Syntax 100
Using HAT Variables 101
Testing HAT Variables 102
Understanding Predefined Sender Groups and Mail Flow Policies 102
Handling Messages from a Group of Senders in the Same Manner 104
Creating a Sender Group for Message Handling 104
Adding a Sender to an Existing Sender Group 105
Rearranging the Order of the Rules to Perform for Incoming Connections 106
Searching for Senders 106
Defining Rules for Incoming Messages Using a Mail Flow Policy 106
Defining Default Values for Mail Flow Policies 112
Working with the Host Access Table Configuration 112
Exporting the Host Access Table Configuration to an External File 112
Importing the Host Access Table Configuration from an External File 112
Using a List of Sender Addresses for Incoming Connection Rules 113
SenderBase Settings and Mail Flow Policies 114
Timeouts for SenderBase Queries 114
HAT Significant Bits Feature 115
HAT Configuration 115
Significant Bits HAT Policy Option 115
Injection Control Periodicity 116
Verifying Senders 116
Sender Verification: Host 116
Sender Verification: Envelope Sender 117
Partial Domains, Default Domains, and Malformed MAIL FROMs 118
Custom SMTP Code and Response 118
Sender Verification Exception Table 119
Implementing Sender Verification — Example Settings 119
Throttling Messages from Unverified Senders Using the SUSPECTLIST Sender Group 120
Implementing More Stringent Throttling Settings for Unverified Senders 120
Defining Messages to Send to Unverified Senders Using the ACCEPTED Mail Flow Policy 121
Excluding Unverified Senders from Sender Verification Rules Based on Senders Email Address 121
Searching for Addresses within the Sender Verification Exception Table 121
Testing Your Settings for Messages from Unverified Senders 121
Sending a Test Message with a Malformed MAIL FROM Sender Address 122
Sending a Message from an Address That is Excluded from Sender Verification Rules 122
Sender Verification and Logging 123
Envelope Sender Verification 123
CHAPTER 8 Accepting or Rejecting Connections Based on Domain Name or Recipient Address 125
Overview of Accepting or Rejecting Connections Based on the Recipient’s Address 125
Overview of the Recipient Access Table (RAT) 126
Accessing the RAT using the GUI 126
Accessing the RAT using the CLI 126
Editing the Default RAT Entry 126
Domains and Users 127
Adding Domains and Users For Which to Accept Messages 127
Defining Recipient Addresses 128
Bypassing LDAP Accept for Special Recipients 128
Bypassing Throttling for Special Recipients 129
Rearranging the Order of Domains and Users in the Recipient Access Table 129
Exporting the Recipient Access Table to an External File 129
Importing the Recipient Access Table from an External File 130
CHAPTER 9 Using Message Filters to Enforce Email Policies 131
Overview 131
Components of a Message Filter 132
Message Filter Rules 132
Message Filter Actions 132
Message Filter Example Syntax 133
Message Filter Processing 134
Message Filter Order 135
Message Header Rules and Evaluation 135
Message Bodies vs. Message Attachments 135
Thresholds for Matches in Content Scanning 136
Threshold Syntax 137
Threshold Scoring for Message Bodies and Attachments 137
Threshold Scoring Multipart/Alternative MIME Parts 137
Threshold Scoring for Content Dictionaries 138
AND Test and OR Tests in Message Filters 139
Message Filter Rules 139
Filter Rules Summary Table 140
Regular Expressions in Rules 150
Using Regular Expressions to Filter Messages 152
Guidelines for Using Regular Expressions 152
Regular Expression and Non-ASCII Character Sets 152
n Tests 153
Case-sensitivity 153
Writing Efficient Filters 153
PDFs and Regular Expressions 154
Smart Identifiers 154
Smart Identifier Syntax 155
Description and Examples of Message Filter Rules 155
True Rule 156
Valid Rule 157
Subject Rule 157
Envelope Recipient Rule 157
Envelope Recipient in Group Rule 158
Envelope Sender Rule 158
Envelope Sender in Group Rule 159
Sender Group Rule 159
Body Size Rule 159
Remote IP Rule 160
Receiving Listener Rule 160
Receiving IP Interface Rule 161
Date Rule 161
Header Rule 161
Random Rule 162
Recipient Count Rule 163
Address Count Rule 163
Body Scanning Rule 163
Body Scanning 164
Encryption Detection Rule 164
Attachment Type Rule 165
Attachment Filename Rule 165
DNS List Rule 166
SenderBase Reputation Rule 167
Dictionary Rules 167
SPF-Status Rule 169
SPF-Passed Rule 171
