This document describes what data is sent from the Email Security Appliance (ESA) to SenderBase when SenderBase Network Participation is enabled.
What data is sent to SenderBase when SenderBase Network Participation is enabled?
The ESA can participate in SenderBase in several different ways, including retrieving SenderBase scores and feeding SenderBase information about attachments and email volumes.
SenderBase Score Retrieval Information Disclosure
SBRS scores are retrieved by DNS queries. Any SMTP listener that has SBRS enabled at the listener level (CLI: listenerconfig > edit > setup) queries the SenderBase servers for information about email senders based on their IP address. These queries disclose several things about your company to SenderBase. Because SenderBase DNS data are only available to Cisco customers, the SenderBase queries include part of your system serial number. In addition, because each SenderBase query asks about a particular IP address, the query itself discloses that certain IP addresses are connecting to your ESA. Information sent to and from SenderBase regarding SBRS scores is not encrypted.
You can avoid disclosing this information to SenderBase by disabling SenderBase queries on a per-listener basis. This can only be done in the ESA's CLI as shown below.
Note: SenderBase queries are enabled by default on every listener even if you do not use them in any Sender Groups.
The CLI dialog shown below gives an example of how you can disable sending SenderBase queries:
Currently configured listeners:
1. InboundMail (on Data 2, 192.168.195.101) SMTP TCP Port 25 Public
2. OutboundMail (on Data 1, 172.20.0.101) SMTP TCP Port 25 Private

Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
> EDIT

Enter the name or number of the listener you wish to edit.
> 1

Name: InboundMail
Type: Public
Interface: Data 2 (192.168.195.101/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 50 (TCP Queue: 50)
Domain Map: Disabled
TLS: No
SMTP Authentication: Enabled
Bounce Profile: Default
Use SenderBase For Reputation Filters and IP Profiling: Yes
Footer: None
LDAP: smtpauth (PublicLDAP.smtpauth)

Choose the operation you want to perform:
- NAME - Change the name of the listener.
- INTERFACE - Change the interface.
- LIMITS - Change the injection limits.
- SETUP - Configure general options.
- HOSTACCESS - Modify the Host Access Table.
- RCPTACCESS - Modify the Recipient Access Table.
- BOUNCECONFIG - Choose the bounce profile to use for messages injected on this listener.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
- LDAPACCEPT - Configure an LDAP query to determine whether a recipient address should be accepted or bounced/dropped.
- SMTPAUTH - Configure an SMTP authentication.
> SETUP

Listener InboundMail Options

Default Domain: example.com
Add "Received:" Header: Yes
Clean messages of bare CR/LF: Yes
Enable SenderBase Reputation Filters and IP Profiling: Yes
SenderBase query timeout: 5
SenderBase per-connection timeout: 20
Footer Attachment: <none configured>
Address Parser Type: Loose

Choose the operation you want to perform:
- DEFAULTDOMAIN - Configure a default domain name.
- RECEIVED - Set whether or not a Received: header is added.
- CLEANSMTP - Set whether or not to repair bare CR and LF in messages.
- SENDERBASE - Set SenderBase options.
- FOOTER - Configure to add a footer to every message.
- ADDRESS - Configure email address restrictions.
> SENDERBASE

Would you like to enable SenderBase Reputation Filters and IP Profiling support? [Y]> N

Listener InboundMail Options

Default Domain: example.com
Add "Received:" Header: Yes
Clean messages of bare CR/LF: Yes
Enable SenderBase Reputation Filters and IP Profiling: No
Footer Attachment: <none configured>
Address Parser Type: Loose
SenderBase Data Disclosure
The ESA can send additional information to SenderBase specifically for the purpose of improving response time in threat detection and mail volume changes. Cisco recognizes that privacy is important to you, so SenderBase is designed and operated with the protection of your privacy in mind. SenderBase does not collect individually identifying information for messages or recipients and any information about your network is treated confidentially by Cisco.

You can enable or disable the sending of information to SenderBase either in the GUI or within the CLI. To control SenderBase participation in the GUI, select Security Services > SenderBase. The following CLI example shows disabling of SenderBase information sharing:
mail.example.com> senderbaseconfig

Share statistical data with SenderBase: Enabled

Choose the operation you want to perform:
- SETUP - Configure SenderBase Network Participation settings
> setup

Do you want to share statistical data with the SenderBase Information Service (recommended)? [Y]> n

The system will no longer share data with SenderBase.
Are you sure you want to disable? [N]> y

Share statistics with SenderBase Information Service: Disabled

Choose the operation you want to perform:
- SETUP - Configure SenderBase Network Participation settings
>
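
The following Python example is added here and is not Cisco code. It audits a saved CLI transcript for the two settings this document covers, per-listener SenderBase queries (listenerconfig) and statistical data sharing (senderbaseconfig), and reports the final state when the transcript records a change. The sample transcript is constructed from the output format shown above, and the function names are illustrative.

```python
import re

# Constructed transcript in the output format shown in this document:
# listener details from "listenerconfig", then "senderbaseconfig" status.
SAMPLE = """\
Name: InboundMail
Use SenderBase For Reputation Filters and IP Profiling: Yes

Name: OutboundMail
Use SenderBase For Reputation Filters and IP Profiling: No

mail.example.com> senderbaseconfig
Share statistical data with SenderBase: Enabled
"""

# Both labels appear in the dialog: the listener summary and the SETUP options.
LISTENER_KEYS = ("Use SenderBase For Reputation Filters and IP Profiling",
                 "Enable SenderBase Reputation Filters and IP Profiling")
# Matches both status wordings printed by senderbaseconfig.
SHARE_RE = re.compile(
    r"^[ \t]*Share statistic\w* (?:data )?with SenderBase[^:\n]*:\s*(\w+)", re.M)

def audit(transcript):
    """Return ({listener: True/False/None}, sharing); the last value seen wins."""
    listeners, current = {}, None
    for line in transcript.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key == "Name":
            current = value
            listeners.setdefault(current, None)  # None = setting not seen yet
        elif sep and key in LISTENER_KEYS and current is not None:
            listeners[current] = value.lower() == "yes"
    states = SHARE_RE.findall(transcript)
    sharing = states[-1].lower() == "enabled" if states else None
    return listeners, sharing

def findings(transcript):
    """List the settings that still disclose data to SenderBase."""
    listeners, sharing = audit(transcript)
    out = [f"listener {n}: SenderBase queries enabled" for n, on in listeners.items() if on]
    out += [f"listener {n}: SenderBase setting not found" for n, on in listeners.items() if on is None]
    if sharing:
        out.append("senderbaseconfig: statistical data sharing enabled")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

A listener reported as "setting not found" should be checked by hand, since SenderBase queries are enabled by default on every listener.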