Adding external SPAM quarantine on C370

Hi,
I have C370 with Internal SPAM quarantine up and working.
Now, we need to use M160 as external SPAM, I have configured both devices and we are waiting for maintenance window to cutover.
I have one question about it:
Documents are saying that I need to disable local one (easy, under C370 quarantines, I will go to SPAM and uncheck enable box) but it is a little unclear what comes after that.
My mail policy will change to deliver or not? If it does, should I put IP address of M160 to Alternate Host, and if I do, will it use port 6025 as configured or 25 for SMTP?
Since I have external SPAM already configured, shouldn't my mail policy stay that all SPAM & SPAM suspected should still be quarantined?
Bottom line is, what should be in my mail policy?
Thanks.
David

Hello David,
Before configuring an external spam quarantine, please ensure that the Security Management Appliance (M160) is configured to receive quarantined spam messages from this appliance. Once that has been configured, not only will you disable the local Spam Quarantine in your C370 (GUI: Monitor tab > Quarantines), but you will need to add an External Quarantine (C370 GUI: Network tab). The IP address that you add as the External Quarantine will be the IP address of the interface that you would have configured on your Security Management Appliance as the default Spam Quarantine interface.
You will not need to change your Mail Policies' Anti-Spam settings. Spam, Suspect Spam, etc. will continue to be routed to whichever quarantine the C370 is currently set to use. The port number that is used (6025, by default) was determined when you configured an interface on your Security Management Appliance to accept spam from the C370.
Regards,
-Jerry Orona

Similar Messages

  • IronPort SMA: External Spam Quarantine SSO Login

    Can external spam quarantine accommodate SSO login, if it's tied with AD? As far as I know, it cannot.

    Found the answer:
    Accessing the Quarantine via the Quarantine URL
    If LDAP Auth is configured, then the user's AD username and password get them into the quarantine. There is no SAML SSO integration at this time.
    Accessing the quarantine via the Notification Digest
    When the user clicks on the link of a notification email, the URL has an auth token in it which authenticates the user to the quarantine. No popup login required.
    https://sma.quarantine.com:83/Search?h=8d392bb51780c3f7ebe0fa388eb9db2a&email=[email protected]

  • ESA - External Auth - Spam Quarantine

    I'm looking to see if anyone has a workaround for admins logging into Spam Quarantine and not being able to set their safelist / block list.  I'm using AD accounts for TACACS+ / Radius on my ACS 5.4 appliance and I found an issue when using Radius for admin access to my ESA.  After enabling Radius, admins who log into the spam quarantine site have access to everyone's spam which is correct, but they no longer have the option field to setup their safelist / block list.
    Thx
    -Kevin

    I also have the same issue.  The only way around it for me was to use different accounts for administrating the IronPort appliances.   This fell into alignment with my organization's practice of setting up separate Admin accounts for server/workstation administration that are separate from a server admin's user account.
    I think the appliance is confused, because when you login with an administrative level account you see the quarantine of all users, so it can't add safelist/blocklist addresses because it doesn't know what mailbox to add these to.
    Be interested to hear what Cisco has to say about it.

  • External spam authentication

    I cannot get external SPAM authentication working or SPAM logins. I have a valid LDAP profile configured (tested working), I have added a valid "Spam Quarantine End-User Authentication" with domain assignment working, I have enabled "External Authentication Queries" in the valid LDAP profile with Spam Quarantine End-User Authentication Query enabled, and tested with finding valid results.
    Does anyone know what I am missing, or what I am doing wrong? When I try to login into the SPAM quarantine I get "invalid user" when trying to use any LDAP users.

    I think I found the issue, under "Edit Spam Quarantine" I forgot to enable LDAP as the "End-User Authentication".
    I am now able to login with LDAP users but I will follow-up if there are any further issues.

  • Incoming Mail Policy is not working - SPAM quarantine

    I have configured a Mail Policy that has the Antispam disabled. I have done this because of an specific mail user that wants to receive all the emails, including the ones the ESA consider spam.
    It usually works fine but now I have 4 emails in the spam quarantine.  All of them are from the same sender. I have the details and there is this one line that "explains" why the email is sent to quarantine:
    "Remote procedure call connection (RCID 13) started for message 65161521 to local Spam Quarantine.".
    Can you please give me some advice in order to know what causes this Remote call procedure connection?
    Thanks!!
    MAIL POLICY "No-spam-check" MATCHED THESE RECIPIENTS: [email protected]
    19 Nov 2014 09:52:21 (GMT +05:00)
    Protocol SMTP interface in.perulng (IP 129.39.179.38) on incoming connection (ICID 59143385) from sender IP 104.200.16.96. Reverse DNS host mta11.avanzaperu.pe verified yes.
    19 Nov 2014 09:52:21 (GMT +05:00)
    (ICID 59143385) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS unable to retrieve
    19 Nov 2014 09:52:24 (GMT +05:00)
    Start message 65161521 on incoming connection (ICID 59143385).
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 enqueued on incoming connection (ICID 59143385) from [email protected].
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 on incoming connection (ICID 59143385) added recipient ([email protected]).
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 contains message ID header '<6C67A08179394CEA891EBF61D105B938@User-PC>'.
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 original subject on injection: Envasado y Empaque de Alimentos y Bebidas
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 (29275 bytes) from [email protected] ready.
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 matched per-recipient policy No-spam-check for inbound mail policies.
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Spam engine: SLBL. Interim verdict: Positive
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Spam engine: SLBL. Final verdict: Positive
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Virus engine. Final verdict: Negative
    19 Nov 2014 09:52:25 (GMT +05:00)
    Message 65161521 scanned by Outbreak Filters. Verdict: Negative
    19 Nov 2014 09:52:25 (GMT +05:00)
    Message 65161521 queued for delivery.
    19 Nov 2014 09:52:27 (GMT +05:00)
    Remote procedure call connection (RCID 13) started for message 65161521 to local Spam Quarantine.
    19 Nov 2014 09:52:28 (GMT +05:00)
    Message 65161521 quarantined in Spam Quarantine.

    That message got spam checked, was declared spam, so the RPC call happens to put it in the Quarantine.
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Spam engine: SLBL. Interim verdict: Positive
    19 Nov 2014 09:52:24 (GMT +05:00)
    Message 65161521 scanned by Anti-Spam engine: SLBL. Final verdict: Positive
    If you want to deliver this, either don't scan it by setting the Anti-Spam scanning to disabled, or set the action to Deliver, and maybe add something to the subject?
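
An added example, not part of the original posts: a small parser for the alternating timestamp/event layout of the Message Tracking output above. It lists messages that matched an "exempt" policy yet were still quarantined, together with the Anti-Spam engine whose final verdict was Positive. The function names are illustrative, the first sample message is copied from the thread, and the second message (70000001, policy DEFAULT, engine EXAMPLE) is constructed for contrast.

```python
import re
from collections import defaultdict

# Timestamp lines look like "19 Nov 2014 09:52:24 (GMT +05:00)".
TS_RE = re.compile(r"^\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} \(GMT[^)]*\)$")
MID_RE = re.compile(r"\b[Mm]essage (\d+)\b")
POLICY_RE = re.compile(r"matched per-recipient policy (\S+) for inbound mail policies")
VERDICT_RE = re.compile(r"scanned by Anti-Spam engine: (\S+)\. Final verdict: (\w+)")

# Message 65161521: lines from the thread. Message 70000001: constructed.
TRACKING = """\
19 Nov 2014 09:52:24 (GMT +05:00)
Message 65161521 matched per-recipient policy No-spam-check for inbound mail policies.
19 Nov 2014 09:52:24 (GMT +05:00)
Message 65161521 scanned by Anti-Spam engine: SLBL. Interim verdict: Positive
19 Nov 2014 09:52:24 (GMT +05:00)
Message 65161521 scanned by Anti-Spam engine: SLBL. Final verdict: Positive
19 Nov 2014 09:52:25 (GMT +05:00)
Message 65161521 queued for delivery.
19 Nov 2014 09:52:27 (GMT +05:00)
Remote procedure call connection (RCID 13) started for message 65161521 to local Spam Quarantine.
19 Nov 2014 09:52:28 (GMT +05:00)
Message 65161521 quarantined in Spam Quarantine.
19 Nov 2014 10:01:02 (GMT +05:00)
Message 70000001 matched per-recipient policy DEFAULT for inbound mail policies.
19 Nov 2014 10:01:02 (GMT +05:00)
Message 70000001 scanned by Anti-Spam engine: EXAMPLE. Final verdict: Negative
19 Nov 2014 10:01:03 (GMT +05:00)
Message 70000001 queued for delivery.
"""


def pair_events(text):
    """Join each timestamp line with the event line that follows it."""
    events, stamp = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            stamp = line
        elif stamp is not None:
            events.append((stamp, line))
            stamp = None
    return events


def summarize(events):
    """Per message ID: matched policy, final Anti-Spam verdicts, quarantine flag."""
    msgs = defaultdict(lambda: {"policy": None, "antispam": [], "quarantined": False})
    for _stamp, event in events:
        mid = MID_RE.search(event)
        if not mid:
            continue
        rec = msgs[mid.group(1)]
        policy = POLICY_RE.search(event)
        if policy:
            rec["policy"] = policy.group(1)
        verdict = VERDICT_RE.search(event)
        if verdict:
            rec["antispam"].append(verdict.groups())
        if "quarantined in Spam Quarantine" in event:
            rec["quarantined"] = True
    return dict(msgs)


def unexpected_quarantines(summary, exempt_policies):
    """Messages under an exempt policy that were quarantined anyway,
    mapped to the engines that returned a Positive final verdict."""
    return {
        mid: [engine for engine, verdict in rec["antispam"] if verdict == "Positive"]
        for mid, rec in summary.items()
        if rec["policy"] in exempt_policies and rec["quarantined"]
    }


if __name__ == "__main__":
    report = unexpected_quarantines(summarize(pair_events(TRACKING)), {"No-spam-check"})
    for mid, engines in report.items():
        print(f"MID {mid}: quarantined despite exempt policy; positive engines: {engines}")
```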

  • SPAM Quarantine and Local Quarantine

    Hi All,
    In my C670 I have enabled Enable Anti-Spam Scanning.
    For Positively-Identified Spam Setting: I have chosen Action as SPAM QUARANTINE
    For Suspected SPAM Scanning: Spam Quarantine
    Now even though the above is done, I could see the email still goes to the Content Filter checks wherein I have enabled the Local Quarantine.
    Are the emails getting stored in both the SPAM and LOCAL quarantines? This is done because I could see that certain text has been added by the IronPort in the subject line while it identifies the spam and suspected spam, and in the content filter we have a filter monitoring the subject line.
    My question is why does an email which has been spam quarantined still have to go for content filter check, unless an administrator defines so.
    Thanks

    Please help. Is it possible that if an email is already quarantined by the spam engine then it won't go for filter check?

  • Finally using SPAM quarantine and want to know how many e-mails are being released

    We have two C660s and one M660 and we are finally using the SPAM quarantine functionality on the M660 and so far it has been awesome.   For my pilot group I have the spam thresholds set as low as recommended by the GUI at 50 (positive) and 25 (suspected)...   First off, if I change these numbers will I see noticeable differences in what is allowed through and what isn't?
    My real question is, is there an easy way to see what mail is being released by users from the SPAM quarantine?  Originally I had a content filter setup that was working..   but now it appears that when users are releasing e-mails from the quarantine it is skipping any type of content filtering..  From what I can tell, e-mails are still being routed from the M660 to one of the two C660s for delivery..  but in the mail logs I see information like:
    Wed Aug 15 09:34:32 2012 Info: ISQ: Delivering MID 1592784 to ISQ (skipping work queue)
    And in Message Tracking I see:
    15 Aug 2012 09:32:23 (GMT -05:00)
    Message 116381462 was released from Spam Quarantine, IP address 10.25.211.100.
    15 Aug 2012 09:32:23 (GMT -05:00)
    Message 116381462 released from Spam Quarantine. Work queue skipped.
    15 Aug 2012 09:32:23 (GMT -05:00)
    Message 116381462 queued for delivery.
    15 Aug 2012 09:32:23 (GMT -05:00)
    (DCID 40556495) Delivery started for message 116381462 to
    My outgoing content filter is setup like:
    Conditions
    Apply rule: If one or more conditions match Only if all conditions match
    Order | Condition | Rule
    1 | Remote IP/Hostname | remote-ip == XXXXXXXX
    2 | Envelope Sender | mail-from !=XXXXXXXXXX
    Actions
    Order | Action | Rule
    1 | Add Log Entry | log-entry("ReleasedFromSpamQuarantine")
    XXXXXXX = the IP address of our M660..  
    XXXXXXXX = the e-mail address used by our M660 to send out reports/alerts etc..
    Appreciate any input/feedback...
    Jason

    Hello Jason,
    one thing about the thresholds, the defaults are 50/90 for suspected and positive spam, and that usually works for most customers, in some cases if still spam gets through we suggest to modify that to 40/80, but you should not get any lower, as this will just increase the number of false positives. In general, the antispam engine delivers a value way above or below the thresholds, means scores are always either below 10 (no spam) or above 90 (spam), very few are in between this range, so usually the default setting works.
    About the information of which user released a message, there is unfortunately no direct way to get this done. You might try this approach:
    1. mail_logs: Look for the MID of the message when it's getting injected to the SMA, note that this is not the same MID as in message tracking.
    2. mail_logs: Look for the message getting released, and note the time stamp:
    6 Aug 2012 13:29:21 (GMT) Start Message 10054459 ICID 0 release from Spam Quarantine
    3. Do a
    CLI: grep timestamp euqgui_logs
    with the timestamp you retrieved from the mail logs (just use the day, hour, and minute part), this should get you the log lines for the particular minute, check them for the name of the user who was accessing the GUI at that time.
    Hope that helps,
    Andreas
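
An added example, not part of the original posts: the three-step correlation above done offline on exported copies of the two logs, including the case where the GUI activity falls just before the minute boundary of the release. The layout of euqgui_logs is not shown in the thread; the sample entries are constructed and assume the same "Wed Aug 15 09:34:32 2012 Info:" prefix as the mail_logs line quoted earlier, and both logs are assumed to use the same clock.

```python
import re
from datetime import datetime, timedelta

# Release line in the form quoted in step 2.
RELEASE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \(GMT[^)]*\) "
    r"Start Message (?P<mid>\d+) ICID \d+ release from Spam Quarantine"
)
# Assumed euqgui_logs prefix, e.g. "Mon Aug  6 13:29:05 2012 Info: ...".
GUI_RE = re.compile(
    r"^\w{3} (?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \w+: (?P<msg>.*)$"
)

# First release line is from the thread; the second is constructed.
MAIL_LOG_SAMPLE = """\
6 Aug 2012 13:29:21 (GMT) Start Message 10054459 ICID 0 release from Spam Quarantine
6 Aug 2012 13:29:22 (GMT) Message 10054459 queued for delivery.
6 Aug 2012 13:30:02 (GMT) Start Message 10054470 ICID 0 release from Spam Quarantine
"""

# Constructed entries; only the timestamp prefix matters for the correlation.
EUQGUI_SAMPLE = """\
Mon Aug  6 13:29:05 2012 Info: constructed entry: session opened for alice@example.com
Mon Aug  6 13:29:20 2012 Info: constructed entry: release requested by alice@example.com
Mon Aug  6 13:29:59 2012 Info: constructed entry: release requested by carol@example.com
Mon Aug  6 13:31:40 2012 Info: constructed entry: session opened for bob@example.com
"""


def parse_releases(text):
    """Return [(datetime, MID)] for each release event in the mail log text."""
    found = []
    for line in text.splitlines():
        m = RELEASE_RE.match(line.strip())
        if m:
            found.append((datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S"), m["mid"]))
    return found


def parse_gui(text):
    """Return [(datetime, message)] for each parsable euqgui_logs line."""
    found = []
    for line in text.splitlines():
        m = GUI_RE.match(line.strip())
        if m:
            found.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"), m["msg"]))
    return found


def candidates(releases, gui_events, slack=timedelta(0)):
    """Map each released MID to the GUI entries logged in the same clock minute.

    slack widens the window on both sides, for a release logged a few
    seconds after the GUI action that triggered it.
    """
    result = {}
    for when, mid in releases:
        start = when.replace(second=0) - slack
        end = when.replace(second=0) + timedelta(minutes=1) + slack
        result[mid] = [msg for ts, msg in gui_events if start <= ts < end]
    return result


if __name__ == "__main__":
    hits = candidates(parse_releases(MAIL_LOG_SAMPLE), parse_gui(EUQGUI_SAMPLE),
                      slack=timedelta(seconds=10))
    for mid, lines in hits.items():
        print(f"MID {mid}:")
        for entry in lines:
            print(f"  {entry}")
```

The output is a list of candidate GUI entries per released message for an analyst to review; more than one user active in the same minute means the match is not conclusive.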

  • Adding external photo galleries, calendars, etc. in Catalyst

    Is there a way of adding external photo albums, calendars (ie. yahoo, google) into a website made in Flash Catalyst?

    The short answer is no. If these modules need to be within the design of the Flash Catalyst project, you can add them using Flash Builder to add them in. This method will require some effort and knowledge of ActionScript and the Flex Framework.  If these modules need to be next to the Flash Catalyst project, then you could modify the produced HTML file that contains the Flash Catalyst element and insert the modules.
    Either way, you will have a modest amount of development to add these elements to your project.
    Good luck,
    Chris

  • Adding external jars

    Hi,
    I have a jar file in the ext folder of BPEL. When i use the class in java embedding activity it says class not found error how do i solve it. Or please tell me the procedure of adding external jars
    Edited by: user10545499 on Nov 5, 2008 9:40 PM

    To make external Jar files available in your BPEL PM, you could put the files in:
    [ORACLE_HOME]\bpel\system\classes
    Restart the server; they are read when BPEL PM is started. If you want them available in the whole J2EE environment, you should place them in the J2EE environment.
    Marc

  • End User SPAM Quarantine checkbox to select all messages not working

    We are running SPAM Quarantine on M670 running 8.1.0-476 and accessing with Internet Explorer 9.0.   After logging into the SPAM Quarantine there is a top row check box that normally we can check to select all messages.  This stopped working in IE for us, any idea what setting/option we could adjust to enable it again?
    In Chrome 29, FireFox 23 it works as expected.
    Jason

    I think this is a known bug in 8.0, see below:
    CSCuj42166
    Selecting all messages in ISQ at once not possible with IE 8.0/7.0/6.0
    Symptom:
    When accessing the spam quarantine on ESA using IE 8.0/7.0/6.0 and trying to select all messages at once, an error occurs and no message is checked. At the bottom of the browser we see an "Error on page"
    Conditions:
    ESA running 8.0.0-671 and Internet Explorer 8.0 (same valid for 6.0 and 7.0)
    Workaround:
    Using a different browser to access the Centralized Spam Quarantine like for example Safari, Mozilla Firefox, Google Chrome, Internet Explorer 9
    Further Problem Description:
    Details
    Known Affected Releases: (2)
    8.0.0(Venetian)-671 | 8.5.0(FourQueens)-0
    Known Fixed Releases: 0
    Release Pending
    Product: Cisco Email Security Appliance

  • Proxy user getting to the SPAM Quarantine

    I have finally set up the spam quarantine after a year of use. My problem is I have several resources that get email and several users that monitor those resources. How do I allow them to see the quarantined email of another account?
    Thanks

    If you are sending out spam notifications this is already working. The original recipient(s) will simply get a notification which contains a link to the spam quarantine. This link contains an authentication token so that they do not need to enter a username or password to view the mail in the quarantine.

  • Adding External Jars in Module development

    Dear Friends,
    Actually I am adding an external Jar file in my EJB Module in NWDS. I am using this jar file for converting XML to flat file and I am calling this module from the Receiver Communication channel. For this process, I am importing the dom4j.jar file in the EJB Module. I have created a jar file for that module.
    Now I have created an external Library project for the cause that I have used the external jar file, and I have made the following code in the provider.xml file
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE provider-descriptor SYSTEM "library.provider.dtd">
    <provider-descriptor>
         <display-name>
          XML2EDI_Library
        </display-name>
         <component-name>
          XML2EDI_Library
        </component-name>
         <major-version>6</major-version>
         <minor-version>40</minor-version>
         <micro-version>0</micro-version>
         <provider-name>
          dom4j.org
        </provider-name>
         <references>
              <reference
                   provider-name="dom4j.org"
                   strength="weak"
                   type="library">org.dom4j.Document</reference>
              <reference
                   provider-name="dom4j.org"
                   strength="weak"
                   type="library">org.dom4j.DocumentException</reference>
              <reference
                   provider-name="dom4j.org"
                   strength="weak"
                   type="library">org.dom4j.Element</reference>
              <reference
                   provider-name="dom4j.org"
                   strength="weak"
                   type="library">org.dom4j.io.SAXReader</reference>
         </references>
         <jars>
              <jar-name>EDI_Module.jar</jar-name>
         </jars>
    </provider-descriptor>
    I have included 4 references because i have imported following in my ejb module.
    import org.dom4j.Document;
    import org.dom4j.DocumentException;
    import org.dom4j.Element;
    import org.dom4j.io.SAXReader;
    I am not sure of what to include in reference target and provider name, I am getting the following exceptions in Message monitoring:
    1. AO: Document Exception: org.dom4j.DocumentException: E:\usr\sap\BWS\DVEBMGS00\j2ee\cluster\server0\
    2. Nested exception: E:\usr\sap\BWS\DVEBMGS00\j2ee\cluster\server0\
    Help me in this issue..
    Thanks in advance
    N.Jayanth Kumar

    Dear Stefan,
                        I will explain my problem here..in brief
    1. I have created an EJB Module and adding an external jar dom4j.jar
    2. I have the my jndi name as XmltoText
    3. In my application-j2ee-engine.xml in my EAR file...i have included :
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE application-j2ee-engine SYSTEM "application-j2ee-engine.dtd">
    <application-j2ee-engine>
    <reference
         reference-type="weak">
         <reference-target
           provider-name="dom4j.org"
           target-type="application">TEST_LIBRARY
          </reference-target>
    </reference>     
    <fail-over-enable mode="disable"/>
    </application-j2ee-engine>
    TEXT_LIBRARY is the name of my Library Project. Please tell me corrections in the above code... I have a doubt regarding provider name.
    4. As I have added an external jar file in my EJB module, I have created a Library project and in that project's provider.xml file I have included the following code...
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE provider-descriptor SYSTEM "library.provider.dtd">
    <provider-descriptor>
         <display-name>TEXT_LIBRARY</display-name>
         <component-name>TEXT_LIBRARY</component-name>
         <major-version>6</major-version>
         <minor-version>40</minor-version>
         <micro-version>0</micro-version>
         <provider-name>****</provider-name>
    <references>
    <reference
         provider-name="****"
         strength="weak"
         type="library">****</reference>
    </references>
    <jars>
             <jar-name>EJBModule.jar</jar-name> (This is my EJB Module jar file)
    </jars>
    </provider-descriptor>
    Now what should i include in the places of **** in the references above??
    Thanks and Regards,
    N.Jayanth Kumar

  • Can I extend time capsule by adding external drive connected TC via USB?

    Hi,
    I use my TC drive for backups, it's now full. Can I extend the Time Capsule backup drive by adding an external drive connected to the TC via USB? If yes, how do I do this? I have a 1TB WD external drive connected via the TC's USB, I can see the WD drive in the Finder and the TC set-up...but I don't know where to go from here...
    Thanks for your help
    Steveru

    Welcome to the discussions, Steveru!
    I think what you are asking is can you simply continue Time Machine backups by adding the new USB drive, correct? The answer is not exactly. See below for details.
    To use the new USB drive for Time Machine backups, you'll need to Open System Preferences (gear icon) on the dock and open Time Machine. Click on Select Disk and click your USB drive to highlight it, then click Use for Backup. Here's the rub....Time Machine will make a new full complete backup of everything on your Mac's hard drive. There's no way to avoid this. After that, it will continue to make scheduled incremental backups just like it did before on the Time Capsule.
    If you ever need to go back to your original backups on the Time Capsule, you'll need to right-click the Time Capsule icon on the dock and choose Browse Other Time Machine Disks.
    When the USB drive starts to fill, you may decide that you no longer need all the old backups on the Time Capsule disk since you should have a good history of backups on the USB drive at that point.
    So, you could erase the Time Capsule disk and then start backing up to the Time Capsule disk again. At that time, it will also make a complete backup on the first pass and then normal incremental backups from that point forward. When the TC begins to fill again, then you could erase the older backups on the USB drive and start backups again on that drive. Then switch to the other drive in the future to keep things going indefinitely. If you go with this type of flip flop plan, you should always have a solid history of many months of backups at any given time.
    Will a plan like this work? I don't answer a question on the forum unless I've done it myself. This has been working well for me for almost 3 years.
    Pondini, the resident expert on Time Machine and Time Capsule affairs, may have some comments on this as well. If you haven't already seen his excellent guide, Using Time Machine with a Time Capsule or +Time Machine FAQ+, these are the best available sources of information on this subject on the Internet.
    Or, if you don't want to erase any of your backups, you could of course keep adding a new USB drive when the current drive is about to fill.

  • Manually released mail moving from Policy Quarantine to SPAM Quarantine

    We have configured content filter to quarantine mails which are categorized as a 'Suspected Spam'
    hence all mails quarantined by suspected spam content filter are getting quarantined under 'Policy quarantine'
    I have observed that whenever we release mail from Suspected spam content filter, it is moving from Policy quarantine to Spam quarantine instead of getting delivered to the end user. (behavior is only for suspected spam mails. rest of the filters are working fine)
    has anyone experienced such kind of behavior ?? please suggest

    Hi Don,
    Indeed there are two ways to send to ISQ.
    a)  alt-mailhost('the.euq.queue')
    b)  Insert-Header ('X-Ironport-Quarantine: somevalue')
    But both will send the mail to quarantine and stop, even if I have an action such as duplicate-quarantine. No mail is sent to recipient.
    It may sound weird to most because why would we need to ISQ an email but at the same time want to mail be delivered.
    My goal is to just copy it, and send it to ISQ, while let the mail be delivered.
    At this moment, I can't get both done at the same message/content filter.
    MonitorUserADGroupFilter: if mail-from-group == "CN=somegroup, OU=XX, DC=company, dc=com" {
                                   deliver();
                                   alt-mailhost ("the.euq.queue");
    deliver() is now called "skip-filters()", btw.
    The above won't work because once delivered, the message no longer exists and the quarantine to 'the.euq.queue' has no effect.
    If I put alt-mailhost higher than deliver, then the message does not deliver.
    Also replaced with "duplicate-quarantine" to deliver(). Same behavior.
    What's the best way to "deliver and copy to ISQ"?
    Regards,
    Chris

  • Ironport C170 Unable to view the Spam Quarantine messages

    I'm new to the Ironport appliance. When I click on Monitor-->Spam Quarantine, then click on Messages a new window appears and I should see all of the emails that were marked "spam". For some reason when the second window opens, I receive a blank page. Everything works fine on my other C170 appliance.

    Hi Billy, if you move mouse cursor over the number of spam messages on page Monitor>Spam quarantine, what URL address you see?
    Something like https://www.domain.com:83/Search?auth=13900f1d2a029b017464c596a88bb7a8?
    Can you resolve "www.domain.com" to the correct IP address of your ESA server?
    Are Spam Quarantine>Spam Quarantine HTTP & Spam Quarantine HTTPS enabled at Network>IP Interfaces>Interface page? Do interface's IP address & spam quarantine ports match to URL address (does www.domain.com resolve to this IP address) at Monitor>Spam quarantine?
    Is there any firewall blocking this connection?