S/MIME Gateway Message Rule 171
S/MIME Gateway Verified Rule 171
Workqueue-count Rule 171
SMTP Authenticated User Match Rule 172
Signed Rule 173
Signed Certificate Rule 174
Header Repeats Rule 176
URL Reputation Rules 178
URL Category Rule 179
Corrupt Attachment Rule 179
Message Language Rule 180
Macro Detection Rule 181
Forged Email Detection Rule 181
Duplicate Boundaries Verification Rule 182
Malformed MIME Header Detection Rule 182
Geolocation Rule 183
Domain Reputation Rule for ETF 183
Domain Reputation Rule for SDR 184
Message Filter Actions 185
Filter Actions Summary Table 186
Attachment Groups 192
Action Variables 195
Non-ASCII Character Sets and Message Filter Action Variables 197
Matched Content Visibility 197
Description and Examples of Message Filter Actions 198
Skip Remaining Message Filters Action 199
Drop Action 199
Bounce Action 200
Encrypt Action 200
S/MIME Sign or Encrypt on Delivery Action 200
S/MIME Sign or Encrypt Action 200
Notify and Notify-Copy Actions 201
Blind Carbon Copy Actions 203
Quarantine and Duplicate Actions 205
Alter Recipient Action 206
Alter Delivery Host Action 206
Alter Source Host (Virtual Gateway address) Action 207
Archive Action 207
Strip Header Action 208
Insert Header Action 208
Edit Header Text Action 209
Edit Body Text Action 209
HTML Convert Action 210
Bounce Profile Action 211
Bypass Anti-Spam System Action 211
Bypassing Graymail Actions 212
Bypass Anti-Virus System Action 212
Bypass File Reputation Filtering and File Analysis System Actions 213
Bypass Outbreak Filter Scanning Action 213
Add Message Tag Action 213
Add Log Entry Action 214
URL Reputation Actions 214
URL Category Actions 216
No Operation 217
Forged Email Detection Action 217
Attachment Scanning 217
Message Filters for Scanning Attachments 219
Image Analysis 220
Configuring the Image Analysis Scanning Engine 220
Tuning Image Analysis Settings 221
Configuring the Message Filter to Perform Actions Based on Image Analysis Results 222
Creating Content Filters to Strip Attachments Based on Image Analysis Verdicts 223
Configuring an Action Based on Image Analysis Verdicts 223
Notifications 224
Examples of Attachment Scanning Message Filters 224
Inserting Headers 224
Dropping Attachments by File Type 225
Dropping Attachments by Dictionary Matches 226
Quarantining Protected Attachments 227
Detecting Unprotected Attachments 227
Detecting Malicious Files in Messages Attachments Using Message Filter 227
Using the CLI to Manage Message Filters 228
Creating a New Message Filter 229
Deleting a Message Filter 230
Moving a Message Filter 230
Activating and Deactivating a Message Filter 230
Activating or Deactivating a Message Filter 233
Importing Message Filters 233
Exporting Message Filters 234
Viewing Non-ASCII Character Sets 234
Displaying a Message Filter List 234
Displaying Message Filter Details 234
Configuring Filter Log Subscriptions 235
Changing Message Encoding 236
Sample Message Filters 237
Message Filter Examples 242
Open-Relay Prevention Filter 243
Policy Enforcement Filters 243
Notify Based on Subject Filter 243
BCC and Scan Mail Sent to Competitors 244
Block Specific User Filter 244
Archive and Drop Messages Filter 244
Large “To:” Header Filter 245
Blank “From:” Filter 245
SBRS Filter 245
Alter SBRS Filter 246
Filename Regex Filter 246
Show SenderBase Reputation Score in Header Filter 246
Insert Policy into Header Filter 246
Too Many Recipients Bounce Filter 246
Routing and Domain Spoofing 247
Using Virtual Gateways Filter 247
Same Listener for Deliver and Listener Filter 247
Single Listener Filter 247
Drop Spoofed Domain Filter (Single Listener) 248
Drop Spoofed Domain Filter (Multiple Listeners) 248
Another Drop Spoofed Domain Filter 248
Detect Looping Filter 249
Configuring Scan Behavior 250
Configuring Message Handling Actions for Unscannable Messages 251
Delivering the Message 252
Sending Message to Policy Quarantine 253
CHAPTER 10 Mail Policies 255
Overview of Mail Policies 255
How to Enforce Mail Policies on a Per-User Basis 256
Handling Incoming and Outgoing Messages Differently 257
Matching Users to a Mail Policy 257
First Match Wins 258
Examples of Policy Matching 258
Example 1 259
Example 2 259
Example 3 259
Message Splintering 259
Managed Exceptions 261
Configuring Mail Policies 261
Configuring the Default Mail Policy for Incoming or Outgoing Messages 261
