Antispam Graymail and Safe Unsubscribe

CISCO EMAIL SECURITY APPLIANCE
ANTI-SPAM, GRAYMAIL, AND SAFE UNSUBSCRIBE
September 2015
Version 1.0
Adrienne McEwan
Cisco Sales Engineer
THE MOST RECENT VERSION OF THIS DOCUMENT CAN BE FOUND HERE:
https://cisco.com/go/emailsecurity-customer
ESA Incoming and Outgoing Content Filters - Best Practices
PURPOSE OF THIS DOCUMENT
OVERVIEW OF STEPS
STEP 1: CHECK THE FEATURE KEYS
STEP 2: ENABLE IRONPORT ANTI-SPAM GLOBALLY
STEP 3: ENABLE CENTRALIZED SPAM QUARANTINE
STEP 4: CONFIGURE ANTI-SPAM IN POLICIES
STEP 5: ENABLE GRAYMAIL DETECTION AND SAFE UNSUBSCRIBE GLOBALLY
STEP 6: CONFIGURE GRAYMAIL IN POLICIES
NEXT STEPS AND SUMMARY
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.
PURPOSE OF THIS DOCUMENT
Spam and graymail have become commonplace in the email world, and unsubscribing from
these emails can be potentially malicious. Spam is email that arrives in your inbox
unexpected and irrelevant, sent out on a mass scale.
Graymail is email that comes from a mailer that a user has signed up for at some point in
time but is unwanted. A few examples include: requesting a coupon or update to be
emailed to you, signing up for a drawing where you were asked for an email address, or
even handing out your business card at a trade show or conference. Graymail is classified
into three categories: Marketing, Social Networking and Bulk messages.
Both spam and graymail include unsubscribe links. However, users have become wary of
these links because adversaries mimic unsubscribe links and use them as phishing
techniques or even to install malicious code on the user's device. Cisco’s Email Security
(referred to as ESA moving forward regardless of form factor) now includes Safe
Unsubscribe, which provides a uniform interface for end users to unsubscribe from a mailer
in a manner that does not allow them to be phished or infected with malware.
OVERVIEW OF STEPS
This document will provide the steps necessary for you to implement some Best Practices
to combat spam and graymail while using the safe unsubscribe feature. Graymail has two
components – the Graymail Marketing Detection engine and the Safe Unsubscribe feature.
The Graymail Detection engine is included with the Anti-Spam engine and Safe
Unsubscribe requires an additional license. For the purposes of this Best Practices
document we are going to use the Intelligent Multi-Scan feature, which requires an
additional feature key. Safe Unsubscribe also requires a feature key called Graymail Safe
Unsubscribe.
After confirmation that the Intelligent Multi-Scan and Graymail Safe Unsubscribe licenses
have been applied, the features these licenses provide need to be enabled. Starting with
Intelligent Multi-Scan, ensure that the feature is enabled. Next, adjust the Global Settings.
Once Intelligent Multi-Scan is enabled globally, it can be configured per policy.
Positively-Identified Spam and Suspected Spam settings are configured individually, and the
options are to drop, deliver, bounce, or quarantine the message and to prepend text to the
subject line.
Now that Intelligent Multi-Scan has been enabled and configured, ensure that Graymail
detection and Safe Unsubscribing are enabled under the Security Services tab. Once
Graymail Detection and Safe Unsubscribe have been enabled and parameters have been set,
incoming mail policies will need to be configured to utilize these features on a per-policy
basis. Within the policy, there are several options the administrator can determine to utilize.
These include enabling Graymail Detection and Safe Unsubscribe. Safe Unsubscribe is
greyed out if Graymail Detection is not enabled within the policy. Additionally, there are
options to prepend a tag to the subject line, send to an alternate host, drop, deliver, bounce
or quarantine graymail individually based on the graymail category it fits into. Again,
graymail categories include marketing email, social network email, and bulk email.
Advanced options include adding a custom header, sending to an alternate host, and
archiving the message.
STEP 1: CHECKING THE FEATURE KEYS
On the ESA, navigate to: System Administration > Feature Keys
Look for the Intelligent Multi-Scan license and the Graymail Safe Unsubscription license
and make sure they are active.
STEP 2: ENABLE INTELLIGENT MULTI-SCAN GLOBALLY
On the ESA, navigate to: Security Services > Intelligent Multi-Scan
Click the Enable button.
Clicking Edit Global will take you to the following page. Here you can configure multiple
settings. The recommended settings are shown in the image below.
Submit and Commit your changes.
STEP 3: ENABLE CENTRALIZED SPAM QUARANTINE
Since Spam and Graymail have the option to be sent to quarantine, it is important to ensure that the
Spam Quarantine is set up.
Navigate to:
Security Services > Spam Quarantine
Clicking the Configure button will take you to the following page. Here you can enable the
quarantine by checking the enable box and point the quarantine to be centralized on the M-series
Management appliance by filling in the M-series Name and IP address. The recommended
settings are shown below.
Submit and Commit your changes.
For more information on setting up and centralizing quarantines, please refer to the Best
Practices document and video that can be found in the following link:
https://cisco.com/go/emailsecurity-customer
STEP 4: CONFIGURE ANTI-SPAM IN POLICIES
Once Intelligent Multi-Scan has been configured globally, you can now apply Intelligent
Multi-Scan to mail policies.
Navigate to:
Mail Policies > Incoming Mail Policies
The Incoming Mail Policies will use the global Anti-Spam settings by default. Clicking the blue
link under Anti-Spam will allow for that particular policy to use customized Anti-Spam settings.
Below you will see an example that shows the Default Policy using customized Anti-Spam settings.
Customize Anti-Spam settings for an Incoming Mail Policy:
Click the blue link under Anti-Spam for the policy you wish to customize. You will be
brought to the following page.
Here you can select the Anti-Spam Scanning option you wish to enable for this policy. You
can choose the Default global policy, the IronPort Anti-Spam service, IronPort Intelligent
Multi-Scan, or you can choose to disable anti-spam from this policy. For the purposes of
this Best Practice document, click the radio button next to Use IronPort Intelligent
Multi-Scan.
The next two sections include Positively-Identified Spam Settings and Suspected Spam
Settings. They are configured individually from each other but include the same options.
Positively-Identified Spam is email that is known spam. Suspected Spam is email that has
characteristics of spam, but has not been confirmed as spam yet. To configure
Positively-Identified Spam Settings and Suspected Spam Settings, ensure that Use IronPort
Intelligent Multi-Scan is selected. Also, please note that the option to enable or disable
suspected spam scanning is available by selecting the radio button in the section for
Suspected Spam Settings.
Emails identified as positively identified spam and suspected spam can be delivered,
dropped, sent to spam quarantine, or bounced with an additional option to send to an
alternate host. Text can be either prepended or appended to the subject line to indicate to
the recipient that the email is known to be spam or suspected spam. The default is [SPAM]
for positively identified spam and [SUSPECTED SPAM] for suspected spam. These
messages can be changed to correspond with company policy or be removed by selecting
None from the dropdown menu.
Clicking the blue Advanced link in each section will provide more options which include
the ability to add a custom header and a value associated with it, send to an alternate
envelope recipient, and the ability to archive the message. Advanced options look like the
picture below:
Spam Thresholds settings can be changed. The options are to use the default thresholds or
use custom settings, which can be configured for positively identified spam and suspected
spam. The recommended settings are to customize the settings and set the Positively
Identified Spam score to 90 and the Suspected Spam score to 43.
Click Submit and Commit.
STEP 5: ENABLE GRAYMAIL DETECTION AND SAFE UNSUBSCRIBE GLOBALLY
Navigate to:
Security Services > Graymail Detection and Safe Unsubscribe
Click Edit Global Settings to enable Graymail detection and Safe Unsubscribing.
Check the box to Enable Graymail Detection and edit the Maximum Message Size to Scan and
Timeout for Scanning Single Message. The recommended defaults are listed.
Click Submit and Commit.
STEP 6: CONFIGURE GRAYMAIL IN POLICIES
Once Graymail and Safe Unsubscribe have been configured globally, you can now apply
Graymail to mail policies.
Navigate to:
Mail Policies > Incoming Mail Policies
The Incoming Mail Policies will use the global Graymail settings by default. Clicking the blue link
under Graymail will allow for that particular policy to use customized Graymail settings.
Customize Graymail and Safe Unsubscribe settings for an Incoming Mail Policy:
Click the blue link under Graymail for the policy you wish to customize. You will be
brought to the following page. The recommended settings are shown.
Here you can select the Graymail Settings you wish to enable for this policy. The
recommended settings are:
Enable Graymail Detection for This Policy: Yes
Enable Graymail Unsubscribing for this Policy: Yes
Perform this action for: “All Messages”
The next three sections include Action on Marketing Email Settings, Action on Social
Network Email Settings, and Action on Bulk Email Settings. They are configured
individually from each other but include the same options. Marketing email is email that is
sent by professional marketing groups. Social Networking emails are emails from social
networks, dating sites, forums, and other similar sites. Bulk email is email that is sent by an
unrecognized marketing group. Configuration of these sections is greyed out if the default
global setting is selected or if Graymail Detection has been disabled for this policy. To
configure Marketing Email Settings, Social Network Email Settings, and/or Bulk Email
Settings ensure that Yes is selected for Enable Graymail Detection for This Policy and then
check the box for the Graymail category you wish to configure.
Emails identified as Marketing emails, Social Networking email, or Bulk email can be
delivered, dropped, sent to spam quarantine, or bounced with an additional option to send
to an alternate host. Text can be either prepended or appended to the subject line to indicate
to the recipient that the email is categorized as Marketing email, Social Network email, or
Bulk email. The default is [MARKETING] for Marketing email, [SOCIAL NETWORK]
for Social Network email, and [BULK] for Bulk email. These messages can be changed to
correspond with company policy or be removed by selecting No.
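To confirm after rollout that the policies tag mail as intended, the following added example (not part of the original Cisco document) tallies verdicts from the default subject tags listed above for spam and graymail. It assumes the tags were left at their defaults and that messages are available as raw RFC 5322 bytes, for example exported from a test mailbox; the sample messages are constructed.

```python
import email
from collections import Counter
from email import policy

# Default subject tags named in this document, mapped to a verdict label.
DEFAULT_TAGS = {
    "[SPAM]": "spam",
    "[SUSPECTED SPAM]": "suspected_spam",
    "[MARKETING]": "marketing",
    "[SOCIAL NETWORK]": "social_network",
    "[BULK]": "bulk",
}

def classify_subject(subject, tags=DEFAULT_TAGS):
    """Return the verdict for a tag at the start or end of the subject, else None."""
    text = " ".join((subject or "").split())  # normalise whitespace left by header folding
    for tag, verdict in tags.items():
        # Tags are prepended or appended, so a tag anywhere else in the
        # subject (e.g. "RE: [SPAM] ...") is not counted.
        if text.startswith(tag) or text.endswith(tag):
            return verdict
    return None

def tally(raw_messages, tags=DEFAULT_TAGS):
    """Count verdicts across raw RFC 5322 messages (bytes)."""
    counts = Counter()
    for raw in raw_messages:
        # policy.default decodes RFC 2047 encoded-word subjects.
        msg = email.message_from_bytes(raw, policy=policy.default)
        counts[classify_subject(msg["Subject"], tags) or "untagged"] += 1
    return counts

# Constructed sample messages, not real traffic.
SAMPLES = [
    b"From: a@example.com\r\nSubject: [SPAM] You have won\r\n\r\nbody\r\n",
    b"From: b@example.com\r\nSubject: [SUSPECTED SPAM] Invoice attached\r\n\r\nbody\r\n",
    b"From: c@example.com\r\nSubject: =?utf-8?q?=5BMARKETING=5D_Spring_sale?=\r\n\r\nbody\r\n",
    b"From: d@example.com\r\nSubject: Your weekly digest [SOCIAL NETWORK]\r\n\r\nbody\r\n",
    b"From: e@example.com\r\nSubject: RE: [SPAM] You have won\r\n\r\nbody\r\n",
    b"From: f@example.com\r\nSubject: Meeting notes\r\n\r\nbody\r\n",
]

if __name__ == "__main__":
    for verdict, count in sorted(tally(SAMPLES).items()):
        print(f"{verdict}: {count}")
```

If the tags were changed to match company policy, pass a matching dictionary as the `tags` argument.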
Clicking the blue Advanced link in each section will provide more options which include
the ability to add a custom header and a value associated with it, send to an alternate
envelope recipient, and the ability to archive the message. Advanced options look like the
picture below:
Click Submit and Commit.
Graymail detection should remain disabled for Outgoing Mail Policy.
NEXT STEPS AND SUMMARY
You have now implemented initial Best Practices for Incoming Anti-Spam, Graymail, and
Safe Unsubscribe. You can now go to the Monitor page and add charts for your
convenience. Some charts that may be of interest related to this document include
Incoming Mail > Top Senders by Graymail Messages, Internal Users > Top Users by
Graymail, URL Filtering > Top URLs in Incoming Spam Messages, URL Filtering >
Summary of Top URLs in Incoming Spam Messages and anything else that may be of
interest.
Click Submit and Commit.