why did the email get marked as spam

Is there any way we can see the rules/reasoning as to why the UTM marked an email as spam? It would be very useful to understand and collate against false positives etc.


  • Hey, Coder, what'er ya doin' speakin' Cisco here!?! [[[:D]]]  Tell your office they should dump that old Ironport and get a UTM! [[[:D]]][[[:D]]]

    Max, I assume you mean that you have a "Warn" selection in the 'Spam Filter' section of SMTP so that some emails come to you flagged as SPAM instead of being quarantined or rejected.

    For every email that gets past the SMTP-time checks (RBLs, rDNS, Greylisting, BATV & SPF), the Proxy accepts the body and attachments of the email, and then uses ctasd to calculate a "signature" which it sends to a cloud service.  When the service replies with "Unknown" or "Suspect," the email is delivered.  The other possibilities are "Bulk" (SPAM) and "Confirmed."  Here's an example from our SMTP log file of a line showing the signature and the report:

    2015:07:02-06:34:24 secure exim-in[12690]: 2015-07-02 06:34:24 1ZAcl5-0003Ig-1o ctasd reports 'Suspect' RefID:str=0001.0A090202.559521C0.0043,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0


    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
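Pulling the ctasd verdicts out of the SMTP log is one way to answer the original question, so here is an added example (my own code, not from Sophos or from Bob's post): it parses log lines in the format quoted above, splits the RefID key=value tail, and reports which messages the cloud service classed as Bulk or Confirmed versus Unknown or Suspect. Only the first sample line is the one quoted in the post; the other lines, their message ids and their RefID values are constructed placeholders.

```python
import re
from collections import Counter

# Matches the "ctasd reports" line from the Sophos UTM SMTP (exim-in) log as
# quoted in the post. Group names are my own labels, not UTM field names.
CTASD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) exim-in\[(?P<pid>\d+)\]: \S+ \S+ "
    r"(?P<msgid>\S+) ctasd reports '(?P<verdict>[^']+)' RefID:(?P<ref>\S+)"
)

# Per the post: Unknown/Suspect are delivered; Bulk and Confirmed are the spam
# verdicts, handled by whatever the Spam Filter action is (warn/quarantine/reject).
DELIVERED = {"Unknown", "Suspect"}
SPAM = {"Bulk", "Confirmed"}


def parse_ctasd_line(line):
    """Return a dict for a ctasd verdict line, or None for any other log line."""
    m = CTASD_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # The RefID tail is a comma-separated list of key=value pairs (str=..., ss=2, ...).
    rec["fields"] = dict(kv.split("=", 1) for kv in rec.pop("ref").split(",") if "=" in kv)
    rec["delivered"] = rec["verdict"] in DELIVERED
    return rec


def summarize(log_text):
    """Count ctasd verdicts and list (msgid, verdict, str) for messages classed as spam."""
    verdicts = Counter()
    flagged = []
    for line in log_text.splitlines():
        rec = parse_ctasd_line(line)
        if rec is None:
            continue  # greylisting, RBL, delivery lines etc. are skipped
        verdicts[rec["verdict"]] += 1
        if rec["verdict"] in SPAM:
            flagged.append((rec["msgid"], rec["verdict"], rec["fields"].get("str")))
    return verdicts, flagged


# Constructed sample: line 1 is the one quoted in the post; the rest are made up
# (placeholder ids and RefIDs) to show the other verdicts and a non-ctasd line.
SAMPLE_LOG = """\
2015:07:02-06:34:24 secure exim-in[12690]: 2015-07-02 06:34:24 1ZAcl5-0003Ig-1o ctasd reports 'Suspect' RefID:str=0001.0A090202.559521C0.0043,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0
2015:07:02-06:35:01 secure exim-in[12691]: 2015-07-02 06:35:01 1ZAcle-0003Iq-2a ctasd reports 'Bulk' RefID:str=0000.00000000.00000000.0000,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
2015:07:02-06:35:10 secure exim-in[12692]: 2015-07-02 06:35:10 1ZAcln-0003Ix-3b ctasd reports 'Confirmed' RefID:str=0000.00000000.00000000.0001,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
2015:07:02-06:35:12 secure exim-in[12692]: 2015-07-02 06:35:12 1ZAcln-0003Ix-3b => someone@example.com R=dnslookup T=remote_smtp
"""

if __name__ == "__main__":
    counts, spam = summarize(SAMPLE_LOG)
    print("verdicts:", dict(counts))
    for msgid, verdict, ref in spam:
        print(f"{msgid}: {verdict} (RefID str={ref})")
```

Run it against /var/log/smtp.log content instead of SAMPLE_LOG to see which verdict a given message id received; the RefID str value is what you would quote back to Sophos when contesting a false positive.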