Creating a Mail Policy for a Group of Senders and Recipients 262
Defining Senders and Recipients for Mail Policies 262
Examples 264
Finding Which Policies Apply to a Sender or Recipient 265
Managed Exceptions 265
Setting Priority for Message Headers 266
CHAPTER 11 Content Filters 267
Overview of Content Filters 267
How Content Filters Work 267
How to Scan Message Content Using a Content Filter 268
Content Filter Conditions 268
Content Filter Actions 276
Action Variables 283
How to Filter Messages Based on Content 284
Creating a Content Filter 285
Enabling Content Filters for All Recipients by Default 286
Applying the Content Filter to Messages for a Certain User Group 286
Notes on Configuring Content Filters in the GUI 287
CHAPTER 12 Configuring Email Gateway to Consume External Threat Feeds 289
Overview of External Threat Feeds 289
How to Configure Email Gateway to Consume External Threat Feeds 290
Obtaining External Threat Feeds Feature Key 290
Enabling External Threat Feeds Engine on Email Gateway 292
Configuring an External Threat Feed Source 292
Handling Messages Containing Threats 295
Configuring a Sender Group for Handling Messages containing Threats 296
Configuring Content or Message Filters for Handling Messages Containing Threats 296
Detecting Malicious Domains in Messages Using Content Filter 296
Creating Domain Exception List 297
Detecting Malicious Domains in Messages Using Message Filter 297
Detecting Malicious URLs in Messages Using Content Filter 298
Detecting Malicious URLs in Messages Using Message Filter 299
Detecting Malicious Files in Message Attachments Using Content Filter 301
Creating File Hash List 302
Detecting Malicious Files in Messages Attachments Using Message Filter 302
Attaching Content Filter to Incoming Mail Policy 302
External Threat Feeds and Clusters 303
Monitoring External Threat Feeds Engine Updates 303
Viewing Alerts 303
Displaying Threat Details in Message Tracking 304
CHAPTER 13 Sender Domain Reputation Filtering 305
Overview of Sender Domain Reputation Filtering 305
SDR Verdicts 305
How to Filter Messages based on Sender Domain Reputation 307
Enabling Sender Domain Reputation Filtering on Email Gateway 308
Configuring Message or Content Filter for Handling Messages based on Sender Domain Reputation 309
Filtering Messages based on Sender Domain Reputation using Message Filter 309
Filtering Messages based on Sender Domain Reputation using Content Filter 311
Creating Domain Exception List 311
Attaching Content Filter to Incoming Mail Policy 312
Sender Domain Reputation Filtering and Clusters 312
Displaying Sender Domain Reputation Details in Message Tracking 313
Viewing Alerts 313
Viewing Logs 313
Examples of SDR Filtering Log Entries 313
Sender Domain Reputation Authentication Failure 314
Sender Domain Reputation Request Timeout 314
Sender Domain Reputation Invalid Host 314
Sender Domain Reputation General Errors 315
CHAPTER 14 Anti-Virus 317
Anti-Virus Scanning Overview 317
Evaluation Key 318
Scanning Messages with Multiple Anti-Virus Scanning Engines 318
Sophos Anti-Virus Filtering 318
Virus Detection Engine 319
Virus Scanning 319
Detection Methods 319
Pattern Matching 319
Heuristics 320
Emulation 320
Virus Descriptions 320
Sophos Alerts 320
When a Virus is Found 320
McAfee Anti-Virus Filtering 321
Pattern-Matching Virus Signatures 321
Encrypted Polymorphic Virus Detection 321
Heuristics Analysis 321
When a Virus is Found 322
How to Configure the Appliance to Scan for Viruses 322
Enabling Virus Scanning and Configuring Global Settings 323
Configuring Virus Scanning Actions for Users 323
Message Scanning Settings 324
Message Handling Settings 324
Configuring Settings for Message Handling Actions 325
Configuring the Anti-Virus Policies for Different Groups of Senders and Recipients 328
Notes on Anti-Virus Configurations 329
Flow Diagram for Anti-Virus Actions 330
Sending an Email to the Appliance to Test Anti-Virus Scanning 331
Updating Virus Definitions 332
About Retrieving Anti-Virus Updates via HTTP 333
Configuring Update Server Settings 333
Monitoring and Manually Checking for Anti-Virus Updates 333
Manually Updating Anti-Virus Engines 333
Verifying Anti-Virus Files Have Updated on the Appliance 333
CHAPTER 15 Managing Spam and Graymail 335
Overview of Anti-Spam Scanning 335
Anti-Spam Solutions 336
How to Configure the Appliance to Scan Messages for Spam 336
