Managing Graymail

This chapter contains the following sections:

Overview of Graymail, page 1

Graymail Management Solution in Email Security Appliance, page 1
How Graymail Management Solution Works, page 3
Configuring Graymail Detection and Safe Unsubscribing, page 5
Troubleshooting Graymail Detection and Safe Unsubscribing, page 10

Overview of Graymail
Graymail messages are messages that do not fit the definition of spam, for example, newsletters, mailing list
subscriptions, social media notifications, and so on. These messages were of use at some point in time, but
have subsequently diminished in value to the point where the end user no longer wants to receive them.
The difference between graymail and spam is that the end user intentionally provided an email address at
some point (for example, the end user subscribed to a newsletter on an e-commerce website or provided
contact details to an organization during a conference) as opposed to spam, messages that the end user did
not sign up for.

Graymail Management Solution in Email Security Appliance

The graymail management solution in the Email Security appliance comprises of two components: an integrated
graymail scanning engine and a cloud-based Unsubscribe Service.
The graymail management solution allows organizations to:
Identify graymail using the integrated graymail engine and apply appropriate policy controls.
Provide an easy mechanism for end users to unsubscribe from unwanted messages using Unsubscribe
Service.

In addition to these, the graymail management solution also help organizations to provide:
Secure unsubscribe option for end users. Mimicking an unsubscribe option is a popular phishing
technique. For this reason, the end users are generally wary of clicking unknown unsubscribe links. For

User Guide for AsyncOS 11.0 for Cisco Email Security Appliances
1
 Managing Graymail
Graymail Classification

such scenarios, the cloud-based Unsubscribe Service extracts the original unsubscribe URI, checks the
reputation of the URI, and then performs the unsubscribe process on behalf of the end user. This protects
end users from malicious threats masquerading as unsubscribe links.
Uniform subscription management interface for end users. Different graymail senders use different
layouts for displaying unsubscribe links to the users. The users must search for the unsubscribe link in
the message body and perform the unsubscribing. Irrespective of the graymail senders, the graymail
management solution provides a common layout for displaying unsubscribe links to the users.
Better visibility for administrators into various graymail categories. The graymail engine classifies
each graymail into three categories (see Graymail Classification, on page 2) and the administrators
can set policy controls based on these categories.
Improved spam efficacy

Graymail Classification
The graymail engine classifies each graymail into one of the following categories:
Marketing Email. Advertising messages sent by professional marketing groups, for example, bulletins
from Amazon.com with details about their newly launched products.
Social Network Email. Notification messages from social networks, dating websites, forums, and so
on. Examples include alerts from:
LinkedIn, for jobs that you may be interested in
CNET forums, when a user responds to your post.

Bulk Email. Advertising messages sent by unrecognized marketing groups, for example, newsletters
from TechTarget, a technology media company.

User Guide for AsyncOS 11.0 for Cisco Email Security Appliances
2
 Managing Graymail
How Graymail Management Solution Works

How Graymail Management Solution Works

The following steps illustrates the workflow of graymail management solution:

Figure 1: Graymail Management Solution Workflow

Workflow

Step 1 The Email Security appliance receives an incoming message.

Step 2 The Email security appliance checks if graymail detection is enabled. If graymail detection is enabled, go to Step 3. Else,
go to Step 8
Step 3 The Email Security appliance checks if the message is spam, virus, or malware positive. If positive, go to Step 8. Else,
go to Step 4
Step 4 The Email Security appliance checks if the message is graymail. If the message is graymail, go to Step 5. Else, go to
Step 8
Step 5 The Email Security appliance applies the configured policy actions such as, drop, deliver, bounce, or quarantine to the
spam quarantine.
Step 6 The Email Security appliance checks if safe unsubscribing enabled. If safe unsubscribing is enabled, go to Step 7. Else,
go to Step 8.
Step 7 The Email Security appliance adds a banner with unsubscribe button to the message. Also, the Email Security appliance
rewrites the existing unsubscribe links in the message body.
Step 8 The Email Security appliance processes the message through the next stages of its email work queue.

User Guide for AsyncOS 11.0 for Cisco Email Security Appliances
3
 Managing Graymail
How Safe Unsubscribing Works

How Safe Unsubscribing Works

The following flow diagram shows how safe unsubscribing works.

Figure 2: Safe Unsubscribing Workflow

User Guide for AsyncOS 11.0 for Cisco Email Security Appliances
4
 Managing Graymail
Configuring Graymail Detection and Safe Unsubscribing

Workflow

Step 1 End user receives a message with the graymail banner.

