Best Practice Guide for Anti-Spam - Cisco


Best Practice Guide for Anti-Spam, Anti-Virus, Graymail and Outbreak Filters

Contents

Overview
Anti-Spam
  Verify feature key
  Enable Intelligent Multi-Scan (IMS) globally
  Enable centralized spam quarantine
  Configure Anti-Spam in policies
Anti-Virus
  Verify feature keys
  Enable Anti-Virus scanning
  Configure Anti-Virus in mail policies
Graymail
  Verify feature key
  Enable Graymail and Safe Unsubscribe services
  Configure Graymail and Safe Unsubscribe in policies
Outbreak Filters
  Verify feature key
  Enable Outbreak Filters service
  Configure Outbreak Filters in policies
Conclusion

Overview

The vast majority of threats, attacks, and nuisances that reach an organization through email come in the form of spam, malware, and blended attacks. Cisco's Email Security Appliance (ESA) includes several technologies and features to stop these threats at the gateway before they enter the organization. This document describes the best practice approach to configuring Anti-Spam, Anti-Virus, Graymail and Outbreak Filters on both the inbound and the outbound email flow.

Anti-Spam

Anti-Spam protection addresses a full range of known threats including spam, phishing and zombie attacks, as well as hard-to-detect, low-volume, short-lived email threats such as "419" scams. In addition, Anti-Spam protection identifies new and evolving blended threats such as spam campaigns that distribute malicious content through a download URL or an executable attachment.

Cisco Email Security offers two anti-spam solutions:

- IronPort Anti-Spam Filtering (IPAS)
- Cisco Intelligent Multi-Scan Filtering (IMS)

You can license and enable both solutions on your ESA, but a given mail policy can use only one of them. This best practice document uses the IMS feature.

Verify feature key

1. On the ESA, navigate to System Administration > Feature Keys.
2. Look for the Intelligent Multi-Scan license and make sure it is active.

Enable Intelligent Multi-Scan (IMS) globally

1. On the ESA, navigate to Security Services > IMS and Graymail.
2. Click the Enable button under IMS Global Settings.
3. Under Common Global Settings, click Edit Global Settings. Several settings can be configured here; the recommended settings are shown in the image below.
4. Click Submit and Commit your changes.

If you do not have an IMS license subscription, enable IronPort Anti-Spam instead:

1. Navigate to Security Services > IronPort Anti-Spam.
2. Click the Enable button under IronPort Anti-Spam Overview.
3. Click Edit Global Settings. Several settings can be configured here; the recommended settings are shown in the image below.

Cisco recommends the Aggressive scanning profile for customers who want a strong emphasis on blocking spam, at the cost of a higher false-positive rate than the Normal profile.

4. Click Submit and Commit your changes.

Enable centralized spam quarantine

Because the recommended Anti-Spam action for positively identified spam is Quarantine, the spam quarantine must be set up first:

1. Navigate to Security Services > Spam Quarantine.
2. Click the Configure button.
3. On the page that opens, check the Enable box. To centralize the quarantine on a Security Management Appliance (SMA), fill in the SMA name and IP address. The recommended settings are shown below.
4. Click Submit and Commit your changes.

For more information on setting up centralized quarantines, refer to the best practices document "Best Practices for Centralized Policy, Virus and Outbreak Quarantines Setup, and Migration from ESA to SMA".

Configure Anti-Spam in policies

Once Intelligent Multi-Scan has been configured globally, you can apply it to mail policies:

1. Navigate to Mail Policies > Incoming Mail Policies. Incoming Mail Policies use the IronPort Anti-Spam settings by default.
2. Click the blue link under Anti-Spam for the policy you wish to customize; this lets that policy use its own Anti-Spam settings rather than the defaults. The example below shows the Default Policy using customized Anti-Spam settings.
3. Select the Anti-Spam scanning option you wish to enable for this policy.

4. For the purposes of this document, click the radio button next to Use IronPort Intelligent Multi-Scan.
5. The next two sections are Positively-Identified Spam Settings and Suspected Spam Settings. The recommended best practice is:
   - Positively-Identified Spam: action Quarantine, with the text [SPAM] prepended to the subject.
   - Suspected Spam: action Deliver, with the text [SUSPECTED SPAM] prepended to the subject.
6. The spam thresholds can be changed. The recommended settings are a Positively-Identified Spam score of 90 and a Suspected Spam score of 43. Lowering either threshold catches more spam but increases false positives, which is why suspected spam is delivered (tagged) rather than quarantined.
7. Click Submit and Commit your changes.

Anti-Virus

Anti-Virus protection is provided through two third-party engines, Sophos and McAfee. These engines detect known malware and, as configured in the mail policy, drop, repair or quarantine the affected messages.

Verify feature keys

To check that both feature keys are enabled and active:

1. Go to System Administration > Feature Keys.
2. Make sure both the Sophos Anti-Virus and the McAfee licenses are active.

Enable Anti-Virus scanning

1. Navigate to Security Services > Anti-Virus - Sophos.
2. Click the Enable button.
3. Make sure Automatic Update is enabled and that the Sophos Anti-Virus definition updates are succeeding. If necessary, click Update Now to start an update immediately.
4. Click Submit and Commit your changes.

If the McAfee license is active as well:

1. Navigate to Security Services > Anti-Virus - McAfee.
2. Click the Enable button.
3. Make sure Automatic Update is enabled and that the McAfee Anti-Virus definition updates are succeeding. If necessary, click Update Now to start an update immediately.
4. Click Submit and Commit your changes.

Configure Anti-Virus in mail policies

On an Incoming Mail Policy, the following is recommended:

1. Navigate to Mail Policies > Incoming Mail Policies.
2. Click the blue link under Anti-Virus for the policy you wish to customize.
3. Select the Anti-Virus scanning option you wish to enable for this policy. For the purposes of this document, select both McAfee and Sophos Anti-Virus.
4. No attempt is made to repair infected files, so Message Scanning remains Scan for Viruses only.

5. The recommended action for both Encrypted Messages and Unscannable Messages is Deliver As Is, with a modified subject line so that the recipient is warned that the content could not be scanned.
6. The recommended action for Virus-Infected Messages is Drop, as shown in the image below.
7. Click Submit and Commit your changes.

A similar policy is recommended for Outgoing Mail Policies; however, do not modify the subject line on outbound email.

Graymail

The graymail management solution in the Email Security Appliance comprises two components: an integrated graymail scanning engine and a cloud-based Unsubscribe Service. It lets an organization identify graymail with the integrated engine, apply the appropriate policy controls, and give end users an easy mechanism to unsubscribe from unwanted messages through the Unsubscribe Service.

Graymail categories are marketing email, social network email and bulk email. Advanced options include adding a custom header, sending to an alternate host and archiving the message. For this best practice, Graymail detection and the Safe Unsubscribe feature are enabled on the default incoming mail policy.

Verify feature key

1. On the ESA, navigate to System Administration > Feature Keys.
2. Look for Graymail Safe Unsubscription and make sure it is active.

Enable Graymail and Safe Unsubscribe services

1. On the ESA, navigate to Security Services > IMS and Graymail.
2. Click the Edit Graymail Settings button under Graymail Global Settings.
3. Select all three options: Enable Graymail Detection, Enable Safe Unsubscribe and Enable Automatic Updates.
4. Click Submit and Commit your changes.

Configure Graymail and Safe Unsubscribe in policies

Once Graymail and Safe Unsubscribe have been configured globally, you can apply these services to mail policies:

1. Navigate to Mail Policies > Incoming Mail Policies.
2. Click the blue link under Graymail for the policy you wish to customize; this lets that policy use its own Graymail settings.
3. Select the Graymail options you wish to enable for this policy. For the purposes of this document, select Enable Graymail Detection for This Policy and Enable Graymail Unsubscribing for This Policy.
4. The next three sections are Action on Marketing Email Settings, Action on Social Network Email Settings and Action on Bulk Email Settings. The recommended best practice is to enable all three and leave the action as Deliver, with text identifying the category prepended to the subject, as shown below.

5. Click Submit and Commit your changes.

On the Outgoing Mail Policy, leave Graymail disabled.

Outbreak Filters

Outbreak Filters combine triggers in the Anti-Spam engine, URL scanning and detection technologies, and other signals to tag messages that fall outside the true spam category, for example phishing and scam emails, and handle them appropriately with user notifications or quarantine.

Verify feature key

1. On the ESA, navigate to System Administration > Feature Keys.
2. Look for Outbreak Filters and make sure it is active.

Enable Outbreak Filters service

1. On the ESA, navigate to Security Services > Outbreak Filters.
2. Click the Enable button under Outbreak Filters Overview. Several settings can be configured here; the recommended settings are shown in the image below.
3. Click Submit and Commit your changes.

Configure Outbreak Filters in policies

Once Outbreak Filters has been configured globally, you can apply this feature to mail policies:

1. Navigate to Mail Policies > Incoming Mail Policies.
2. Click the blue link under Outbreak Filters for the policy you wish to customize; this lets that policy use its own Outbreak Filters settings. For the purposes of this document, the Outbreak Filter settings are kept at their default values.
3. Outbreak Filters can rewrite URLs that are deemed malicious, suspect or phishing so that clicks are routed through Cisco's web security proxy rather than straight to the original site. Select Enable message modification to detect and rewrite URL-based threats.
4. Make sure the URL Rewriting option is set to Enable for all messages, as shown below.
5. Click Submit and Commit your changes.

On the Outgoing Mail Policy, leave Outbreak Filters disabled.

Conclusion

This document describes the default, or best practice, configurations for Anti-Spam, Anti-Virus, Graymail and Outbreak Filters in the Email Security Appliance (ESA). All of these filters are available on both the incoming and the outgoing mail policies. Anti-Spam and Anti-Virus are recommended on both: while the bulk of the protection is for inbound mail, filtering the outbound flow protects against relayed email and internal compromise. Graymail and Outbreak Filters, as configured above, stay enabled on inbound policies only, and subject-line tagging is not applied on outbound mail.
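The guide spreads the recommended actions over four sections and two mail-policy directions, so it is easy to lose track of what a given message ends up as. The following Python model, added here as an illustration and not ESA or Cisco code, encodes the recommendations above (IMS thresholds 90/43 with quarantine and [SPAM]/[SUSPECTED SPAM] tagging, drop on infected, deliver-as-is with a marked subject on encrypted or unscannable, graymail tagging and URL rewriting inbound only, no subject changes outbound) and applies them to constructed engine verdicts. It assumes that every engine is evaluated and the most severe action wins, that the graymail subject tags read [MARKETING], [SOCIAL NETWORK] and [BULK], and that the encrypted/unscannable subject marker reads [WARNING: ...]; the guide does not fix any of that wording, and the ESA's actual pipeline order and verdict handling may differ.

```python
"""Model of the mail-policy actions recommended in this guide (added illustration, not ESA code).

Engine verdicts are supplied as input; no scanning happens here. The point is to make
the inbound/outbound differences and the order of subject tagging visible and testable.
"""
from dataclasses import dataclass, field
from typing import List, Optional

POSITIVE_SPAM_THRESHOLD = 90   # recommended Positively-Identified Spam score
SUSPECTED_SPAM_THRESHOLD = 43  # recommended Suspected Spam score

# Assumed tag wording; the guide only says "prepended text ... in respect to the categories".
GRAYMAIL_TAGS = {
    "marketing": "[MARKETING]",
    "social": "[SOCIAL NETWORK]",
    "bulk": "[BULK]",
}


@dataclass
class Verdicts:
    """Constructed engine results for one message (stand-ins for IMS, AV and Graymail output)."""
    subject: str
    spam_score: int                      # 0-100 as reported by the anti-spam engine
    av_result: str                       # "clean", "infected", "encrypted" or "unscannable"
    graymail: Optional[str] = None       # "marketing", "social", "bulk" or None
    outbreak_urls_flagged: bool = False  # Outbreak Filters rated a URL malicious/suspect/phish


@dataclass
class Disposition:
    action: str                          # "deliver", "quarantine" or "drop"
    subject: str
    rewrite_urls: bool = False
    notes: List[str] = field(default_factory=list)


def apply_policy(v: Verdicts, direction: str = "inbound") -> Disposition:
    """Return the disposition the recommended incoming or outgoing policy would produce."""
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    d = Disposition(action="deliver", subject=v.subject)
    modify_subject = direction == "inbound"  # guide: no subject-line changes on outbound mail

    # Anti-Spam (IMS): the positive threshold is tested first, so a score of 95 never
    # receives the weaker [SUSPECTED SPAM] treatment.
    if v.spam_score >= POSITIVE_SPAM_THRESHOLD:
        d.action = "quarantine"
        if modify_subject:
            d.subject = "[SPAM] " + d.subject
        d.notes.append("anti-spam: positively identified, quarantined")
    elif v.spam_score >= SUSPECTED_SPAM_THRESHOLD:
        if modify_subject:
            d.subject = "[SUSPECTED SPAM] " + d.subject
        d.notes.append("anti-spam: suspected, delivered tagged")

    # Anti-Virus (Sophos + McAfee): infected messages are dropped whatever else was found
    # (assumption: drop is the most severe action and wins). Encrypted and unscannable
    # messages are delivered as-is with a marked subject so the recipient is warned.
    if v.av_result == "infected":
        return Disposition("drop", v.subject, False, d.notes + ["anti-virus: infected, dropped"])
    if v.av_result in ("encrypted", "unscannable"):
        if modify_subject:
            d.subject = f"[WARNING: {v.av_result.upper()}] " + d.subject  # assumed wording
        d.notes.append(f"anti-virus: {v.av_result}, delivered as is")

    # Graymail and Outbreak Filters are left disabled on the outgoing policy in this guide.
    if direction == "inbound":
        if v.graymail in GRAYMAIL_TAGS:
            d.subject = GRAYMAIL_TAGS[v.graymail] + " " + d.subject
            d.notes.append(f"graymail: {v.graymail}, delivered tagged")
        if v.outbreak_urls_flagged:
            d.rewrite_urls = True
            d.notes.append("outbreak filters: URLs rewritten")
    return d


if __name__ == "__main__":
    # Constructed sample verdicts, not real mail.
    samples = [
        Verdicts("Invoice attached", spam_score=95, av_result="clean"),
        Verdicts("Weekly deals", spam_score=50, av_result="clean", graymail="bulk", outbreak_urls_flagged=True),
        Verdicts("Your document", spam_score=20, av_result="infected"),
        Verdicts("Q3 report", spam_score=50, av_result="unscannable", graymail="bulk"),
    ]
    for s in samples:
        for direction in ("inbound", "outbound"):
            r = apply_policy(s, direction)
            print(f"{direction:8} {r.action:10} {r.subject!r:40} urls_rewritten={r.rewrite_urls} {r.notes}")
```

Run it once with your own thresholds and tag strings substituted to confirm the policy you have committed behaves the way the guide intends, in particular that outbound mail never picks up a subject tag and that a positively identified score never falls through to the suspected branch.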