IronPort Anti-Spam Filtering 337
Evaluation Key 337
Cisco Anti-Spam: an Overview 338
Spam Scanning for International Regions 338
Configuring IronPort Anti-Spam Scanning 339
Configuring Intelligent Multi-Scan and Graymail Detection 340
Configuring Cisco Intelligent Multi-Scan 340
Managing Graymail 341
Overview of Graymail 342
Graymail Management Solution in Email Security Appliance 342
How Graymail Management Solution Works 343
Configuring Graymail Detection and Safe Unsubscribing 345
Troubleshooting Graymail Detection and Safe Unsubscribing 349
Configuring Global Settings for Intelligent Multi-Scan and Graymail Detection 350
Defining Anti-Spam Policies 350
Understanding Positive and Suspect Spam Thresholds 353
Configuration Examples: Actions for Positively Identified versus Suspected Spam 354
Unwanted Marketing Messages From Legitimate Sources 354
Using Custom Headers to Redirect URLs in Suspected Spam to the Cisco Web Security Proxy: Configuration Example 354
Enabling Different Anti-Spam Scanning Engines in Different Mail Policies: Configuration Example 355
Protecting Appliance-Generated Messages From the Spam Filter 357
Headers Added During Anti-Spam Scanning 357
Reporting Incorrectly Classified Messages to Cisco 358
How to Report Incorrectly Classified Messages to Cisco 358
How to Report Incorrectly Classified Messages to Cisco 359
Using Cisco Email Security Plug-In 360
Using Cisco Email Submission and Tracking Portal 360
Forwarding Incorrectly Classified Message as an Attachment 361
How to Track Your Submissions 362
Determining Sender IP Address In Deployments with Incoming Relays 362
Example Environments with Incoming Relays 363
Configuring the Appliance to Work with Incoming Relays 364
Enabling the Incoming Relays Feature 364
Adding an Incoming Relay 364
Message Headers for Relayed Messages 366
How Incoming Relays Affect Functionality 369
Incoming Relays and Filters 369
Incoming Relays, HAT, SBRS, and Sender Groups 370
Incoming Relays and Directory Harvest Attack Prevention 370
Incoming Relays and Trace 370
Incoming Relays and Email Security Monitor (Reporting) 370
Incoming Relays and Message Tracking 370
Incoming Relays and Logging 370
Configuring Logs to Specify Which Headers Are Used 371
Monitoring Rules Updates 371
Testing Anti-Spam 372
Sending an Email to the Appliance to Test Cisco Anti-Spam 373
Testing Anti-Spam Configuration: Example Using SMTP 373
Ways Not to Test Anti-Spam Efficacy 374
CHAPTER 16 Outbreak Filters 375
Overview of Outbreak Filters 375
How Outbreak Filters Work 375
Delaying, Redirecting, and Modifying Messages 376
Threat Categories 376
Virus Outbreaks 377
Phishing, Malware Distribution, and Other Non-Viral Threats 377
Cisco Security Intelligence Operations 377
Context Adaptive Scanning Engine 378
Delaying Messages 378
Redirecting URLs 379
Modifying Messages 380
Types of Rules: Adaptive and Outbreak 380
Outbreak Rules 380
Adaptive Rules 380
Outbreaks 381
Threat Levels 381
Guidelines for Setting Your Quarantine Threat Level Threshold 381
Containers: Specific and Always Rules 382
How the Outbreak Filters Feature Works 382
Message Scoring 383
Dynamic Quarantine 383
Outbreak Lifecycle and Rules Publishing 384
Managing Outbreak Filters 385
Configuring Outbreak Filters Global Settings 386
Enabling the Outbreak Filters Feature 386
Enabling Adaptive Rules 387
Enabling Alerts for Outbreak Filters 387
Enabling Logging of URLs and Message Tracking Details for URLs 387
Outbreak Filters Rules 388
Managing Outbreak Filter Rules 388
The Outbreak Filters Feature and Mail Policies 389
Setting a Quarantine Level Threshold 390
Maximum Quarantine Retention 390
Bypassing File Extension Types 390
Message Modification 391
The Outbreak Filters Feature and the Outbreak Quarantine 393
Monitoring the Outbreak Quarantine 393
Outbreak Quarantine and the Manage by Rule Summary View 394
Monitoring Outbreak Filters 395
Outbreak Filters Report 395
Outbreak Filters Overview and Rules Listing 396
Outbreak Quarantine 396
Alerts, SNMP Traps, and Outbreak Filters 396
Troubleshooting The Outbreak Filters Feature 396
Reporting Incorrectly Classified Messages to Cisco 396
Multiple Attachments and Bypassed Filetypes 397
Message and Content Filters and the Email Pipeline 397
CHAPTER 17 Protecting Against Malicious or Undesirable URLs 399
URL-Related Protections and Controls 399