Step 2 End user clicks on the Unsubscribe link.
Step 3 Unsubscribe Service extracts the original unsubscribe URI.
Step 4 Unsubscribe Service checks the reputation of the URI.
Step 5 Depending on the reputation of the URI, the Unsubscribe Service performs one of the following actions:
If the URI is malicious, the Unsubscribe Service will not perform the unsubscribe process and displays a block
page to the end user.
If the URI is not malicious, depending on the URI type ( http or mailto ), the Unsubscribe Service sends an
unsubscribe request to the graymail sender.
If the request is successful, the Unsubscribe Service displays the Successfully unsubscribed status to the
end user.
If the first unsubscribe request fails, the Unsubscribe Service displays the Unsubscribe process in progress
status and provides a URL that can be used to track the status of the unsubscribing.
End users can use this URL to track the status at a later point. After the first failed attempt, the Unsubscribe
Service sends periodic unsubscribe requests for a duration of four hours.
If an end user checks the status of the unsubscribe process at a later point,
If one of the requests within the four hour duration (from the first failed attempt) is successful, the Unsubscribe
Service displays the Successfully unsubscribed status to the end user.
If none of the requests within the four hour duration (from the first failed attempt) are successful, the
Unsubscribe Service displays the Unable to subscribe status to the end user and provides a URL that can
be used to unsubscribe from the graymail manually.

Configuring Graymail Detection and Safe Unsubscribing

Requirements for Graymail Detection and Safe Unsubscribing
For graymail detection, anti-spam scanning must be enabled globally. This can be either the IronPort
Anti-Spam or the Intelligent Multi-Scan feature. See Anti-Spam
For safe unsubscribing,
Add the safe unsubscribing feature key.
The end user machines must be able to connect to the cloud-based Unsubscribe Service directly
over the Internet.

User Guide for AsyncOS 11.0 for Cisco Email Security Appliances
5
 Managing Graymail
Graymail Detection and Safe Unsubscribing in Cluster Configurations

Graymail Detection and Safe Unsubscribing in Cluster Configurations

You can enable Graymail Detection and Safe Unsubscribing at the machine, group or cluster level.

Enable Graymail Detection and Safe Unsubscribing

Before You Begin
Meet the Requirements for Graymail Detection and Safe Unsubscribing, on page 5.

Step 1 Click Security Services > Detection and Safe Unsubscribe.

Step 2 Click Edit Global Settings.
Step 3 Check Enable Graymail Detection.
Step 4 (Optional) To optimize the throughput of your appliance while still being able to scan increasingly larger messages sent
by graymail senders, configure the thresholds for message scanning:
Maximum size of the message that you want the appliance to scan.
The number of seconds to wait for timeout when scanning a message.

Step 5 (Optional) Click Enable Automatic Updates to enable automatic update of the engine.
The appliance fetches the required updates for the particular engine from the update server.

Step 6 Check Enable Safe Unsubscribe.

Step 7 Submit and commit your changes.

What to Do Next
To configure Graymail Detection and Safe Unsubscribing global settings in CLI, use the graymailconfig
command. For more information, see CLI Reference Guide for AsyncOS for Cisco Email Security Appliances
.

Configuring the Incoming Mail Policy for Graymail Detection and Safe
Unsubscribing
Before You Begin
Enable Graymail Detection and Safe Unsubscribing, on page 6

Step 1 Click Mail Policies > Incoming Mail Policies.

Step 2 Click the link in the Graymail column of the mail policy to modify.
Step 3 Depending on your requirements, choose the following options:
Enable graymail detection

User Guide for AsyncOS 11.0 for Cisco Email Security Appliances
6
 Managing Graymail
Bypassing Graymail Actions using Message Filters

Enable safe unsubscribing

Choose whether to apply the above actions on all messages or only on unsigned messages.
Note The appliance considers a message signed if it is encrypted using S/MIME or it contains an S/MIME
signature.
Actions to be taken on various graymail categories (Marketing Email, Social Network Email, and Bulk Email):
Drop, deliver, bounce, or quarantine (to the spam quarantine) the message
Note If you plan to use safe unsubscribing option, you must set the action to deliver or quarantine.

Send the message to an alternate host

Modify subject of the message
Add custom headers
Send the message to an alternate envelope recipient
Note If you are sending a graymail positive message to an alternate envelope recipient, banner will not be
added.
Archive the message
Note If you are planning only to monitor the detected graymail, you can enable graymail detection per
policy without having to configure actions for various graymail categories. In this scenario, the Email
Security appliance takes no action on the detected graymail.

Step 4 Submit and commit your changes.

What to Do Next

Note You can also configure outgoing mail policies for graymail detection. Keep in mind that, in this scenario,
you cannot configure safe unsubscribing.
To configure policy settings for Graymail Detection and Safe Unsubscribing in CLI, use the policyconfig
command. For more information, see CLI Reference Guide for AsyncOS for Cisco Email Security Appliances
.

Bypassing Graymail Actions using Message Filters

If you do not want to apply graymail actions on certain messages, you can use the following message filters
to bypass graymail actions:

Message Filter Action Description

skip-marketingcheck Bypass actions on marketing emails

skip-socialcheck Bypass actions on social network emails

skip-bulkcheck Bypass actions on bulk emails

User Guide for AsyncOS 11.0 for Cisco Email Security Appliances
7
 Managing Graymail
Monitoring Graymail

The following example specifies that messages received on the listener private_listener must bypass graymail
actions on social network emails.

internal_mail_is_safe:
if (recv-listener == 'private_listener')
{
skip-socialcheck
();
}

Monitoring Graymail
You can view data about detected graymail using the following reports.

