Cisco IronPort Spam Quarantine
Contents
Cisco IronPort Spam Quarantine Notification
Cisco IronPort Spam Quarantine interface
Using End User Safelist and Blocklists
Accessing Safelists and Blocklists
Adding Entries to Safelists and Blocklists
Frequently asked questions
1. I’m not receiving any spam notifications. Why? The system will not send a notification if there are no spam messages received since the previous notification.
2. I still have an old notification email. Can I use this old notification to manage spam messages? Yes. Any notification received can still be used to manage messages, or to navigate to the web interface of the spam quarantine.
3. Do I need to delete messages that are spam? No. Messages that are spam do not need to be deleted. The system will automatically delete older messages, typically those older than 30 days. You will not receive notification of messages that have been listed in a prior notification.
4. Can I review older messages? Yes. You can review any messages held in quarantine that have not yet been automatically delete due to age. Click on the “your email quarantine” or “View All Quarantined Messages” link in the notification.
IronPort Anti-Spam helps prevent potential email threats from reaching the inboxes of Harvey Mudd College email users (faculty, staff, students, and alumni). The system is designed to address a full range of known email threats:
- Spam - Spam is usually considered to be electronic junk mail or junk newsgroup postings. Phishing - Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
- Zombie attacks - Zombie is a computer connected to the Internet that has been compromised by a hacker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction.
- 419 scams - The “419” scam typically involves hard-to-detect low volume, short-lived email threats such as promising the victim a significant share of a large sum of money, which the fraudster requires a small up-front payment to obtain.
In addition, IronPort Anti-Spam identifies new and evolving blended threats, such as spam attacks that distribute malicious content through a download URL or an executable.
Cisco IronPort Spam Quarantine Notification
Figure 1.
Details of the IronPort Spam notification
The IronPort Spam Quarantine notification is an email message sent to you by the quarantine system that lists the spam messages received since your last notification. The notifications are generated and sent at 6 AM every day with the title “Claremont Colleges Quarantine Notification”.
The notification has several parts:
1. A greeting, providing general instructions about the notification.
2. A link to the web interface of the IronPort Spam Quarantine. This link will take you to a web page that displays all of the held messages. (See Figure 2.) This link is the only way you can get to your spam quarantine (i.e. there is no login page).
3. A list of the messages that have been marked as spam by the IronPort system. Each row represents a single message and the Sender, Subject, and Date of the message is displayed.
a. The “Release” link can be clicked to release a message. If you decide that a message is NOT spam, based on the sender and the subject, clicking this link will cause the quarantine to immediately release the message. It will be delivered to your inbox as normal.
b. The Subject of each message is a link that will display the individual message in the spam quarantine web interface. (See Figure 3.)
Cisco IronPort Spam Quarantine interface
Figure 2.
When you click on the “your email quarantine” or “View all quarantine messages” links in the Spam Quarantine notification, you are taken to “Cisco IronPort Spam Quarantine interface” that allows you to view, delete, or release spam messages. As mentioned previously. These links are the only way you can get to your spam quarantine interface (i.e. there is no login page).
The interface has a number of features (Figure 2) to let you manage the messages stored:
1. List of all messages
2. Check box next to each message in the list to select message(s) for action
3. Pull down menu to choose to “Release”, “Release and Add to Safelist”, or “Delete” for the selected messages.
4. A search box that will allow you to search messages by From: or Subject header.
The “Advanced Search” link allows you to search with more criteria including a date range.
5. Navigation tools allow you to jump to other messages and display more per page, if there are more than 25 messages in the quarantine.
Spam details page
Figure 3.
When you click on the Subject of a message in either the Spam Quarantine notification or in the Spam Quarantine web interface, details of the message are displayed. The message display has several parts (Figure 3):
1. Pull down menu to choose to “Release”, “Release and Add to Safelist”, or “Delete” for the selected messages.
2. Sender and recipient details.
3. Actual message content. For security reasons, only a portion of the message body is displayed in plain text. Plain text display prevents the message from using scripts, tracking images, or other malicious content from harming your computer. To display the full contents of the message in its original form you must release the message by selecting ‘Release’ or ‘Release and Add to Safelist’ from pull down menu.
Using End User Safelist and Blocklists
You can create safelists to ensure that messages from specified senders are never treated as spam, and they can use blocklists to ensure that messages from specified senders are always treated as spam. For example, an end user might receive unwanted email from a mailing list. The user can add this sender to their blocklist to prevent email messages from the sender from being delivered. On the other hand, an end user might find that email messages from a legitimate sender are mistakenly being identified as spam and sent to the IronPort Spam Quarantine. To prevent mail from that sender from being quarantined in the future, the user can add the sender to their safelist.
Accessing Safelists and Blocklists
When you click on the “your email quarantine” links in the Spam Quarantine notification, you are taken to a web page that allows you manage your Safelists and Blocklists.
End users can add senders to safelists in two ways. From the IronPort Spam Quarantine location, they can manually add a sender to the safelist by clicking the Options menu in the upper-right corner of the web interface and then selecting Safelist.
Adding Entries to Safelists and Blocklists
Entries can be added to safelists and blocklists using the following formats:
user@domain.com - for an individual email address
server.domain.com - for all email sent from a given subdomain
domain.com - for all email with the given domain name
End users cannot add a sender or domain to both their safelist and their blocklist at the same time. However, if they add a domain to a safelist and a user in that domain to the blocklist (or vice versa), the IronPort appliance applies both rules. For example, if the end user adds example.com to the safelist, and adds george@example.com to the blocklist, the IronPort appliance delivers all mail from example.com without scanning for spam, but it treats mail from george@example.com as spam.
Working with Safelists
Safelist in End User Quarantine
Type an email address or domain in the window at the top of the list, and click Add to List to include your new SafeList address.
End users can also add a sender to the safelist if a message from the sender has been sent to the IronPort Spam Quarantine. If the message from a particular sender is held in the IronPort Spam Quarantine, the end user can select the check box next to the message, then choose “Release and Add to Safelist” from the drop-down menu.
Safelist in End User Quarantine
The Envelope sender. Defined as is where computers should respond (in the case of bounce messages or errors); the From: address is where people should respond. And the From header, which matches the envelope sender (return address) for the specified mail are both added to the safelist, and the released messages proceed directly to the destination queue, skipping any further work queue processing in the email pipeline.
Note — End users can also use the spam notification message to release messages. Click the Not Spam link to release a particular message. End users also have the option to add senders to their safelists.
Working with Blocklists
End users can use blocklists to prevent the delivery of mail from specified senders. To add senders to a blocklist, the end user selects the Options menu in the upper-right corner of the web interface and then selecting Blocklist from the end user quarantine.
Adding Senders to a Blocklist
From the end user quarantine, the end user enters an email address or domain in the field, and clicks Add to List.
When the Email Security appliance receives mail from the specified email address or domain that matches an entry in the blocklist, it treats the mail as spam. The mail might be deleted or quarantined, depending on the blocklist action setting.