It is imperative to start at the Mail Flow PolicyMail Flow Policy - Mail Flow Policies are a way of expressing a group of HAT parameters (access rule, followed by rate limit parameters and custom SMTP codes and responses). level. The Security Features section of the Mail Flow Policy should have the following enabled:
- Spam Detection
- AMP Detection
- Sender Domain Reputation Verification
- Virus Outbreak Filters
- Graymail Detection
- Encryption and Authentication
- DKIM, SPF/SIDF, DMARC verification.
Typically this is done by configuring the policy to use the Default policy setting, which should be "On". It is NOT recommended to have these security features configured as "Off".
You may have other Mail Flow Policies created and configured. Please be sure that you have reviewed any Mail Flow Policies that may be named "Accepted," "Allowed," etc., and to assure their Security Features are enabled as described if they are not "Use Default (On)."
Even if you are NOT taking action based on these security features, the detection capabilities of each service may be used by IronPort Anti-Spam (IPAS) in combination with other detections. Additionally, rules written may take SPF or DMARC into consideration in order to further process and determine if the message is considered positive spam, suspect spam, or clean. These actions have impact on processing the message or determining to block the message.
Next, review the Incoming Mail Policies. Ensure at the policy-level that the features are enabled. These are the services that operate per-policy:
- Advanced Malware Protection
- Content Filters
- Outbreak Filters
- Advanced Phishing Protection
Specifically for Anti-Spam, review ANY policy that is not using the default policy settings. This includes the configured actions for how Positively-Identified Spam and Suspected Spam are handled at the policy level. And finally, the Spam Thresholds. Are you using default values or custom settings for the scoring?
What are the defaults for Spam Thresholds?
- Fresh install, or any appliances that are not running Gold Config + Best Practices, default is "Use the Default Thresholds", which should be the following:
- Positively Identified Spam: 90
- Suspected Spam: 50
What are the Spam Thresholds if running "Gold Config"?
- Cloud Gateway appliances are pre-configured running Cisco Best Practices for most customer allocations. The Spam Thresholds should be the following:
- Positively Identified Spam: 90
- Suspected Spam: 39
If you make updates to your Spam Thresholds and configuration, please remember to submit and commit you changes.
Cisco does not recommend a more customized approach to Spam Thresholds. Talos implements all rules and thresholds based on the default scoring. The recommendation is to use default or not to skew too far from the default values, as this may impact false positive, false negative occurrences.
Wanting to be more Aggressive? We will review that coming up in the Aggressive Profile for Anti-Spam section...
At this time, we have completed the following:
- Services Updates
- Validate Detection Services
- Review of Bypass, Accept, or Allow Lists
- Aggressive Profile for Anti-Spam
- Review and Validate MX Records
- Submissions to Talos
- Support Cases
- Security Review (Optional)
Once you have reviewed and validated the detection services, proceed on to the next section of this document.
Updated 3 months ago