Email submission statuses are shown in the Status column of the Submissions page of the Email Status Portal. A status is subject to change as new data becomes available. The status options are Spam/Threat, Legitimate Email, and Graymail. A user can mark whether they agree or disagree with a status. If the user disagrees, and the status might be a security concern, they should submit a dispute through TAC.
Classification status
Email Submission | Definition | Submission Method | User Consideration for Submitting |
---|---|---|---|
Spam/Threat | Messages containing threats or unsolicited/undesired content. Spam or threat messages are never legitimate and may contain one or more of the following: phishing links, viral or malicious attachments, scams, malicious or otherwise untrustworthy links or general spam. | | User believes the message to contain a phishing link, viral or malicious attachments, scams, malicious or otherwise untrustworthy links or general spam. |
Scam/Phish | The email contains a fraudulent scheme or attempt to deceive the recipient for gain or fraud. It may include an attempt to use a fake identity. | | Messages contain unsolicited or unwanted offers or requests, such as for illegal acts or substances, fake employment offers, specialty items or procedures, stock and lottery scams, etc. Phish messages contain an attempt to pose as a trusted entity, such as a financial institution or known person, company, or domain. Message might include a malicious link or supposedly secure third party message or file system that would instead steal information. |
Malware | The email contains malicious content or links to malicious resources. | | There is an exploit or malicious file linked or attached to the email. |
Legitimate | Legitimate (good) email, not spam. Also known as ‘Ham.’ | | Detected to contain a phishing link, viral or malicious attachment, scam, malicious or otherwise untrustworthy links or general spam, but submitting user considers the message legitimate. |
Graymail | Graymail is legitimate (not Spam) email that is commercial bulk email, often marketing. Usually subscription based, sometimes unwanted. Users may have knowingly or unknowingly solicited mail from the sender, for example by swiping a badge at a conference or making an online purchase. Legitimate subscription-based marketing email will have a working unsubscribe mechanism. | | Graymail message, but was not automatically detected as graymail. |
No Determination | Email submissions with this status do not yet have enough data to be accurately classified. As with other statuses, this could change as more data becomes available on this submission (for instance, more users report it with the same classification, etc.). Resubmitting the same sample from the same account will not change the status. Duplicate reports are not counted by the Talos processors. | | N/A |
Limited Use | Email submissions with this status cannot be used consistently across all our machine learning systems because they are missing context or include message artifacts, such as post-delivery warning markup that hasn't been removed. In the future, additional context might be gathered from it. | | N/A |
Rejected Statuses:
Instead of Spam/Threat, Legitimate, or Graymail, some submissions receive a rejected verdict. Email submissions can be rejected if they are submitted incorrectly, are outdated, or if they fit into specific exception categories. Rejected submissions cannot be further processed. However, users can re-submit email samples that were initially submitted incorrectly; see [How to Submit Email Messages to Cisco](https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/214133-how-to-submit-email-messages-to-cisco.html). The table below breaks down the various types of rejected submissions.
Rejected Status | Reason | Able to re-submit? |
---|---|---|
Reject: not submitted correctly | Message was not submitted as an RFC-822 MIME encoded attachment (for example, was submitted as an inline-forward), one or more original internet headers are missing or malformed, or the original message content or link was modified in any way, including for security reasons. See this link for instructions on native sender callouts for external messages if a workaround is required. Rejected submissions cannot be further processed. | Yes |
Reject: simulated phishing | Message is an internal company phishing training exercise and is exempt from classification. | No |
Reject: duplicate | Submissions with this status are considered duplicates of previously submitted messages and are exempt from being classified. | No |
Reject: bounce | Email is a bounce notification, sent to indicate that a message was not delivered. Bounce emails are exempt from classification because they are informational and standardized. | No |
Reject: other | Submissions with this status may be out of date or another exempt type of message such as: auto-replies, challenge responses, or legitimate email messages discussing Spam content. | No |
Reject: Simulated Phish
The submission processors recognize the major phishing education and testing services and exclude those samples from our Anti-Spam detection, allowing them through to simulate phishing attempts. Users can submit these test messages in order to practice good detection habits. However, these are not real phish missed by our detection. We list these as “Simulated Phish” for full transparency for our customers.
Reject: Other
If our processors can determine the reason for a Rejected status, we provide it in the status. Otherwise, the status will be “Reject: Other”.
Incorrect submission processes often lead to “Reject: Other” statuses. For instance, if the submitter included the original email message as an in-line forward without the original headers, our processors may not have adequate data to form a classification.
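The following pre-submission check is an added example, not Cisco or Talos code: it tests whether a report carries the original message as a `message/rfc822` attachment with its headers intact, the condition behind “Reject: not submitted correctly” and the inline-forward case described above. The header list, the addresses and the sample messages are constructed assumptions; the page does not say which headers the processors require.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the page does not list which original headers are required;
# these four are an illustrative set.
EXPECTED_HEADERS = ("Received", "From", "Date", "Message-ID")

def check_submission(raw: bytes) -> list:
    """Return the reasons a report would likely be 'not submitted correctly'."""
    report = message_from_bytes(raw, policy=policy.default)
    attached = [p for p in report.walk() if p.get_content_type() == "message/rfc822"]
    if not attached:
        return ["original is not attached as message/rfc822 (inline forward?)"]
    original = attached[0].get_payload(0)  # the embedded original message
    return [f"original is missing header: {h}"
            for h in EXPECTED_HEADERS if original[h] is None]

def build_report(mode: str) -> bytes:
    """Constructed sample reports: 'attached', 'stripped' or 'inline'."""
    original = EmailMessage()
    original["Received"] = "from mail.example.net by mx.example.com; Mon, 01 Jan 2024 10:00:00 +0000"
    original["From"] = "billing@example.net"
    original["Date"] = "Mon, 01 Jan 2024 10:00:00 +0000"
    original["Message-ID"] = "<constructed-1@example.net>"
    original["Subject"] = "Verify your account"
    original.set_content("Your account is locked, sign in to restore access.")
    if mode == "stripped":
        del original["Received"]  # simulates trace headers lost before reporting
    report = EmailMessage()
    report["From"] = "user@example.com"
    report["To"] = "reports@example.com"  # placeholder, not a real submission address
    report["Subject"] = "Fwd: Verify your account"
    if mode == "inline":
        report.set_content("---- Forwarded message ----\nFrom: billing@example.net\n\n"
                           "Your account is locked, sign in to restore access.")
    else:
        report.set_content("Reporting the attached message.")
        report.add_attachment(original)  # becomes a message/rfc822 part
    return report.as_bytes()

if __name__ == "__main__":
    for mode in ("attached", "stripped", "inline"):
        print(mode, check_submission(build_report(mode)) or "looks well-formed")
```

An empty list means the report has the expected structure; it does not show that the original content or links were left unmodified, which the rejection criteria also require.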
Bulk messages caveat: The intended use of the Email Status Portal is for individual users to submit individual email messages. Bulk messages (e.g. ~1000’s per day) generated by scripts or other automated tooling are not guaranteed to be processed. The most reliable way to submit messages in bulk is to release them from quarantine. Messages released from quarantine will not be shown in the Email Status Portal.
Customers should engage with Cisco TAC to diagnose specific submission issues.
Differing Statuses
Note that if multiple identical copies of the same email are submitted with different suggested types, the status results may differ across those duplicate messages.