According to Cisco, this feature is not enabled by default, and the company said that “deployment guides for these products do not require this feature to be directly exposed to the internet.” This makes it sound as if customers enabling the feature would be the exception.
While that’s probably true — exposing a service like this through a public port goes against best practice — one use case referenced in Cisco’s User Guide would be to allow remote users to check quarantined spam for themselves. The number of organizations using these products that have enabled it for this reason is, of course, impossible to say.
To recap, Cisco said that vulnerable customers are those running Cisco AsyncOS Software with Spam Quarantine both turned on and exposed to and reachable from the internet. Given that no workarounds are possible, this implies that simply turning off access through a public interface (by default, port 6025, or 82/83 for the web portal) isn’t sufficient on its own.
