Cisco Email Security Appliance

What does the SenderBase Reputation Score (SBRS) value of "none" mean, and how can I detect these scores?

Document ID: 117903

Updated: Jul 09, 2014

Contributed by Chris Haag and Enrico Werner, Cisco TAC Engineers.




The SenderBase Reputation Score (SBRS) is assigned to an IP address based on over 50 different factors, such as email volume, user complaints, and spamtrap hits. The SBRS can range from -10 to +10, reflecting the probability that mail from a sending IP address is spam.  Highly negative scores indicate senders who are very likely to be sending spam; highly positive scores indicate senders who are unlikely to be sending spam.  However, some IP addresses will have a SenderBase score of "none."

If the ESA is unable to contact our SBRS servers, the connecting IP will receive a "none" score -- SBRS data is very timely and the appliance does not cache SBRS scores beyond about 30 minutes. If there were an intermittent connection problem to the SBRS servers, it is possible that a previously "scored" IP will show up as a "none" score.

Otherwise, because the SenderBase score is based on objective data that SenderBase collects about an IP address, it is possible that we do not have sufficient history and information for a given IP address to assign it an accurate reputation. This means that:

The volume of mail coming from the IP address for the last 30 days is very low, or no mail has been seen during that time period.
There are no complaints about this IP address, and this address does not appear on any of the DNS-based blacklists.
Note: A score of "none" does not equate to a score of "0". A score of 0.0 means that SenderBase has collected equal amounts of positive and negative information about this sender, and has assigned it a neutral reputation.

Adding "none" reputation senders to a SENDERGROUP is easy, via the web GUI:

Mail Policies > HAT Overview > Click a SENDERGROUP, we recommend your "SUSPECTLIST" > Edit Settings > Click the checkbox to add the none scored senders to the group.

NOTE: We do not recommend rejecting or dropping connections from SBRS "none" senders. If there were an issue preventing a connection to our highly redundant farm of SBRS servers, your ESA would drop all of your inbound mail.

If you want to match a SenderBase Reputation Score of none in a message filter, you can't say if (reputation == "(?i)none"). This is because the reputation is a numeric value, and cannot be compared to a string. However, a simple negative filter will match none scores:

if not (reputation <= 10) {
    insert-header('X-SBRS-none', '$reputation');
}

Note that the behavior of SBRS score comparisons is the same if SBRS scores are disabled on a listener or if they are actually missing: in both cases, the data are missing.
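
The two causes of a "none" score described above (a sender with no history versus a previously scored IP that loses its score when the SBRS servers cannot be reached) can also be told apart offline from exported mail logs. The Python below is an added example, not Cisco code; the log line shapes, the function name classify_none_scores and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed mail_logs line shapes; not shown on the page, may vary by AsyncOS version.
NEW_CONN = re.compile(r"New SMTP ICID (\d+) .*?\baddress (\S+)")
VERDICT = re.compile(r"ICID (\d+) (?:ACCEPT|RELAY|REJECT|TCPREFUSE) SG \S+ match .*? SBRS (\S+)")

def classify_none_scores(lines):
    """Return (unknown, lost) for senders logged with SBRS None.
    unknown: IPs only ever logged with None (no reputation history).
    lost:    IPs logged with a numeric score and later None (suggests a failed lookup).
    """
    icid_ip = {}                  # ICID -> connecting IP
    history = defaultdict(list)   # IP -> scores in log order (None = "none")
    for line in lines:
        if m := NEW_CONN.search(line):
            icid_ip[m.group(1)] = m.group(2)
        elif (m := VERDICT.search(line)) and m.group(1) in icid_ip:
            raw = m.group(2)
            try:
                score = None if raw.lower() == "none" else float(raw)
            except ValueError:
                continue          # other non-numeric values are not "none"
            history[icid_ip[m.group(1)]].append(score)
    unknown, lost = set(), set()
    for ip, scores in history.items():
        if None not in scores:
            continue
        if any(s is not None for s in scores[:scores.index(None)]):
            lost.add(ip)
        elif all(s is None for s in scores):
            unknown.add(ip)
    return unknown, lost

# Constructed sample lines (documentation IP ranges), not real appliance output.
SAMPLE_LOG = [
    "Jul  8 09:00:01 Info: New SMTP ICID 101 interface Data1 (10.0.0.5) address 192.0.2.10 reverse dns host mail.example.net verified yes",
    "Jul  8 09:00:01 Info: ICID 101 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 4.2",
    "Jul  8 09:05:10 Info: New SMTP ICID 102 interface Data1 (10.0.0.5) address 198.51.100.7 reverse dns host unknown verified no",
    "Jul  8 09:05:10 Info: ICID 102 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None",
    "Jul  8 09:20:44 Info: New SMTP ICID 103 interface Data1 (10.0.0.5) address 192.0.2.10 reverse dns host mail.example.net verified yes",
    "Jul  8 09:20:44 Info: ICID 103 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None",
    "Jul  8 09:21:02 Info: New SMTP ICID 104 interface Data1 (10.0.0.5) address 10.0.0.9 reverse dns host unknown verified no",
    "Jul  8 09:21:02 Info: ICID 104 RELAY SG RELAYLIST match 10.0.0.0/8 SBRS rfc1918",
]

if __name__ == "__main__":
    unknown, lost = classify_none_scores(SAMPLE_LOG)
    print("no history:", sorted(unknown), "| score lost:", sorted(lost))
```

Many addresses in the "score lost" set over a short period point to a connectivity problem between the ESA and the SBRS servers rather than to new senders.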
