Cisco Email Security Appliance

ESA FAQ: How do you report Content Security Anti-Spam false positives or missed spam?

Document ID: 117822

Updated: Jun 23, 2014

Contributed by Chris Haag and Robert Sherwin, Cisco TAC Engineers.



This document describes how to report Content Security Anti-Spam false positive messages or missed spam messages to Cisco for examination.



Cisco recommends that you have knowledge of AsyncOS.

Components Used

The information in this document is based on all versions of AsyncOS.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

How do you report Content Security Anti-Spam false positives or missed spam?

Here are two methods that you can use in order to submit a missed spam message or a message that is incorrectly marked as not-spam to Cisco for examination:

Note: All of the submitted messages must be in the RFC 822 format. Any other formats, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), are currently not compatible with the submission tool. Also, unless submitted through a plug-in (Microsoft Outlook, not Microsoft Outlook Express), the messages that are forwarded must be RFC-822-compliant attachments. Forwards of previously-forwarded messages cannot be processed at this time.

You can send the messages to one of these destinations for examination:

Each message is reviewed by a team of human analysts and is used in order to enhance the accuracy and effectiveness of the product.

Once the submissions are received, the messages are passed through an automated classification system that makes use of the latest rule-set. If these messages are tagged by the new rule-set as spam, they are classified as such. However, due to a delay in the reception of samples and rule generation, there are usually rules published for many of the missed-spam messages between the time that they are received by the email client and the time that they are reported to Cisco.

Some messages are a part of the new spam trends, with new variants that are sufficiently different, or the new spam strains that are not classified by automated systems. Any messages that are held for classification due to mitigation factors are held for human review. Cisco attempts to address the messages within two to three hours after they are ingested into the corpus.

Note: Although every report that is sent as an RFC-822 attachment to the previously-mentioned addresses is reviewed, most of the submissions do not receive a physical reply from Cisco.

Updated: Jun 23, 2014
Document ID: 117822