This document describes submitting email messages to Cisco for examination.
What email types may be submitted to Cisco?
Any email that is classified incorrectly. These consist of false negatives (missed spam), false positives (mail marked as spam that is actually ham), missed marketing messages, false-positive marketing messages and phish-suspected messages.
Spam: Irrelevant or inappropriate email message(s) to a recipient.
Ham: An email message that is not spam. Also called "non-spam" or "good mail".
Marketing: A commercial email message sent as direct marketing.
Phish: An attempt to acquire sensitive information such as usernames, passwords, credit card details, and/or money, often for malicious reasons, by masquerading as a trustworthy entity in an email message.
How to submit email messages to Cisco
Supported submission methods when reporting email messages:
Direct email submission. Follow the instructions below to attach the email as an RFC-822 Multipurpose Internet Mail Extension (MIME)-encoded attachment and submit it to the appropriate email address. Refer to Create RFC-822 MIME Encoded Attachments on the ESA for more information.
Note: All of the submitted messages must be in the RFC 822 format. Any other formats, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), are currently not compatible with the submission tool. Also, unless submitted through the Cisco Email Security Plug-In, the messages that are forwarded must be RFC-822 compliant attachments. Forwards of previously-forwarded messages cannot be processed.
You can send the messages to one of these destinations for examination:
Once the submission is received, the messages are passed through an automated classification system that makes use of the latest rule-set. If these messages are tagged by the new rule-set as spam, they are classified as such. However, due to a delay in the reception of submissions and rule generation, there are usually rules published for many of the email messages between the time that they are received by the end-user email client and the time that they are submitted to Cisco.
Some messages are part of new spam trends, with new variants that are sufficiently different, or new spam strains, that are not classified by the automated systems. Any messages that are held for classification due to mitigation factors are held for human review. Cisco attempts to address the messages within two to three hours after they are ingested into the corpus.
Note: Although every email sample that is sent as an RFC-822 attachment to the provided submission addresses is reviewed, submissions do not receive a reply from Cisco.
Spam Submission Status
Submission samples determined to be actionable are combined with actionable samples from other customers, real-time data from global sensors, human intelligence, device telemetry and external/partner data feeds. All of this feeds into multiple automated and machine learning systems and technologies that analyze this data 24x7 to create new probabilities and weighting for tens to hundreds of thousands of email features used in IronPort Anti-Spam (IPAS) detection content, which is then consumed by email security devices.
Submission samples are automatically processed and evaluated upon entering our systems. Any sample that fails one or more of the criteria listed in the table (the list is not exhaustive) is marked Un-Actionable. Note: Submission samples may later change from Actionable to Un-Actionable, or vice versa, as further processing and/or human review occurs.
Actionable: Message submitted as an RFC-822 MIME encoded attachment with valid Internet headers and body content.
Un-Actionable: Message not submitted as an RFC-822 MIME encoded attachment. Example: Message submission is inline-forwarded.
Actionable: All original Internet headers are present and properly formatted.
Un-Actionable: One or more original Internet headers are missing or malformed.
Actionable: Original ESA scan date of message is current enough to be used in IPAS training.
Un-Actionable: Original ESA scan date of message is too old/out of date to be utilized in IPAS training.
Actionable: Original body content is present, properly formatted, devoid of any markup or modification and non-NULL.
Un-Actionable: Is a bounce notification, auto-reply or challenge response, or message contains malformed or NULL body content.
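An added example, not Cisco's submission tooling: it wraps a saved original message as a message/rfc822 attachment and pre-checks a submission against the attachment, header and body criteria listed above. The names build_submission, precheck and REQUIRED are hypothetical, SUBMIT_TO is a placeholder address, the four-header set is an assumed stand-in for "all original Internet headers", and scan-date freshness is not checked.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of an original message as saved from the mail client (.eml).
ORIGINAL = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.com; Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"From: Promo <promo@example.net>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: You have won\r\n"
    b"Date: Mon, 01 Jan 2024 09:59:58 +0000\r\n"
    b"Message-ID: <abc123@example.net>\r\n"
    b"\r\n"
    b"Click here to claim your prize.\r\n"
)
SUBMIT_TO = "submission-address@example.invalid"  # placeholder, not a Cisco address
REQUIRED = ("Received", "From", "Date", "Message-ID")  # assumed proxy for "original headers"


def build_submission(original: bytes, sender: str) -> EmailMessage:
    """Wrap the original message as a message/rfc822 attachment (not an inline forward)."""
    outer = EmailMessage()
    outer["From"], outer["To"] = sender, SUBMIT_TO
    outer["Subject"] = "Sample submission"
    outer.set_content("Original message attached.")
    # Passing a parsed message object makes the attachment type message/rfc822.
    outer.add_attachment(message_from_bytes(original, policy=policy.default))
    return outer


def precheck(raw_submission: bytes) -> list:
    """Return the reasons a submission would fail the criteria; empty list if none found."""
    msg = message_from_bytes(raw_submission, policy=policy.default)
    parts = [p for p in msg.walk() if p.get_content_type() == "message/rfc822"]
    if not parts:
        return ["not an RFC-822 attachment (inline forward?)"]
    inner = parts[0].get_payload(0)  # the attached original message
    problems = [f"missing header: {h}" for h in REQUIRED if inner[h] is None]
    body = inner.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        problems.append("empty body content")
    return problems
```
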