Guest

Cisco Email Security Appliance

ESA FAQ: What does the SBRS value of "none" mean, and how can you detect these scores?

Document ID: 117903

Updated: Dec 08, 2014

Contributed by Chris Haag and Enrico Werner, Cisco TAC Engineers.

   Print

Introduction

This document describes how to understand and detect the SenderBase Reputation Score (SBRS).

What does the SBRS value of "none" mean, and how can you detect these scores?

The SBRS is assigned to an IP address based on over 50 different factors, such as email volume, user complaints, and spamtrap hits. The SBRS can range from -10 to +10, and reflects the probability that mail from a sending IP address is spam. Highly negative scores indicate senders who are very likely to send spam; highly positive scores indicate senders who are unlikely to send spam. 

However, some IP addresses have a SenderBase score of "none." If the ESA is unable to contact the SBRS servers, the connecting IP address receives a score of "none". SBRS data is very timely and the appliance does not cache SBRS scores beyond approximately 30 minutes. If there were an intermittent connection problem to the SBRS servers, it is possible that a previously "scored" IP address will show up as a "none" score.

Otherwise, the SenderBase score is based on objective data that SenderBase collects about an IP address. It is possible that there is not sufficient history and information for a given IP address to assign it an accurate reputation. This means that the volume of mail that comes from the IP address for the last 30 days is very low, or no mail has been seen in that time period. SenderBase determined that this IP address has low volume, which is calculated with a sample of total worldwide email traffic. If there is low volume for a given server/domain, it might not appear in the samples collected by SenderBase. The level of volume might not be high enough to be statistically significant. There is not an exact threshold for when the traffic is high enough to start accumulating a score, but current email traffic is estimated to be about ten billion messages per day. Top sending hosts on a given day may send close to ten million messages each day. Against this background, a server that sends a few hundred emails a day is not likely to register. There are no complaints about this IP address, and this address does not appear on any of the DNS-based blacklists.

Note: A score of "none" does not equate to a score of "0". A score of 0.0 means that SenderBase has collected equal amounts of positive and negative information about this sender, and has assigned it a neutral reputation

It is easy to add "none" reputation senders to a SENDERGROUP via the web GUI:

Go to Mail Policies > HAT Overview and choose a SENDERGROUP. Cisco recommends that you go to "SUSPECTLIST" > Edit Settings and check the checkbox to add the "none" scored senders to the group.

Note: Cisco does not recommend that you reject or drop connections from SBRS "none" senders. If there were an issue that prevents a connection to the highly redundant farm of SBRS servers, your Cisco Email Security Appliance (ESA) would drop all of your inbound mail. In most cases, you should either use an ACCEPT or THROTTLE mail flow policy instead

These sendergroups can be changed on a per-sender basis if you add the sender's IP address to a sender group in the Host Access Table (HAT). If you want to match a SenderBase Reputation Score of "none" in a message filter, you cannot input:

"if (reputation == "(?i)none""

This is because the reputation is a numeric value, and it cannot be compared to a string.  However, a simple negative filter will match "none" scores:

sbrs_none:
if not (reputation <= 10)
{
insert-header('X-SBRS-none', '$reputation');
}

Note: The behavior of SBRS score comparisons is the same if SBRS scores are disabled on a listener or if they are actually missing: in both cases, the data is missing.

Updated: Dec 08, 2014
Document ID: 117903