Cisco Cisco Email Security Appliance X1070 Information Guide
Contents
How do I modify the subject header to flag messages that have a low SenderBase ReputationScore (SBRS)?
How do I modify the subject header to flag messages that
have a low SenderBase Reputation Score (SBRS)?
have a low SenderBase Reputation Score (SBRS)?
The SenderBase Reputation Score (SBRS) is a value between -10 and +10 for IP addresses,
which reflects the likelihood that an IP address is currently used to send spam. (Some addresses
for which no information is available return a "none" score). You can use this score in many ways
as part of your enterprise spam management policy. Some network managers might want to tag
messages with their SBRS scores in order to enable filters further down their email pipeline to act
on the scores.
which reflects the likelihood that an IP address is currently used to send spam. (Some addresses
for which no information is available return a "none" score). You can use this score in many ways
as part of your enterprise spam management policy. Some network managers might want to tag
messages with their SBRS scores in order to enable filters further down their email pipeline to act
on the scores.
In order to use SBRS scores, the listener must have SenderBase queries enabled. This is the
default behavior and can only be changed from the CLI with the listenerconfig->edit->setup
command. (Note that even if SBRS is disabled, you will still see SBRS score reports of "None" for
each sending host in the mail_logs file.) The SBRS score is available for all messages, although it
might be "None" which means that no SBRS score is available for an IP address based on the
sending IP address of the message.
default behavior and can only be changed from the CLI with the listenerconfig->edit->setup
command. (Note that even if SBRS is disabled, you will still see SBRS score reports of "None" for
each sending host in the mail_logs file.) The SBRS score is available for all messages, although it
might be "None" which means that no SBRS score is available for an IP address based on the
sending IP address of the message.
The SBRS score is stored in a variable, $REPUTATION, that is available to you in message filters
and in other places. This variable can be tested in order to determine some filter action and it can
be used in filter actions such as addition of headers to messages. This message filter shows how
you can add the SenderBase score and other HAT-based policy parameters as body headers to
any message sent through a particular listener "InboundMail":
and in other places. This variable can be tested in order to determine some filter action and it can
be used in filter actions such as addition of headers to messages. This message filter shows how
you can add the SenderBase score and other HAT-based policy parameters as body headers to
any message sent through a particular listener "InboundMail":
AddHATDataForInbound:
If ( recv-inj == "InboundMail")
{
insert-header ('X-SBRS', '$REPUTATION');
insert-header ('X-SenderGroup', '$GROUP');
insert-header ('X-MailFlowPolicy', '$POLICY');
}
Note: Senders for which there are no SBRS scores will have a $REPUTATION value of
"None". Senders that fall into no specific Sender Group will have a Sender Group of
"<Unknown>" and a Mail Flow Policy of "$ACCEPTED".
"None". Senders that fall into no specific Sender Group will have a Sender Group of
"<Unknown>" and a Mail Flow Policy of "$ACCEPTED".
This message filter is more complex. It always marks the SBRS score as an "X-" header in the
message. If the SBRS score is less than (or equal) -2.0, then it will also mark the reputation in the
message subject at the end, enclosed in the right and left curly bracket characters. This filter also
tries not to mark the subject line more than once:
message. If the SBRS score is less than (or equal) -2.0, then it will also mark the reputation in the
message subject at the end, enclosed in the right and left curly bracket characters. This filter also
tries not to mark the subject line more than once:
MarkSBRSinSubject:
if ( (recv-inj == "InboundMail") AND
(subject != "\\{SBRS .*\\}$") )
{
insert-header("X-SBRS", "$REPUTATION");
if (reputation <= -2.0)
{
strip-header("Subject");