Sender Reputation Filtering

This chapter contains the following sections:

Overview of Sender Reputation Filtering

Sender reputation filtering is the first layer of spam protection, allowing you to control the messages that come through the email gateway based on senders’ trustworthiness as determined by the Cisco SenderBase™ Reputation Service.

The appliance can accept messages from known or highly reputable senders — such as customers and partners — and deliver them directly to the end user without any content scanning. Messages from unknown or less reputable senders can be subjected to content scanning, such as anti-spam and anti-virus scanning, and you can also throttle the number of messages you are willing to accept from each sender. Email senders with the worst reputation can have their connections rejected or their messages bounced based on your preferences.


Note
File reputation filtering is a separate service. For information, see File Reputation Filtering and File Analysis

SenderBase Reputation Service

The Cisco SenderBase Reputation Service, using global data from the SenderBase Affiliate network, assigns a SenderBase Reputation Score to email senders based on complaint rates, message volume statistics, and data from public blocked lists and open proxy lists. The SenderBase Reputation Score helps to differentiate legitimate senders from spam sources. You can determine the threshold for blocking messages from senders with low reputation scores.

The SenderBase Security Network website ( https://talosintelligence.com) provides a global overview of the latest email and web-based threats, displays current email traffic volume by country, and allows you to look up reputation scores based on IP address, URI or Domain.


Note
The SenderBase Reputation Service is only available with a current anti-spam feature key.

Related Topics

SenderBase Reputation Score (SBRS)

The SenderBase Reputation Score (SBRS) is a numeric value assigned to an IP address based on information from the SenderBase Reputation Service. The SenderBase Reputation Service aggregates data from over 25 public blocked lists and open proxy lists, and combines this data with global data from SenderBase to assign a score from -10.0 to +10.0, as follows:

Score

Meaning

-10.0

Most likely to be a source of spam

0

Neutral, or not enough information to make a recommendation

+10.0

Most likely to be a trustworthy sender

The lower (more negative) the score, the more likely that a message is spam. A score of -10.0 means that this message is “guaranteed” to be spam, while a score of 10.0 means that the message is “guaranteed” to be legitimate.

Using the SBRS , you configure the appliance to apply mail flow policies to senders based on their trustworthiness. (You can also create message filters to specify “thresholds” for SenderBase Reputation Scores to further act upon messages processed by the system. For more information, refer to “SenderBase Reputation Rule” and “Bypass Anti-Spam System Action.”)

Figure 1. The SenderBase Reputation Service


  1. SenderBase affiliates send real-time, global data
  2. Sending MTA opens connection with the appliance
  3. Appliance checks global data for the connecting IP address
  4. SenderBase Reputation Service calculates the probability that this message is spam and assigns a SenderBase Reputations Score
  5. Cisco returns the response based on the SenderBase Reputation Score

How SenderBase Reputation Filters Work

Sender Reputation filter technology aims to shunt as much mail as possible from the remaining security services processing that is available on the appliance . (See Understanding the Email Pipeline.)

When sender reputation filtering is enabled, mail from known bad senders is simply refused. Known good mail from global 2000 companies is automatically routed around the spam filters, reducing the chance of false positives. Unknown, or “grey” email is routed to the anti-spam scanning engine. Using this approach, Sender Reputation filters can reduce the load on the content filters by as much as 50%.

Figure 2. Sender Reputation Filtering Example


Recommended Settings for Different Sender Reputation Filtering Approaches

Depending on the objectives of your enterprise, you can implement a conservative, moderate, or aggressive approach.

Approach

Characteristics

Allowed _List

Blocked_ List

Suspectlist

Unknownlist

Sender Base Reputation Score range:

Conservative

Near zero false positives, better performance

7 to 10

-10 to -4

-4 to -2

-2 to 7

Moderate

(Installation default)

Very few false positives, high performance

Sender BaseReputation Scores are not used.

-10 to -3

-3 to -1

-1 to +10

Aggressive

Some false positives, maximum performance.

This option shunts the most mail away from Anti-Spam processing.

4 to 10

-10 to -2

-2 to -1

-1 to 4

All approaches

Mail Flow Policy:

Trusted

Blocked

Throttled

Accepted

Editing Sender Reputation Filtering Score Thresholds for a Listener

Use this procedure if you want to change the default SenderBase Reputation Service (SBRS) score thresholds or add a sender group for reputation filtering.


