This document describes how to report Content Security Anti-Spam false positive messages or missed spam messages to Cisco for examination.
Cisco recommends that you have knowledge of AsyncOS.
The information in this document is based on all versions of AsyncOS.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
How do you report Content Security Anti-Spam false positives or missed spam?
Here are two methods that you can use in order to submit a missed spam message or a message that is incorrectly marked as not-spam to Cisco for examination:
If you use any email program other than Microsoft Outlook, then follow the program instructions in order to attach the email as an RFC-822 Multipurpose Internet Mail Extension (MIME)-encoded attachment. Refer to the Create RFC-822 MIME Encoded Attachments on the ESA for more information.
Note: All of the submitted messages must be in the RFC 822 format. Any other formats, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), are currently not compatible with the submission tool. Also, unless submitted through a plug-in (Microsoft Outlook, not Microsoft Outlook Express), the messages that are forwarded must be RFC-822-compliant attachments. Forwards of previously-forwarded messages cannot be processed at this time.
You can send the messages to one of these destinations for examination:
Once the submissions are received, the messages are passed through an automated classification system that makes use of the latest rule-set. If these messages are tagged by the new rule-set as spam, they are classified as such. However, due to a delay in the reception of samples and rule generation, there are usually rules published for many of the missed-spam messages between the time that they are received by the email client and the time that they are reported to Cisco.
Some messages are a part of the new spam trends, with new variants that are sufficiently different, or the new spam strains that are not classified by automated systems. Any messages that are held for classification due to mitigation factors are held for human review. Cisco attempts to address the messages within two to three hours after they are ingested into the corpus.
Note: Although every report that is sent as an RFC-822 attachment to the previously-mentioned addresses is reviewed, most of the submissions do not receive a physical reply from Cisco.