Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Chapter 7 Reputation Filtering
Reputation Filtering: the Cisco IronPort SenderBase Reputation Service
The Cisco IronPort SenderBase Reputation Service (available at
http://www.senderbase.org) is a service designed to help email administrators
better manage incoming email streams by providing objective data about the
identity of senders. The SenderBase Reputation Service is similar to a credit
reporting service for email; it provides data that enterprises can use to
differentiate legitimate senders from spam sources. Integrated directly into the
Cisco IronPort appliance GUI, the SenderBase Reputation Service provides
objective data that allows you to reliably identify and block IP addresses
originating unsolicited commercial email (UCE) or to verify the authenticity of
legitimate incoming email from business partners, customers, or any other
important source. The SenderBase Reputation Service is unique in that it provides
a global view of email message volume and organizes the data in a way that makes
it easy to identify and group related sources of email.
Note
If your Cisco IronPort appliance is set to receive mail from a local MX/MTA, you
must identify upstream hosts that may mask the sender's IP address. See Incoming
Relays, page 8-30 for more information.
Several key elements of the SenderBase Reputation Service are that it is:
• Non-spoofable
The email sender’s reputation is based on the IP addresses of the email sender.
Because SMTP is a two-way conversation over TCP/IP, it is nearly impossible to
“spoof” an IP address — the IP address presented must actually be controlled by
the server sending the message.
• Comprehensive
The SenderBase Reputation Service uses global data from the SenderBase
Affiliate network such as complaint rates and message volume statistics as well
as data from carefully selected public blacklists and open proxy lists to determine
the probability that a message from a given source is spam.
• Configurable
Unlike other “identity-based” anti-spam techniques like blacklists or whitelists
that return a simple yes/no decision, the SenderBase Reputation Service returns a
graduated response based on the probability that a message from that source is
spam. This allows you to set your own threshold for where you choose to block
spam and automatically assign senders to different groups based on their
SenderBase Reputation Score.
SenderBase Reputation Score (SBRS)
The SenderBase Reputation Score (SBRS) is a numeric value assigned to an IP
address based on information from the SenderBase Reputation Service. The
SenderBase Reputation Service aggregates data from over 25 public blacklists
and open proxy lists, and combines this data with global data from SenderBase to
assign a score from -10.0 to +10.0, as follows:

Score    Meaning
-10.0    Most likely to be a source of spam
0        Neutral, or not enough information to make a recommendation
+10.0    Most likely to be a trustworthy sender

The lower (more negative) the score, the more likely that a message is spam. A
score of -10.0 means that this message is “guaranteed” to be spam, while a score
of 10.0 means that the message is “guaranteed” to be legitimate.
Using the SBRS, you configure the Cisco IronPort appliance to apply mail flow
policies to senders based on their trustworthiness. (You can also create message
filters to specify “thresholds” for SenderBase Reputation Scores to further act
upon messages processed by the system. For more information, refer to
“SenderBase Reputation Rule” and “Bypass Anti-Spam System Action” in the
“Using Message Filters to Enforce Email Policies” chapter in the Cisco IronPort
AsyncOS for Email Advanced Configuration Guide.)
Figure 7-1 The SenderBase Reputation Service
Step 1 SenderBase affiliates send real-time, global data
Step 2 Sending MTA opens connection with the Cisco IronPort appliance
Step 3 Cisco IronPort appliance checks global data for the connecting IP address
Step 4 SenderBase Reputation Service calculates the probability this message is spam
and assigns a SenderBase Reputation Score
Step 5 Cisco IronPort returns the response based on the SenderBase Reputation Score
[Figure 7-1 labels: Sending MTA (1.2.3.4, HELO); IronPort appliance; SBRS Scoring Engine (global complaint data, global volume data, rule hits, SBRS = x.x for 1.2.3.4); SenderBase Affiliate Network; responses: 250-Recipient Accepted, or 452-Too many recipients this hour, or 554-Access Denied.]
Implementing SenderBase Reputation Filters
Cisco IronPort Reputation Filter technology aims to shunt as much mail as
possible away from the remaining security services processing that is available
on the Cisco IronPort appliance. (See Understanding the Email Pipeline, page 4-1.)
When reputation filtering is enabled, mail from known bad senders is simply
refused. Known good mail from Global 2000 companies is automatically routed
around the spam filters, reducing the chance of false positives. Unknown, or
“grey,” email is routed to the anti-spam scanning engine. Using this approach,
reputation filters can reduce the load on the content filters by as much as 50%.
Figure 7-2 Reputation Filtering Example
Table 7-2 lists a set of recommended policies for implementing SenderBase
reputation filtering. Depending on the objectives of your enterprise, you can
implement a conservative, moderate, or aggressive approach.
Note
Although Cisco recommends throttling, an alternative for implementing the
SenderBase Reputation Service is to modify the subject line of suspected spam
messages. To do this, use the message filter shown in Table 7-1. This
filter uses the reputation filter rule and the strip-header and insert-header
filter actions to replace the subject line of messages with a SenderBase Reputation
Score lower than -2.0 with a subject line that includes the actual SenderBase
Reputation Score represented as: {Spam SBRS}. Replace listener_name in this
example with the name of your public listener. (The period on its own line is
included so that you can cut and paste this text directly into the command line
interface of the filters command.)
Refer to the “Using Message Filters to Enforce Email Policies” chapter in the Cisco
IronPort AsyncOS for Email Advanced Configuration Guide for more
information.
Table 7-1 Message Filter to Modify Subject Header with SBRS: Example 1

sbrs_filter:
if ((recv-inj == "listener_name" AND subject != "\\{Spam -?[0-9.]+\\}"))
{
    insert-header("X-SBRS", "$REPUTATION");
    if (reputation <= -2.0)
    {
        strip-header("Subject");
        insert-header("Subject", "$Subject \\{Spam $REPUTATION\\}");
    }
}
.

Configuring Reputation Filtering
Configure reputation filtering via the Mail Policies > HAT Overview page. For
more information, see Implementing SenderBase Reputation Filters, page 7-6.
Conservative
A conservative approach is to block messages with a SenderBase Reputation
Score lower than -4.0, throttle between -4.0 and -2.0, apply the default policy
between -2.0 and +6.0, and apply the trusted policy for messages with a score
greater than +6.0. Using this approach ensures a near zero false positive rate while
achieving better system performance.
Moderate
A moderate approach is to block messages with a SenderBase Reputation Score
lower than -3.0, throttle between -3.0 and 0, apply the default policy between 0
and +6.0, and apply the trusted policy for messages with a score greater than +6.0.
Using this approach ensures a very small false positive rate while achieving better
system performance (because more mail is shunted away from Anti-Spam
processing).
Aggressive
An aggressive approach is to block messages with a SenderBase Reputation Score
lower than -2.0, throttle between -2.0 and 0.5, apply the default policy between 0
and +4.0, and apply the trusted policy for messages with a score greater than +4.0.
Using this approach, you might incur some false positives; however, this approach
maximizes system performance by shunting the most mail away from Anti-Spam
processing.
Note
It is also recommended that users assign all messages with a SenderBase Reputation
Score greater than 6.0 to the $TRUSTED policy.
Table 7-2 Recommended Phased Approach to Implementing Reputation Filtering using the SBRS

Policy         Blacklist    Throttle      Default      Whitelist
Conservative   -10 to -4    -4 to -2      -2 to 7      7 to 10
Moderate       -10 to -3    -3 to -1      -1 to 6      6 to 10
Aggressive     -10 to -2    -2 to -0.5    -0.5 to 4    4 to 10
The steps below outline a phased approach to implementing reputation filtering:
Implementing Reputation Filtering in a Listener’s HAT
To edit the default HAT entries for a public listener to include SBRS, perform the
following steps:
Step 1 From the Mail Policies tab, select Host Access Table > HAT Overview. Select the
public listener from the Sender Groups (Listener) menu. The HAT Overview page
shows the SenderBase Reputation Score settings for each Sender Group.
Policy:         Characteristics:
Conservative:   Near zero false positives, better performance
Moderate:       Very few false positives, high performance
Aggressive:     Some false positives, maximum performance

Mail Flow Policy to Apply: $BLOCKED, $THROTTLED, $DEFAULT
Figure 7-3 Listing Sender Groups’ SenderBase Reputation Score Ranges
The HAT Overview shows the range of SenderBase Reputation Scores that
are assigned to each sender group (the horizontal bar) as well as the
associated mail flow policy.
Step 2 Click the link for a sender group.
For example, click the “SUSPECTLIST” link. The Edit Sender Group page is
displayed:
Figure 7-4 Modifying a Sender Group’s SBRS Ranges
Step 3 Type the range of SenderBase Reputation Scores to define the sender group. You
can also define an optional comment.
For example, for “SUSPECTLIST,” enter a range from -4.0 to 0. Refer to
Sender Groups defined by SenderBase Reputation Scores, page 5-31 for the
syntax.
Step 4 Click Submit.
Repeat steps 2-5 for each group in the listener’s HAT. For example, define the
values for a conservative approach. You can configure the values shown in
Table 7-2 for a moderate or aggressive approach as well.
Note
Remember that order matters when defining sender groups in a listener’s
HAT. (The HAT is read from top to bottom for each host that attempts to
connect to the listener. If a rule matches a connecting host, the action is
taken for that connection immediately.) Cisco recommends maintaining
the default order of the predefined sender groups in a listener’s HAT —
that is, RELAYLIST (C10/100 customers only), followed by
WHITELIST, BLACKLIST, SUSPECTLIST, and UNKNOWNLIST.
Step 5 Click the Commit Changes button, add an optional comment if necessary, and
then click Commit Changes to finish implementing reputation filtering in a
listener’s HAT.
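Added example (not part of the Cisco guide and not Cisco code): an offline check of a planned set of sender-group SBRS ranges before they are typed into the HAT. It applies the top-to-bottom, first-match rule from the note above and reports uncovered scores, overlapping ranges and groups that can never match. Inclusive range bounds, one-decimal scores and the pairing of Table 7-2's columns with sender groups are assumptions; the FAULTY table is constructed.

```python
# Added example, not Cisco code. Assumed: inclusive range bounds, one-decimal
# scores, and Table 7-2 columns mapped onto the sender groups named below.
def tenths(x):
    return round(x * 10)  # integer tenths avoid float drift

def first_match(hat, score):
    """Read the HAT top to bottom; return (group, policy) of the first hit."""
    for group, lo, hi, policy in hat:
        if tenths(lo) <= tenths(score) <= tenths(hi):
            return group, policy
    return None  # no sender group claims this score

def audit(hat):
    """Report uncovered scores, overlapping ranges and groups that never win."""
    findings = []
    hits = {s: first_match(hat, s / 10) for s in range(-100, 101)}
    uncovered = [s for s, hit in hits.items() if hit is None]
    for s in uncovered:
        if s - 1 not in uncovered:  # start of a run of uncovered scores
            end = next(e for e in range(s, 102) if e + 1 not in uncovered)
            findings.append(f"gap {s / 10:+.1f}..{end / 10:+.1f}")
    for i, (g1, lo1, hi1, _) in enumerate(hat):
        for g2, lo2, hi2, _ in hat[i + 1:]:
            lo, hi = max(lo1, lo2), min(hi1, hi2)
            if tenths(hi) > tenths(lo):  # more than a shared boundary point
                findings.append(f"overlap {g1}/{g2} {lo:+.1f}..{hi:+.1f}, {g1} wins")
    winners = {hit[0] for hit in hits.values() if hit}
    findings += [f"shadowed {g}" for g, *_ in hat if g not in winners]
    return findings

# Conservative row of Table 7-2, kept in the default sender group order.
CONSERVATIVE = [
    ("WHITELIST",     7.0, 10.0, "$TRUSTED"),
    ("BLACKLIST",   -10.0, -4.0, "$BLOCKED"),
    ("SUSPECTLIST",  -4.0, -2.0, "$THROTTLED"),
    ("UNKNOWNLIST",  -2.0,  7.0, "$ACCEPTED"),
]

# Constructed faulty HAT: catch-all group moved to the top, one mistyped bound.
FAULTY = [
    ("UNKNOWNLIST", -2.0, 10.0, "$ACCEPTED"),
    ("WHITELIST",    7.0, 10.0, "$TRUSTED"),
    ("BLACKLIST",  -10.0, -4.0, "$BLOCKED"),
    ("SUSPECTLIST", -3.0, -2.0, "$THROTTLED"),
]

if __name__ == "__main__":
    print(first_match(CONSERVATIVE, -2.0), audit(CONSERVATIVE), audit(FAULTY))
```

With the conservative ranges, a score that sits exactly on a shared boundary (such as -2.0 or 7.0) goes to whichever group is listed first, which is why the default group order matters.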
Testing Reputation Filtering Using the SBRS
Unless you regularly receive a large portion of spam, or you have set up “dummy”
accounts to specifically receive spam for your organization, it may be difficult to
immediately test the SBRS policies you have implemented. However, if you add
entries for reputation filtering with SenderBase Reputation Scores into a listener’s
HAT as indicated in Table 7-3, you will notice that a smaller percentage of
inbound mail will be “unclassified.”
Sender Group   SBRS Range   Mail Flow Policy
WHITELIST      6 to 10      TRUSTED
BLACKLIST      -10 to -7    BLOCKED
SUSPECTLIST    -7 to -2     THROTTLED
UNKNOWNLIST    -2 to 6      ACCEPTED
You test the policies you have created using the trace command with an arbitrary
SBRS. See Debugging Mail Flow Using Test Messages: Trace, page-446. The
trace command is available in the CLI as well as the GUI.
Table 7-3 Suggested Mail Flow Policies for Implementing the SBRS

Policy Name         Primary Behavior   Parameters                         Value
                    (Access Rule)
$BLOCKED            REJECT             None
$THROTTLED          ACCEPT             Maximum messages / session:        10
                                       Maximum recipients / message:      20
                                       Maximum message size:              1 MB
                                       Maximum concurrent connections:    10
                                       Use Spam Detection:                ON
                                       Use TLS:                           OFF
                                       Maximum recipients / hour:         20 (recommended)
                                       Use SenderBase:                    ON
$ACCEPTED           ACCEPT             Maximum messages / session:        1,000
(Public Listener)                      Maximum recipients / message:      1,000
                                       Maximum message size:              100 MB
                                       Maximum concurrent connections:    1,000
                                       Use Spam Detection:                ON
                                       Use TLS:                           OFF
                                       Use SenderBase:                    ON
$TRUSTED            ACCEPT             Maximum messages / session:        1,000
                                       Maximum recipients / message:      1,000
                                       Maximum message size:              100 MB
                                       Maximum concurrent connections:    1,000
                                       Use Spam Detection:                OFF
                                       Use TLS:                           OFF
                                       Maximum recipients / hour:         -1 (disabled)
                                       Use SenderBase:                    OFF