Cisco Email Perimeter FAQ
Questions
- 1. What is Cisco Email Perimeter?
- 2. What is Cisco Quarantine Manager?
- 3. How do I access Cisco Quarantine Manager?
- 4. How long are emails kept in the Cisco Quarantine Manager?
- 5. How do I Blacklist or Whitelist senders?
- 6. How often do I get a Spam Quarantine Notification?
- 7. What is Secure Message Delivery?
- 8. What is Cisco Outbreak Filter?
- 9. What is Graymail? Coming Soon!!!!
- 10. How do I unsubscribe from a message marked Graymail? Coming Soon!!!!
- 11. What is Cisco URL Filtering and URL Re-Write? Coming Soon!!!!
The Cisco Email Perimeter is the mechanism DoIT uses to route and scan all email messages entering the State Enterprise email system. It delivers email correspondence to and from external sources and protects the security of the mail system for all our customers. The perimeter solution reviews all email for potential security threats such as phishing, spam, viruses, and denial-of-service attacks. When it finds a threat, it takes action according to the type and severity of the threat. For lower-severity threats, it places the message into the Quarantine Manager, which is fully explained below. Cisco Email Perimeter also allows users to send secure messages using its integrated CRES (Cisco Registered Envelope Service); more information on this is found in the Secure Web Delivery FAQ.
Cisco Email Perimeter uses an email quarantine manager to provide a central point for users to analyze and act upon emails that have been identified as potential spam. This gives the user the ability to release or delete messages and to whitelist or blacklist senders or sending domains. With Cisco Quarantine Manager, the user can act upon the messages from within the Spam Digest email or access a user interface to perform these functions. User-created blacklists/whitelists from our old system will not be brought over to the new email perimeter. Cisco uses a different reputation dictionary, so these may need to be set up again when the user receives their first quarantine notification. Instructions on how to set these blacklists/whitelists are explained in more detail below.
To access Cisco Quarantine Manager and perform actions such as whitelisting & blacklisting specific senders or to see all the messages in your personal quarantine queue, click on the link contained in the spam email digest that is sent to you when you have a quarantined email. You can save this link to your favorites for future access.
**The links in the spam digest are unique to each user and should not be shared with any other person**
The message(s) will be automatically purged from the system in 17 days if you take no action on the items.
To whitelist senders, you will need to access your personal quarantine account using the link contained in the spam digest. Once you are in the quarantine interface, you can check the message you want to perform an action on. In some cases, you may want to release the message or release and add the sender to your safelist for future messages. You can also choose to delete the message.
Another way to whitelist an email address or domain is to select Options in the right corner and click Safelist.
Then add the address or domain in the window that appears.
To blacklist senders, you can click on Options in the upper right corner and select "Blocklist".
You can then enter the email address or domain and click Add to list.
To remove a user in your block list
At approximately 8:00am, 12:00pm and 3:00pm each day, if there are any new items in your Cisco Quarantine Manager, you will receive a Spam Digest Report. The email will have a summary of the email(s) that have been quarantined since your last Spam Digest Report.
Secure message delivery is a service that guarantees secure delivery of email, either by delivering it over Transport Layer Security (TLS) or by storing the email within the Cisco Registered Envelope Service (CRES) and providing a secure link for the recipient to retrieve the email. For more information, see the Secure Message Delivery FAQ.
Cisco Outbreak Filters protect our network from large-scale virus outbreaks and smaller, non-viral attacks, such as phishing scams and malware distribution, as they occur. Cisco gathers data on outbreaks as they spread and sends updated information to our Email Security appliance in real time to prevent these messages from reaching our users. Cisco uses global traffic patterns to develop rules that determine if an incoming message is safe or part of an outbreak.
Messages that may be part of an outbreak are quarantined until they’re determined to be safe based on updated outbreak information from Cisco. Outbreak Filters analyze a message’s content and search for URL links to detect this type of non-viral attack. Outbreak Filters can rewrite URLs to redirect traffic from potentially harmful websites through a web security proxy, which either warns users that the website they are attempting to access may be malicious or blocks the website completely. Messages that are identified by the Cisco Outbreak Filter and are determined to be clean are marked with “Suspicious Message” in the subject line when delivered to the user. Users should be aware of this and proceed with caution when opening these messages.
Graymail messages are messages that do not fit the definition of spam. Examples of graymail include newsletters, mailing lists, subscriptions, social media notifications, and so on. These messages were of use at some point in time but have subsequently diminished in value to the point where the end user no longer wants to receive them. The difference between graymail and spam is that the end user intentionally provided an email address at some point (for example, the end user subscribed to a newsletter on an e-commerce website or provided contact details to an organization during a conference), whereas spam consists of messages that the end user did not sign up for.
The graymail engine classifies each graymail message into one of the following categories:
- Marketing Email. Advertising messages sent by professional marketing groups, for example, bulletins from Amazon.com with details about their newly launched products.
- Social Network Email. Notification messages from social networks, dating websites, forums, and so on. Examples include alerts from:
  - LinkedIn, for jobs that you may be interested in.
  - CNET forums, when a user responds to your post.
- Bulk Email. Advertising messages sent by unrecognized marketing groups, for example, newsletters from TechTarget, a technology media company.
- The end user receives an email with a graymail banner and no longer wants to receive messages from this sender.
- The end user clicks the unsubscribe button contained in the graymail banner across the top of the email.
- Cisco Graymail Unsubscribe then extracts the unsubscribe link and checks its reputation. If the link is malicious, it will block the page from the end user.
- If the link is legitimate, Cisco will execute the unsubscribe process on the user’s behalf.
- The unsubscribe status will then be displayed to the end user. It may take up to four hours for the unsubscribe to take effect.
Cisco URL Filtering allows control and protection against malicious or undesirable links that are introduced into our system within emails. Cisco URL Filtering will scan all URLs contained in an email and determine if each URL is safe to access. Filtering will rewrite the URL if needed so the link takes the user to a Cisco Security Proxy first. This allows URLs to be scanned and checked by Cisco to determine the safety of the websites. If the site is determined to be unsafe, Cisco will block access.
If you are having issues, please contact the DoIT Help Desk at 217-524-3648 (Springfield) or 312-814-3648 (Chicago).