antispam graymail and safe unsubscribe

CISCO EMAIL SECURITY APPLIANCE ANTI-SPAM, GRAYMAIL, AND SAFE UNSUBSCRIBE

September 2015 Version 1.0

Adrienne McEwan, Cisco Sales Engineer

THE MOST RECENT VERSION OF THIS DOCUMENT CAN BE FOUND HERE: https://cisco.com/go/emailsecurity-customer


ESA Incoming and Outgoing Content Filters - Best Practices

2015 Cisco and/or its affiliates. All rights reserved. This document is Customer facing.

PURPOSE OF THIS DOCUMENT

OVERVIEW OF STEPS

STEP 1: CHECK THE FEATURE KEYS

STEP 2: ENABLE IRONPORT ANTI-SPAM GLOBALLY

STEP 3: ENABLE CENTRALIZED SPAM QUARANTINE

STEP 4: CONFIGURE ANTI-SPAM IN POLICIES

STEP 5: ENABLE GRAYMAIL DETECTION AND SAFE UNSUBSCRIBE GLOBALLY

STEP 6: CONFIGURE GRAYMAIL IN POLICIES

NEXT STEPS AND SUMMARY


PURPOSE OF THIS DOCUMENT

Spam and graymail have become commonplace in the email world, and the unsubscribe links in these emails can be malicious. Spam refers to unexpected and irrelevant emails that are sent out on a mass scale and arrive in your inbox. Graymail is email that comes from a mailer that a user signed up for at some point in time but that is now unwanted. A few examples include: requesting a coupon or update to be emailed to you, signing up for a drawing where you were asked for an email address, or even handing out your business card at a trade show or conference. Graymail is classified into three categories: Marketing, Social Networking, and Bulk messages.

Both spam and graymail include unsubscribe links. However, users have become wary of these links because adversaries mimic unsubscribe links and use them as phishing techniques or even to install malicious code on the user's device. Cisco's Email Security (referred to as ESA moving forward regardless of form factor) now includes Safe Unsubscribe, which provides a uniform interface for end users to unsubscribe from a mailer in a manner that does not allow them to be phished or infected with malware.

OVERVIEW OF STEPS

This document provides the steps necessary to implement some Best Practices to combat spam and graymail while using the Safe Unsubscribe feature. Graymail has two components: the Graymail Marketing Detection engine and the Safe Unsubscribe feature. The Graymail Detection engine is included with the Anti-Spam engine, and Safe Unsubscribe requires an additional license. For the purposes of this Best Practices document we are going to use the Intelligent Multi-Scan feature, which requires an additional feature key. Safe Unsubscribe also requires a feature key called Graymail Safe Unsubscribe.

After confirmation that the Intelligent Multi-Scan and Graymail Safe Unsubscribe licenses have been applied, the features these licenses provide need to be enabled. Starting with Intelligent Multi-Scan, ensure that the feature is enabled. Next, adjust the Global Settings. Once Intelligent Multi-Scan is enabled globally, it can be configured per policy. Positively-Identified Spam and Suspected Spam settings are configured individually, and the options include dropping, delivering, bouncing, or quarantining the message and prepending a tag to the subject line.

Now that Intelligent Multi-Scan has been enabled and configured, ensure that Graymail Detection and Safe Unsubscribing are enabled under the Security Services tab. Once Graymail Detection and Safe Unsubscribe have been enabled and parameters have been set, incoming mail policies will need to be configured to use these features on a per-policy basis. Within the policy, there are several options the administrator can choose to use. These include enabling Graymail Detection and Safe Unsubscribe. Safe Unsubscribe is greyed out if Graymail Detection is not enabled within the policy. Additionally, there are options to prepend a tag to the subject line, send to an alternate host, drop, deliver, bounce, or quarantine graymail individually based on the graymail category it fits into. Again, graymail categories include marketing email, social network email, and bulk email. Advanced options include adding a custom header, sending to an alternate host, and archiving the message.

ESA: Incoming Mail: Anti-Spam, Graymail, and Safe Unsubscribe Best Practices

STEP 1: CHECKING THE FEATURE KEYS

Checking the Feature Keys: On the ESA, navigate to: System Administration > Feature Keys.

Look for the Intelligent Multi-Scan license and the Graymail Safe Unsubscription license and make sure they are active.

STEP 2: ENABLE INTELLIGENT MULTI-SCAN GLOBALLY

On the ESA, navigate to: Security Services > Intelligent Multi-Scan.

Click the Enable button. Clicking Edit Global will take you to the following page. Here you can configure multiple settings. The recommended settings are shown in the image below.

Submit and Commit your changes.


STEP 3: ENABLE CENTRALIZED SPAM QUARANTINE

Since spam and graymail can be sent to quarantine, it is important to ensure that the Spam Quarantine is set up. Navigate to: Security Services > Spam Quarantine.

Clicking the Configure button will take you to the following page. Here you can enable the quarantine by checking the enable box, and point the quarantine to be centralized on the M-series Management appliance by filling in the M-series Name and IP address. The recommended settings are shown below.

Submit and Commit your changes. For more information on setting up and centralizing quarantines, please refer to the Best Practices document and video that can be found in the following link: https://cisco.com/go/emailsecurity-customer

STEP 4: CONFIGURE ANTI-SPAM IN POLICIES

Once Intelligent Multi-Scan has been configured globally, you can now apply Intelligent Multi-Scan to mail policies. Navigate to: Mail Policies > Incoming Mail Policies.


The Incoming Mail Policies will use the global Anti-Spam settings by default. Clicking the blue link under Anti-Spam will allow for that particular policy to use customized Anti-Spam settings. Below you will see an example that shows the Default Policy using customized Anti-Spam settings.

Customize Anti-Spam settings for an Incoming Mail Policy: Click the blue link under Anti-Spam for the policy you wish to customize. You will be brought to the following page.


Here you can select the Anti-Spam Scanning option you wish to enable for this policy. You can choose the Default global policy, the IronPort Anti-Spam service, IronPort Intelligent Multi-Scan, or you can choose to disable anti-spam for this policy. For the purposes of this Best Practice document, click the radio button next to Use IronPort Intelligent Multi-Scan.

The next two sections include Positively-Identified Spam Settings and Suspected Spam Settings. They are configured independently of each other but include the same options. Positively-Identified Spam is email that is known spam. Suspected Spam is email that has characteristics of spam but has not yet been confirmed as spam. To configure Positively-Identified Spam Settings and Suspected Spam Settings, ensure that Use IronPort Intelligent Multi-Scan is selected. Also, please note that the option to enable or disable suspected spam scanning is available by selecting the radio button in the section for Suspected Spam Settings.

Emails identified as positively identified spam and suspected spam can be delivered, dropped, sent to spam quarantine, or bounced, with an additional option to send to an alternate host. Text can be either prepended or appended to the subject line to indicate to the recipient that the email is known to be spam or suspected spam. The default is [SPAM] for positively identified spam and [SUSPECTED SPAM] for suspected spam. These messages can be changed to correspond with company policy or be removed by selecting None from the dropdown menu.


Clicking the blue Advanced link in each section will provide more options which include the ability to add a custom header and a value associated with it, send to an alternate envelope recipient, and the ability to archive the message. Advanced options look like the picture below:

Spam Thresholds settings can be changed. The options are to use the default thresholds or use custom settings, which can be configured for positively identified spam and suspected spam. The recommended settings are to customize the settings and set the Positively Identified Spam score to 90 and the Suspected Spam score to 43. Click Submit and Commit.

STEP 5: ENABLE GRAYMAIL DETECTION AND SAFE UNSUBSCRIBE GLOBALLY

Navigate to: Security Services > Graymail Detection and Safe Unsubscribe.

Click Edit Global Settings to enable Graymail detection and Safe Unsubscribing.


Check the box to Enable Graymail Detection and edit the Maximum Message Size to Scan and Timeout for Scanning Single Message. The recommended defaults are listed.

Click Submit and Commit.

STEP 6: CONFIGURE GRAYMAIL IN POLICIES

Once Graymail and Safe Unsubscribe have been configured globally, you can now apply Graymail to mail policies. Navigate to: Mail Policies > Incoming Mail Policies.

The Incoming Mail Policies will use the global Graymail settings by default. Clicking the blue link under Graymail will allow for that particular policy to use customized Graymail settings.


Customize Graymail and Safe Unsubscribe settings for an Incoming Mail Policy: Click the blue link under Graymail for the policy you wish to customize. You will be brought to the following page. The recommended settings are shown.

Here you can select the Graymail Settings you wish to enable for this policy. The recommended settings are:

Enable Graymail Detection for This Policy: Yes
Enable Graymail Unsubscribing for this Policy: Yes
Perform this action for: “All Messages”

The next three sections include Action on Marketing Email Settings, Action on Social Network Email Settings, and Action on Bulk Email Settings. They are configured independently of each other but include the same options. Marketing email is email that is sent by professional marketing groups. Social Networking emails are emails from social networks, dating sites, forums, and other similar sites. Bulk email is email that is sent by an unrecognized marketing group. Configuration of these sections is greyed out if the default global setting is selected or if Graymail Detection has been disabled for this policy. To configure Marketing Email Settings, Social Network Email Settings, and/or Bulk Email Settings, ensure that Yes is selected for Enable Graymail Detection for This Policy and then check the box for the Graymail category you wish to configure.

Emails identified as Marketing email, Social Network email, or Bulk email can be delivered, dropped, sent to spam quarantine, or bounced, with an additional option to send to an alternate host. Text can be either prepended or appended to the subject line to indicate to the recipient that the email is categorized as Marketing email, Social Network email, or Bulk email. The default is [MARKETING] for Marketing email, [SOCIAL NETWORK] for Social Network email, and [BULK] for Bulk email. These messages can be changed to correspond with company policy or be removed by selecting No.

Clicking the blue Advanced link in each section will provide more options which include the ability to add a custom header and a value associated with it, send to an alternate envelope recipient, and the ability to archive the message. Advanced options look like the picture below:

Click Submit and Commit. Graymail detection should remain disabled for Outgoing Mail Policy.
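A post-rollout check for the subject tagging configured in Steps 4 and 6, as an added example that is not part of the original document or Cisco's own code: it reads a sample of delivered messages and tallies how many carry each default tag at the start or end of the Subject. The function names and the sample messages are constructed for illustration; only the five default tag strings come from the text above.

```python
from collections import Counter
from email import message_from_string, policy

# Default subject tags named in this document, mapped to the verdict they mark.
# If the tags were changed to match company policy, pass your own mapping.
DEFAULT_TAGS = {
    "[SPAM]": "positively-identified spam",
    "[SUSPECTED SPAM]": "suspected spam",
    "[MARKETING]": "marketing",
    "[SOCIAL NETWORK]": "social network",
    "[BULK]": "bulk",
}

def verdict_from_subject(raw_message, tags=DEFAULT_TAGS):
    """Return (verdict, position) for a tagged message, or (None, None).

    Only a tag at the very start or very end of the decoded Subject counts,
    because the policy either prepends or appends it. A tag buried mid-subject
    (for example after "Re:") is not treated as a verdict on this message.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip()  # policy.default decodes RFC 2047
    upper = subject.upper()
    for tag, verdict in tags.items():
        if upper.startswith(tag):
            return verdict, "prepended"
        if upper.endswith(tag):
            return verdict, "appended"
    return None, None

def tally(raw_messages):
    """Count verdicts across a mailbox sample; untagged mail is 'untagged'."""
    return Counter(verdict_from_subject(m)[0] or "untagged" for m in raw_messages)

# Constructed sample messages (not real mail), one per case.
SAMPLES = [
    "From: a@example.com\nSubject: [SPAM] You won\n\nbody\n",
    "From: b@example.com\nSubject: Invoice attached [SUSPECTED SPAM]\n\nbody\n",
    "From: c@example.com\nSubject: =?utf-8?q?=5BMARKETING=5D_Spring_sale?=\n\nbody\n",
    "From: d@example.com\nSubject: Re: [BULK] newsletter\n\nbody\n",
    "From: e@example.com\nSubject: Lunch on Friday?\n\nbody\n",
]

if __name__ == "__main__":
    for verdict, count in sorted(tally(SAMPLES).items()):
        print(f"{verdict}: {count}")
```

A subject tag is text that any sender can also type, so treat this tally as a check that the policy is tagging mail, not as proof of a verdict on an individual message.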

NEXT STEPS AND SUMMARY

You have now implemented initial Best Practices for Incoming Anti-Spam, Graymail, and Safe Unsubscribe. You can now go to the Monitor page and add charts for your convenience. Some charts related to this document that may be of interest include Incoming Mail > Top Senders by Graymail Messages, Internal Users > Top Users by Graymail, URL Filtering > Top URLs in Incoming Spam Messages, and URL Filtering > Summary of Top URLs in Incoming Spam Messages, along with anything else that may be of interest. Click Submit and Commit.