Overview of Sender Domain Reputation Filtering
Cisco Talos Sender Domain Reputation (SDR) is a cloud service that provides a reputation verdict for email messages based on the domains provided in the email envelope and header. Examples include domains taken from HELO/EHLO strings, envelope and header "From" addresses, "Reply-to" addresses, and "List-Unsubscribe" headers.
The domain-based reputation analysis enables a higher spam catch rate by looking beyond the reputation of shared IP addresses, hosting or infrastructure providers, and derives verdicts based on features that are associated with fully qualified domain names (FQDNs) and other sender information in the Simple Mail Transfer Protocol (SMTP) conversation and message headers.
The Sender Domain Age option is replaced with Sender Maturity from AsyncOS 14.2.x release onwards. Sender Maturity is an important feature to establish sender reputation. Sender Maturity is automatically generated for spam classification based on multiple sources of information and can differ from “Whois-based domain age.” Sender Maturity is set to a limit of 30 days, and beyond this limit, a domain is considered mature as an email sender, and no further details are provided.
From this release onwards, an additional Sender Domain Reputation check is performed after the sender header of the message is received. Messages with a Threat Level that matches the configured SDR reject level (in your email gateway) are rejected.
Note: From this release onwards, the 'SDR Domain Age' configured filters are automatically updated to the 'SDR Sender Maturity' filters. The filters with an invalid value for Sender Maturity are marked as 'inactive' after the upgrade. Make sure you review and modify the message and content filters accordingly.
Note: The Sender Maturity functionality uses the current time of your email gateway to display the Sender Maturity information in the logs and to match the required filter conditions. Make sure your email gateway is configured with the correct time based on your time zone.
After you upgrade to AsyncOS 14.2.x release, the legacy SDR verdicts in the content or message filters, reporting, and message tracking are replaced with the new SDR verdicts as follows:
- Untrusted
- Questionable
- Neutral
- Favorable
- Trusted
- Unknown
For more information about the recommended actions you can take for each new SDR verdict, see SDR Verdicts.
For more information, see the Cisco Talos Sender Domain Reputation (SDR) white paper in the Security Track of the Cisco Customer Connection program at http://www.cisco.com/go/ccp.
SDR Verdicts
The following table lists the SDR verdict names, descriptions, and recommended actions:

| Verdict Name | Description | Recommended Action |
|---|---|---|
| Untrusted | The worst reputation verdict. Safest recommended blocking threshold. Expect to see false-negatives (FN) if the blocking threshold is set to only this verdict, which prioritizes delivery over security. | Block the message. |
| Questionable | This verdict has a low and relatively safe false-positive (FP) rate and might not be safe for all organizations. Not blocking on this verdict prioritizes delivery over security, but it results in false-negatives. | Scan the message with the other engines configured on your email gateway. Block only after review. For more information, see Tuning Sender Domain Reputation Policy. |
| Neutral | The most common verdict, assigned to legitimate and mixed-use domains, associated with weak indicators that prevent a favorable verdict. | Scan the message with the other engines configured on your email gateway. |
| Favorable | The sender is using a fair domain that is not a new domain. The sender is following sender best practices, including, but not limited to, using SPF, DKIM-signing, employing DMARC, and not sending spam. | Scan the message with the other engines configured on your email gateway. |
| Trusted | A rare verdict that indicates the sender is using a certified domain, where messages are authenticated by DKIM (aligned on the "From:" header domain). | Allow the message. To bypass subsequent engines, use Message Filter rules such as "skip-spamcheck," "skip-viruscheck," and so on; see the "Message Filter Actions" section in Using Message Filters to Enforce Email Policies. |
| Unknown | The sender is using domains that SDR does not recognize or cannot use to establish a reputation. | Scan the message with the other engines configured on your email gateway. |
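The policy logic described above (the Sender Maturity 30-day cap computed from the gateway clock, the inactive state of filters with an out-of-range maturity value, and the per-verdict recommended actions) as an added illustration in Python; this is not Cisco's code, and the reject-level threshold semantics, the `maturity_filter_is_active` and `young_sender_filter` helpers, and all sample values are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Verdicts ordered from worst to best; "Unknown" sits outside this scale.
SDR_SCALE = ["Untrusted", "Questionable", "Neutral", "Favorable", "Trusted"]
MATURITY_CAP_DAYS = 30  # beyond this SDR reports the sender as mature, no further detail


def sender_maturity_days(first_seen, gateway_now):
    """Days the sender has been seen, clamped to 0..30 as the page describes.
    The gateway clock (gateway_now) is the reference, which is why it must be correct."""
    days = (gateway_now - first_seen).days
    return max(0, min(days, MATURITY_CAP_DAYS))


def maturity_filter_is_active(condition_days):
    """Assumption: a Sender Maturity filter value outside 0..30 is the 'invalid value'
    that the upgrade marks as inactive."""
    return isinstance(condition_days, int) and 0 <= condition_days <= MATURITY_CAP_DAYS


def sdr_action(verdict, reject_level="Untrusted"):
    """Recommended action for a verdict. Assumption: the configured reject level is a
    threshold, so every verdict at or below it on the scale is rejected."""
    if verdict not in SDR_SCALE:
        return "scan"  # Unknown, or anything unrecognised, goes to the other engines
    if SDR_SCALE.index(verdict) <= SDR_SCALE.index(reject_level):
        return "reject"
    if verdict == "Trusted":
        return "allow"
    return "scan"


def young_sender_filter(verdict, maturity_days, max_days):
    """Hypothetical tuning filter: fires on Questionable mail from senders seen for
    fewer than max_days. An inactive (invalid) filter never fires."""
    if not maturity_filter_is_active(max_days):
        return False
    return verdict == "Questionable" and maturity_days < max_days


if __name__ == "__main__":
    # Constructed sample: gateway clock and a sender first seen 45 days ago.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(sender_maturity_days(now - timedelta(days=45), now))   # 30 (capped)
    print(sdr_action("Questionable", reject_level="Questionable"))  # reject
    print(young_sender_filter("Questionable", 12, 31))  # False, filter is inactive
```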