Note
Other settings related to (SBRS) Score thresholds, and Mail Flow Policy settings, are described in Defining Which Hosts Are Allowed to Connect Using the Host Access Table

Before You Begin

Procedure

Step 1

Select Mail Policies > HAT Overview.

Step 2

Select the public listener from the Sender Groups (Listener) menu.

Step 3

Click the link for a sender group.

For example, click the “SUSPECTLIST” link.

Step 4

Click Edit Settings.

Step 5

Enter the range of SenderBase Reputation Scores for this sender group.

For example, for “ALLOWED_LIST,” enter the range 7.0 to 10.

Step 6

Click Submit.

Step 7

Repeat as needed for each sender group for this listener.

Step 8

Commit changes.

What to do next

Related Topics

Testing Sender Reputation Filtering Using the SBRS

Unless you regularly receive a large portion of spam, or you have set up “dummy” accounts to specifically receive spam for your organization, it may be difficult to immediately test the SBRS policies you have implemented. However, if you add entries for reputation filtering with SenderBase Scores into a listener’s HAT as indicated in the following table, you will notice that a smaller percentage of inbound mail will be “unclassified.”

Test the policies using the trace command with an arbitrary SBRS. See Debugging Mail Flow Using Test Messages: Trace. The trace command is available in the CLI as well as the GUI.

Table 1. Suggested Mail Flow Policies for Implementing the SBRS

Policy Name

Primary Behavior (Access Rule)

Parameters

Value 


$BLOCKED


REJECT
 

None
 

$THROTTLED


ACCEPT

Maximum messages / session:

Maximum recipients / message:

Maximum message size:

Maximum concurrent connections:

Use Spam Detection:

Use TLS:

Maximum recipients / hour:

Use SenderBase:

10

20

1 MB

10

ON

OFF

20 (recommended)

ON 


$ACCEPTED

(Public Listener) 


ACCEPT

Maximum messages / session:

Maximum recipients / message:

Maximum message size:

Maximum concurrent connections:

Use Spam Detection:

Use TLS:

Use SenderBase:

1,000

1,000

100 MB

1,000

ON

OFF

ON 


$TRUSTED


ACCEPT

Maximum messages / session:

Maximum recipients / message:

Maximum message size:

Maximum concurrent connections:

Use Spam Detection:

Use TLS:

Maximum recipients / hour:

Use SenderBase:

1,000

1,000

100 MB

1,000

OFF

OFF

-1 (disabled)

OFF


Note
In the $THROTTLED policy, the maximum recipients per hour from the remote host is set to 20 recipients per hour, by default. Note that this setting controls the maximum throttling available. You can increase the number of recipients to receive per hour if this parameter is too aggressive. For more information on Default Host Access policies, see Understanding Predefined Sender Groups and Mail Flow Policies.

Monitoring the Status of the SenderBase Reputation Services

The SenderBase Reputation Score Service sends the SBRS scores to the appliance. The SenderBase Network Server sends the appliance information about the IP addresses, domains, and organizations that are sending mail to you. AsyncOS uses this data for its reporting and email monitoring features.

To view the status of the connections to these services, select Security Services > SenderBase.

The SenderBase page in the Security Services menu displays the connection status and the timestamp of the most recent query from the appliance to the SenderBase Network Status Server and SenderBase Reputation Score Service.

The sbstatus command in CLI displays the same information.

Entering Low SBRS Scores in the Message Subject

Although Cisco recommends throttling, an alternate way to use the SenderBase Reputation Service is to modify the subject line of suspected spam messages. To do this, use the message filter shown in the following table. This filter uses the reputation filter rule and the strip-header and insert-header filter actions to replace the subject line of messages having a SenderBase Reputation Score lower than -2.0 with a subject line that includes the actual SenderBase Reputation Score represented as: {Spam SBRS}. Replace listener_name in this example with the name of your public listener. (The period on its own line is included so that you can cut and paste this text directly into the command line interface of the filters command.)

Table: Message Filter to Modify Subject Header with SBRS: Example 1 

sbrs_filter: 

if ((recv-inj == "listener_name
" AND subject != "\\{Spam -?[0-9.]+\\}")) 

{

       insert-header("X-SBRS", "$REPUTATION");

       if (reputation <= -2.0) 

{

       strip-header("Subject");

       insert-header("Subject", "$Subject \\{Spam $REPUTATION\\}");

      }

 }

.

Related Topic