This document describes the Cisco Email Submission and Tracking Portal (ESTP), usage of the portal, and general how-to instructions for administration and viewing submissions via the portal.
What Is the Use of the Cisco Email Submission and Tracking Portal?
Cisco Email Security Appliance (ESA) has remained the best in catching spam, ham, marketing, and graymail messages with > 99 percent catch rate and 0.001 percent false positives. (Refer to Opus One report for more details). However, to keep the bar high and to improve the overall efficacy, Cisco encourages customers to submit messages that are incorrectly classified. For detailed instructions, see How to submit email messages to Cisco.
Each customer submission forms a critical piece of Cisco’s Threat Intelligence system. Hence it is important to have submissions with complete information and in the right format (RFC 822). In some cases, submissions lose critical headers and other essential information due to the way they have been submitted. Submissions that are improperly provided to Cisco may cause delay in troubleshooting, adjusting catch rates, and increasing a customer's frustration with the overall submission process.
The Cisco Email Submission and Tracking Portal is a way for customers to track submissions from their organization and at the same time know status of each submission. Once a submission has been provided to Cisco, the information from the ESTP may be used for further interact with Cisco Support or other associated teams with-in Cisco.
Who Will Use the Cisco Email Submission and Tracking Portal?
Any end-user who has a Cisco Connection On-line (CCO) user id is able to access and utilize the ESTP.
Using the portal is defined to one of two kinds of users:
Administrator of an Organization: An Email Gateway administrator who is interested to know the status of all of the submissions made by the users of their organization or registered domain(s). There could be more than one administrator for any organization, and an administrator could be managing multiple domains within an organization.
Viewers of Submissions: Any individual user who is authorized by an administrator to view their organization's submissions. A viewer can view submissions for multiple organizations. A viewer will typically use the information on the portal to investigate submissions. For example, if a customer wants Cisco to check a submission on priority they do not have to resubmit the same messages to Cisco. Instead, a customer may provide their submission ID from the ESTP with Cisco TAC via a support request, and Cisco TAC can then look into the submission ID for further details.
How to Get Started with the ESTP as an Administrator
An email administrator managing a group of domains can get started with the portal by one of two ways: (1) register a new registration ID, or (2) register as an administrator
A Registration ID is a unique identifier to identify a group of appliances in a domain.
The Registration ID must be at least sixteen (16) characters, but no more than forty-eight (48) characters and must contain only alphanumeric characters, hyphen (-), and underscore (_).
If you are using Cisco Email Security Gateway with AsyncOS 10.0 or later:
The Registration ID you plan to use here must be same as what you entered while configuring the Email Submission and Tracking Portal Registration page on your appliance(s).
If you have not configured the Registration ID on the Email Submission and Tracking Portal Registration page of your appliance(s), you will not be able to view your email submissions on the portal.
If you are using Cisco Email Security Gateway with releases prior to AsyncOS 10.0, continue the registration using a random Registration ID and register your domain to be able to view your email submissions on the portal.
Register your domain(s) with the portal to ensure that you can track all your submissions on the portal. Click Configuration > Domains to register your domain(s).
Click Register a new registration ID
Enter in a registration ID as described above.
If you are using Cisco Email Security Gateway with AsyncOS 10.0 or later, please note down the Registration ID that you entered here and make sure that it is same as what you entered while configuring the Email Submission and Tracking Portal Registration page on your appliance(s).
Click Register to acknowledge the Registration ID pop-up
Finally, click Got it to finish the registration. You will be re-prompted to log into your CCO ID to authenticate through to the Email Submission and Tracking Portal.
At this point, you will now have a Registration ID and also automatically be an administrator for the account. You will not need to "Register as An Administrator" or complete the "How to Get Started with the ESTP as a Viewer" section. However, after the Registration ID is active, an administrator must register a domain(s) with the portal to ensure submission tracking for all domain submissions via the ESTP. Please see the "Adding and Managing Domains as an Administrator" section.
Note: To change a Registration ID, you must delete your account and register again using a new/correct Registration ID.
Register as an Administrator
An administrator can:
Submit missed spams directly via the ESTP. (Only .eml format type is currently supported.)
View the dashboard for all submissions and track the submission status in a single pane
View table listing each submission, their status, and filter them based on time stamp, submission ID, submitter and other parameters
Manage domains associated with the Registration ID/Organization
Manage administrators and their permissions
Manage viewers and their permissions
Delete their own account
Note: Please open a support request to have past-administrators, past-viewer accounts expunged, as needed.
