THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Migration to new field notice system
|Affected OS Type
||Affected Release Number
||Web Based Reputation Score (WBRS) ranges on ESA needs updating|
The Suspect range used in the Email Security Appliance's (ESA's) URL reputation has been changed from (-5.9 to +5.9) to (-5.9 to -5.0).
In ASYNCOS Version 8.5.5 for Email, Cisco introduced the URL Reputation feature in order to filter emails with URLs that fall into these four categories:
1. Malicious (-10 to -6.0)
2. Suspect (-5.9 to +5.9)
3. Clean (+6.0 to +10.0)
4. Custom range
On Thursday July 23, 2015 Cisco Threat Intelligence, through ongoing research and sensor information, realized that the current implementation of the Web Based Reputation Score (WBRS) service did not fully block malicious URL traffic. A decision was made to more aggressively block malicious URLs/domains. As a result of this change, a large numbers of URLs shifted score from the +3.0 to the -3.0 scoring.
Due to this recategorization, email messages which contain URLs that have changed the score might fall into other reputation ranges and might have been quarantined (or tagged, or any other action selected during configuration).
The change alters the behavior of the URL filtering on the ESAs if the default 'Suspect' range, or a custom range, is in use. These changes caused any of the message filters or content filters that use the URL Reputation condition to activate its action more frequently. The action can be 'tagging the message', 'quarantine', 'defang', BCC, 'drop', and so on.
If the new definition of Suspect range feels uncomfortable and you want to keep the same range, you do not need to change anything in your configuration. If the number of email messages that have been quarantined (or tagged, or any other action selected during configuration) is too high and you want to adapt to the new Suspect range, complete these steps:
1. Browse to your Incoming Content Filters via Mail Policies > Incoming Content Filters. Review all Contents filters with a condition or action(s) that leverages the Suspect or Custom URL range:
URL Reputation url-reputation(-5.90, 5.90 , "")
URL Reputation url-reputation-defang(-5.90, 5.90,"",0)
URL Reputation url-reputation-proxy-redirect(-5.90, 5.90,"",0)
URL Reputation url-reputation-replace(-5.90, 5.90,"myproxy.internal","",0)
2. Replace all identified actions or conditions with the new custom range:
URL Reputation url-reputation(-5.90, -5.0 , "")
URL Reputation url-reputation-defang(-5.90, -5.0,"",0)
URL Reputation url-reputation-proxy-redirect(-5.90, -5.0,"",0)
URL Reputation url-reputation-replace(-5.90, -5.0,"myproxy.internal","",0)
3. Once the content filters changes are complete, commit all changes.
Example of a Message Filter
URL_categories: if url-reputation(-5.90, 5.9 , "")
In order to change the existing message filter, complete these steps:
1. SSH into the appliance.
2. Enter the command filters.
3. Review the message filters that leverage the url-reputation, or have an action of url-reputation-defang, url-reputation-proxy-redirect, or url-reputation-replace.
4. Once the filter is identified, copy it to a text application.
5. Change all references to +5.9 to -5.0.
6. Enter the filters command again, follow the option of new, and paste your modified filter.
Example of a Changed Message Filter
URL_categories: if url-reputation(-5.90, -5.0 , "")
Once the message filters have been updated, commit all changes.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.