Report Contains the Following Graymail More Info

Data
Overview page > Incoming Mail The number of incoming graymail Overview Page
Summary messages under each graymail
category (Marketing, Social, and
Bulk) and the total number of
graymail messages.

Incoming Mail page > Top Senders The top graymail senders. Incoming Mail Page
by Graymail Messages

Incoming Mail page > Incoming The number of incoming graymail

Mail Details messages under each graymail
category (Marketing, Social, and
Bulk) and the total number of
graymail messages for all the IP
addresses, domain names, or
network owners.

Incoming Mail page > Incoming The number of incoming graymail

Mail Details > Sender Profile (drill messages under each graymail
down view) category (Marketing, Social, and
Bulk) and the total number of
graymail messages for a given IP
address, domain name, or network
owner.

User Guide for AsyncOS 11.0 for Cisco Email Security Appliances
8
 Managing Graymail
Updating Graymail Rules

Report Contains the Following Graymail More Info

Data
Internal Users page > Top Users The top end users who receive Internal Users Page
by Graymail graymail.

Internal Users page > User Mail
Flow Details
The number of incoming graymail
messages under each graymail
category (Marketing, Social, and
Bulk) and the total number of
graymail messages for all the users.

Internal Users page > User Mail The number of incoming graymail
Flow Details > Internal User (drill messages under each graymail
down view) category (Marketing, Social, and
Bulk) and the total number of
graymail messages for a given user.

If you had enabled Marketing Email Scanning under anti-spam settings for a mail policy, after upgrading to
AsyncOS 9.5 or later, keep in mind that:
The number of marketing messages is a sum of marketing messages detected before and after the upgrade.
The total number of graymail messages does not include the number of marketing messages detected
before the upgrade.
The total number of attempted messages also includes the number of marketing messages detected before
the upgrade.

Updating Graymail Rules

If you have enabled service updates, scanning rules for the graymail management solution is retrieved from
the Cisco update servers. But in some scenarios (for example, you have disabled automatic service updates
or automatic service update is not working), you may want to manually update graymail rules.
To manually update the graymail rules, do one of the following:
In web interface, go to Security Service > Graymail Detection and Safe Unsubscribing page, and
click Update Now.
In CLI, run the graymailupdate command.

To know the details of existing graymail rules, see the Rule Updates section of the Graymail Detection and
Safe Unsubscribing page in web interface or use the graymailstatus command in CLI.

Customizing the Appearance of Unsubscribe Page for End Users

When an end user clicks on unsubscribe link, the Unsubscribe Service displays a Cisco branded Unsubscribe
page indicating the status of the unsubscribe process (see How Safe Unsubscribing Works, on page 4). You
can customize the appearance of the Unsubscribe page and display your organizations branding (such as

User Guide for AsyncOS 11.0 for Cisco Email Security Appliances
9
 Managing Graymail
End-User Safelist

company logo, contact information, and so on) using Security Services > Block Page Customization. For
instructions, see Customizing the Notification That End Users See If a Site Is Malicious.

End-User Safelist
If the end users in your organization have configured Safelist for their own email accounts, graymail messages
from a sender in the safelist will not be scanned by the graymail scanning engine. For more information about
Safelists, see Using Safelists and Blocklists to Control Email Delivery Based on Sender.

Viewing Logs
The graymail detection and safe unsubscribing information is posted to the following logs:
Graymail Engine Logs. Contains information about the graymail engine, status, configuration, and so
on. Most information is at Info or Debug level.
Graymail Archive. Contains archived messages (the messages that are scanned and associated with the
archive message action). The format is an mbox-format log file.
Mail Logs. Contains information about graymail detection and addition of banner for safe unsubscribing.
Most information is at Info or Debug level.

Troubleshooting Graymail Detection and Safe Unsubscribing

Unable to Perform Safe Unsubscribing
Problem
After clicking on the Unsubscribe link, the end user sees the following message: Unable to unsubscribe
from...
Solution
This problem can occur if the Unsubscribe Service is unable to perform the safe unsubscribe on behalf of the
end user. The following are some of the common scenarios in which the Unsubscribe Service is unable to
perform the safe unsubscribe:
Unsubscribe URI or mailto address is wrong.
Websites that require the end users credentials to unsubscribe.
Websites that require the end users to confirm the request of unsubscribing by logging into their email
accounts.
Websites that require captcha to be solved and the Unsubscribe Service is unable to solve the captcha.
Websites that require interactive unsubscribing.

The end users can use the URL provided at the bottom of the unsubscribe page to unsubscribe manually.

User Guide for AsyncOS 11.0 for Cisco Email Security Appliances
10