If the Registration ID already exists, you may choose to use the portal as an administrator by sending an email to an already approved admin e-mail address for your domain.
Click Register as an administrator
Enter the Approver Admin email address in the field
The administrator will receive an email notification from the Email Submission and Tracking Portal for "New Admin Registration Request Received". The administrator will have to log-in to the ESTP using their credentials to authorize the administrator permissions by going to Configuration > Admin registration requests and clicking ALLOW or DENY. Once the request is allowed or denied, the viewer that requested permission will receive an email confirmation.
Adding and Managing Domains as an Administrator
In order for an administrator to see and manage the submissions from their domain users, or a viewer to see submissions on the Submissions pane, an administrator will need to add the domain via the ESTP configuration panel.
Note: This step assumes that the domain is RFC 5321 complaint and only trusted people have access to postmaster@domain mailbox.
If the postmaster@your_domain.com does not exist for some reason, either ensure it is made available and then add the domain. Or, from the ESA using the CLI command aliasconfig, configure the ESA to route emails to postmaster@your_domain.com to a valid, alternate email address.
As an administrator, log-in to the ESTP
Go to Configuration > Domains
Click Add new domain
Enter the domain in the field
An email for "New Domain Registration Confirmation" is sent to the postmaster@your_domain.com email address. From the postmaster@your_domain.com mailbox, view and click on the confirmation link received in the email from the ESTP.
After the domain(s) has been successfully added to the associated Registration ID/Organization, submissions (by any domain user) submitted AFTER this time period can be viewed on the Submissions pane. Submissions that were sent in prior to the domain being added to the Registration ID/Organization will not be back-filled.
How to Get Started with the ESTP as a Viewer
A viewer can:
View the dashboard for all submissions and track the submission status in a single pane
Delete their own account
Register as a Viewer
A viewer can register by following these two-part instructions:
Click Register. You will be re-prompted to log into your CCO ID to authenticate through to the Email Submission and Tracking Portal.
Once you have re-authenticated and re-logged into the ESTP, you are presented the notice "To view the email submissions from an organization, you must send a request to the administrator of that organization. Go to Configuration > Send Request to send a request."
Click on Configuration > Send Request in the notice, or navigate via the configuration panel.
Enter one of the following:
Email address of the organization's administrator as entered on the portal.
Submission ID (at least one submissions ID that Viewer is trying to look for additional details)
Once entered, an authorization request is sent to the corresponding administrator's email address. An administrator will receive an email for "New View Permissions Request Received". The administrator will have to log-in to the ESTP using their credentials to authorize the viewer permissions by going to Configuration > Viewer permission requests and clicking ALLOW or DENY. Once the request is allowed or denied, the viewer that requested permission will receive an email confirmation.
A viewer can choose to leave an organization at any time by navigating to Configuration > My organizations and clicking on LEAVE in the actions column. Likewise, an administrator can suspend a view account from the configuration panel by navigating to Configuration > Viewer management and clicking SUSPEND. A viewer will need to revisit the same authorization steps above in order to regain viewing of that organization.
How Can a Viewer Become an Administrator or Vice Versa?
If you have registered as a viewer and want to become an administrator (or vice versa), do the following:
From the top right corner, click on Your Username > Delete my account
Depending on your requirement, perform the steps mentioned in one of the following topics: “How to Get Started with the Portal as an Administrator” or “How to Get Started with the Portal as a Viewer”
Each submission is automatically processed and evaluated upon entering the Cisco Intelligence System. Based on the analysis, the system will set one of the following statuses for a submission:
Submissions that are done in the right format, containing all original Internet headers, headers inserted by the email gateway, full message body will be considered actionable.
Submission samples determined to be actionable are combined together with actionable samples from other customers, real time data from global sensors, human intelligence, device telemetry and external/partner data feeds.
All of this feeds into multiple automated and Machine Learning systems and technologies that are analyzing this data 24x7 to create new probabilities and weighting for tens to hundreds of thousands of email features used in IronPort Anti-Spam (IPAS) detection content that is then consumed by email security devices.
Actionable but incomplete
Submissions that are done as attachments in the right format, containing full message body, etc. but missing critical headers such as diagnostic X-headers added by the ESA. This could happen because of the client (e.g. outlook) used to make the submission.
NOTE: Different Outlook versions have known to remove headers from time-to-time.
Missing critical headers may hamper analysis and limit the impact of the submission. However, these submissions are still fed into the intelligence system and processed as described in “Actionable" to the degree possible.
If one or more criteria listed in (but not limited to) "Message Attributes and reasons for Un-actionable status" table below are met, the submission is marked Un-Actionable.