User Guide

ManualsBrandsCisco Manualsantivirus security softwareCisco Email Security Appliance C680

121

122

123

124

125

126

127

128

129

130

6-7

AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide

Chapter 6 Sender Reputation Filtering

Entering Low SBRS Scores in the Message Subject

Note In the $THROTTLED policy, the maximum recipients per hour from the remote host is set to 20

recipients per hour, by default. Note that this setting controls the maximum throttling available. You can

increase the number of recipients to receive per hour if this parameter is too aggressive. For more

information on Default Host Access policies, see Understanding Predefined Sender Groups and Mail

Flow Policies, page 7-11.

Monitoring the Status of the SenderBase Reputation Service

The SenderBase page in the Security Services menu displays the connection status and the timestamp of

the most recent query from the appliance to the SenderBase Network Status Server and SenderBase

Reputation Score Service. The SenderBase Reputation Score Service sends the SRBS scores to the

appliance. The SenderBase Network Server sends the appliance information about the IP addresses,

domains, and organizations that are sending mail to you. AsyncOS uses this data for its reporting and

email monitoring features.

Figure 6-3 SenderBase Network Status on the SenderBase Page

The sbstatus command in CLI displays the same information.

Entering Low SBRS Scores in the Message Subject

Although Cisco recommends throttling, an alternate way to use the SenderBase Reputation Service is to

modify the subject line of suspected spam messages. To do this, use the message filter shown in

Table 6-2. This filter uses the

reputation filter rule and the strip-header and insert-header filter

actions to replace the subject line of messages having a SenderBase Reputation Score lower than -2.0

with a subject line that includes the actual SenderBase Reputation Score represented as:

{Spam SBRS}.

Replace listener_name in this example with the name of your public listener. (The period on its own line

is included so that you can cut and paste this text directly into the command line interface of the

filters

command.)

Table 6-2 Message Filter to Modify Subject Header with SBRS: Example 1

sbrs_filter:

if ((recv-inj == "listener_name" AND subject != "\\{Spam -?[0-9.]+\\}"))

{

insert-header("X-SBRS", "$REPUTATION");

if (reputation <= -2.0)

{

strip-header("Subject");