Cisco Email Security Appliance

How do I modify the subject header to flag messages that have a low SenderBase Reputation Score (SBRS)?

Document ID: 117977

Updated: Jul 17, 2014

Contributed by Nasir Shakour and Enrico Werner, Cisco TAC Engineers.

Question

How do I modify the subject header to flag messages that have a low SenderBase Reputation Score (SBRS)?

The SenderBase Reputation Score (SBRS) is a value between -10 and +10 assigned to an IP address, reflecting the likelihood that the address is currently being used to send spam. (Some addresses for which no information is available return a "none" score.) You can use this score in many ways as part of your enterprise spam management policy. Some network managers may want to tag messages with their SBRS scores so that filters further down their email pipeline can act on the scores.

To use SBRS scores, the listener must have SenderBase queries enabled. This is the default behavior, and can only be changed from the CLI using listenerconfig->edit->setup. (Note that even if SBRS is disabled, you will still see SBRS score reports of "None" for each sending host in the mail_logs file.) The SBRS score is based on the sending IP address of the message and is available for all messages, although it may be "None," meaning that no SBRS score is available for that IP address.

The SBRS score is stored in a variable, $REPUTATION, that is available to you in message filters (and in other places). This variable can be tested to determine some filter action, and it can be used in filter actions such as adding headers to messages. The following message filter shows how you can add the SenderBase score and other HAT-based policy parameters as body headers to any message sent through a particular listener "InboundMail":

AddHATDataForInbound:
if (recv-inj == "InboundMail")
{
  insert-header ('X-SBRS', '$REPUTATION');
  insert-header ('X-SenderGroup', '$GROUP');
  insert-header ('X-MailFlowPolicy', '$POLICY');
}

Note - Senders for which there are no SBRS scores will have a $REPUTATION value of "None"; senders that fall into no specific Sender Group will have a Sender Group of "<Unknown>" and a Mail Flow Policy of "$ACCEPTED".

The message filter below is more complex. It always records the SBRS score in an "X-" header in the message. If the SBRS score is less than or equal to -2.0, it also appends the reputation to the end of the message subject, enclosed in curly brackets. The filter also tries not to mark the subject line more than once:

MarkSBRSinSubject:
if ( (recv-inj == "InboundMail") AND
     (subject != "\\{SBRS .*\\}$") )
{
  insert-header("X-SBRS", "$REPUTATION");
  if (reputation <= -2.0)
  {
    strip-header("Subject");
    insert-header("Subject", "$Subject \\{SBRS $REPUTATION\\}");
  }
}
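
A sketch of how a filter further down the email pipeline could act on the X-SBRS header and the subject tag that the filters above add. This is an added example, not Cisco's code: the function names are hypothetical, the sample messages are constructed, and refusing to trust a message that carries more than one X-SBRS header is a design choice of this example.

```python
import re
from email import message_from_string

THRESHOLD = -2.0                           # same cut-off as the filter above
SUBJECT_TAG = re.compile(r"\{SBRS .*\}$")  # same pattern the filter tests


def parse_sbrs(value):
    """Return the score as a float, or None for "None" or any invalid value."""
    try:
        score = float(value.strip())
    except ValueError:
        return None
    # SBRS lies between -10 and +10; anything else (incl. nan/inf) is rejected.
    return score if -10.0 <= score <= 10.0 else None


def classify(raw_message):
    """Return 'low', 'ok', 'unscored' or 'conflict' for one message."""
    headers = message_from_string(raw_message).get_all("X-SBRS") or []
    if len(headers) > 1:
        # Assumption of this example: duplicates mean one copy may not come
        # from the appliance, so none of them is trusted.
        return "conflict"
    score = parse_sbrs(headers[0]) if headers else None
    if score is None:
        return "unscored"
    return "low" if score <= THRESHOLD else "ok"


def subject_is_tagged(raw_message):
    """True if the Subject already ends with a {SBRS ...} tag."""
    subject = message_from_string(raw_message).get("Subject", "")
    return bool(SUBJECT_TAG.search(subject))


def make(*headers):
    """Build a constructed sample message from (name, value) pairs."""
    return "".join(f"{k}: {v}\n" for k, v in headers) + "\nbody\n"


# Constructed sample messages, not real mail.
LOW = make(("Subject", "Invoice {SBRS -4.2}"), ("X-SBRS", "-4.2"))
GOOD = make(("Subject", "Minutes"), ("X-SBRS", "3.1"))
NO_SCORE = make(("Subject", "Hello"), ("X-SBRS", "None"))
DUPLICATE = make(("Subject", "Hi"), ("X-SBRS", "9.0"), ("X-SBRS", "-6.0"))
```
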