Incoming email messages are processed in the following order in the ESA:

• Reputation filters: This component provides threat prevention using reputation filters. It's the first line of defence of spam protection for emails entering an organization. Acceptance is based on the sender's trustworthiness; this can be affected if a domain is known for sending high volumes of marketing emails or if the domain is infected with malware. This is based on online-reputation service databases. Any known good email is routed around spam filters, and unknown emails are routed to the anti-spam filters.
• Message filters: Incoming email messages are subjected to policy enforcement with message filters. This is the second line of defence; the email content security system implements message filters that use special rules and describe how to process messages and attachments.
• Antispam: This component handles spam detection on incoming messages. It uses text filters and client filters, email reputation, message content, message structure, and web reputation.
• Antivirus: This component is the virus-detection engine for identifying and blocking any sort of viruses, such Trojans, worms, and bots, from entering the organization via email.
• Advanced Malware Protection: As mentioned in the previous section, Cisco AMP is integrated in the Cisco ESA for improved reputation scanning, file analysis, and the detection of malware in attachments and incoming email messages.
• Content Filters: The content filters component handles the filtering of specific file types or content, adding disclaimers and rerouting messages to other systems.
• Outbreak Filters: The last line of defence is the outbreak filters, used to block newly released viruses and stops files with infected file characteristics: