Cisco Email Security Appliance X1070 Information Guide

ESA FAQ: What does the SBRS value of "none" mean, and how can you detect these scores?
Document ID: 117903
Contributed by Chris Haag and Enrico Werner, Cisco TAC Engineers.
Dec 08, 2014
Introduction
This document describes how to understand and detect the SenderBase Reputation Score (SBRS).
What does the SBRS value of "none" mean, and how can you detect these scores?
The SBRS is assigned to an IP address based on over 50 different factors, such as email volume, user
complaints, and spamtrap hits. The SBRS can range from −10 to +10, and reflects the probability that mail
from a sending IP address is spam. Highly negative scores indicate senders who are very likely to send spam;
highly positive scores indicate senders who are unlikely to send spam. 
However, some IP addresses have a SenderBase score of "none." If the ESA is unable to contact the SBRS
servers, the connecting IP address receives a score of "none". SBRS data is very timely and the appliance does
not cache SBRS scores beyond approximately 30 minutes. If there were an intermittent connection problem to
the SBRS servers, it is possible that a previously "scored" IP address will show up as a "none" score.
Otherwise, the SenderBase score is based on objective data that SenderBase collects about an IP address. It is
possible that there is not sufficient history and information for a given IP address to assign it an accurate
reputation. This means that the volume of mail that comes from the IP address for the last 30 days is very low,
or no mail has been seen in that time period. SenderBase determined that this IP address has low volume,
which is calculated with a sample of total worldwide email traffic. If there is low volume for a given
server/domain, it might not appear in the samples collected by SenderBase. The level of volume might not be
high enough to be statistically significant. There is not an exact threshold for when the traffic is high enough
to start accumulating a score, but current email traffic is estimated to be about ten billion messages per day.
Top sending hosts on a given day may send close to ten million messages each day. Against this background,
a server that sends a few hundred emails a day is not likely to register. There are no complaints about this IP
address, and this address does not appear on any of the DNS-based blacklists.
Note: A score of "none" does not equate to a score of "0". A score of 0.0 means that SenderBase has collected
equal amounts of positive and negative information about this sender, and has assigned it a neutral reputation.
It is easy to add "none" reputation senders to a SENDERGROUP via the web GUI:
Go to Mail Policies > HAT Overview and choose a SENDERGROUP. Cisco recommends that you go to
"SUSPECTLIST" > Edit Settings and check the checkbox to add the "none" scored senders to the group.