Beginner

CES - Sender base

Dear all, 

I've got a question regarding CES engines. The first process is filtering the known bad senders, called Sender Profile Filtering, which is the first filtering process.

 

So, is this filtering process done locally, on box, or is this done as a Cloud process?

 

BR

 

Andreas

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: CES - Sender base

Hello Andreas,

From what I understand, you are talking here in the context of the HAT overview (under the Mail Policies tab in the GUI); it is the first check that emails coming into the ESA appliance hit.
In this HAT overview, we have various sendergroups created, such as WHITELIST, SUSPECTLIST, BLACKLIST, UNKNOWNLIST, RELAYLIST etc.

Each sendergroup is assigned a range of SBR scores on the ESA appliance locally (most of the time WHITELIST and RELAYLIST are not given any score range).

Each email coming to the ESA appliance is sent by an MTA (Mail Transfer Agent) having a particular IP address assigned to it. As soon as the email arrives, the ESA checks for the probability of the score (as it is a highly dynamic entity) for the given IP address from its Sender Base Reputation services, which connect to a cloud infrastructure (referred to as Cisco TALOS) and fetch the score for the email received.
Based on the score, the email falls under one of the sendergroups created and is acted upon by the mail flow policy attached to the sendergroup.
In mail flow policies, we define the number of connections allowed to be formed, any security feature to be used etc.

After this, the email passes along further to the email pipeline in the workqueue (having all the engines processing such as Anti-spam, Antivirus etc).

Please find below some articles which will provide you with more information on the same:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_0101.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118381-technote-esa-00.html

Cisco TALOS site: https://talosintelligence.com

I hope the above information helps in your understanding.

Cheers,
Pratham
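
Added example, not part of the original reply and not Cisco code: a simplified model of the flow described above, in which the sender groups and their score ranges are local configuration and only the reputation score comes from a remote service. The score ranges, policy names, IP addresses and the `lookup` callback are constructed assumptions, not values from an appliance.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SenderGroup:
    name: str
    policy: str                          # mail flow policy attached to the group
    networks: tuple = ()                 # explicit IP/CIDR members (local config)
    score_range: Optional[tuple] = None  # (low, high) reputation range (local config)

# Constructed table, evaluated top-down, first match wins. Group names are from
# the post; the ranges, policy names and addresses are assumptions.
HAT = (
    SenderGroup("RELAYLIST", "RELAYED", networks=("10.0.0.0/8",)),
    SenderGroup("WHITELIST", "TRUSTED", networks=("192.0.2.10/32",)),
    SenderGroup("BLACKLIST", "BLOCKED", score_range=(-10.0, -3.0)),
    SenderGroup("SUSPECTLIST", "THROTTLED", score_range=(-3.0, -1.0)),
    SenderGroup("UNKNOWNLIST", "ACCEPTED", score_range=(-1.0, 10.0)),
)
DEFAULT = SenderGroup("ALL", "ACCEPTED")  # catch-all when nothing matches

# Constructed scores standing in for the remote reputation service.
FAKE_REPUTATION = {"203.0.113.7": -7.2, "198.51.100.23": -1.8, "198.51.100.99": 3.1}

def fake_lookup(ip):
    return FAKE_REPUTATION.get(ip)       # None means no score is available

def classify(ip, lookup=fake_lookup, hat=HAT):
    """Return (group, policy, score); only `lookup` leaves the box."""
    addr = ipaddress.ip_address(ip)
    score, fetched = None, False
    for group in hat:
        if any(addr in ipaddress.ip_network(n) for n in group.networks):
            return group.name, group.policy, score
        if group.score_range is None:
            continue
        if not fetched:                  # one remote query, only when a range needs it
            score, fetched = lookup(ip), True
        if score is not None and group.score_range[0] <= score <= group.score_range[1]:
            return group.name, group.policy, score
    return DEFAULT.name, DEFAULT.policy, score

if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.7", "198.51.100.23", "198.51.100.200"):
        print(ip, classify(ip))
```

In this model, a sender with no available score falls through to the catch-all entry, so the policy attached to that entry decides how unscored senders are treated.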
4 REPLIES 4
Beginner

Re: CES - Sender base

Hello!

Your response was what I was looking for. Thanks. 

 

And, thanks for the links as well. 

 

BR

Andreas

 

Cisco Employee

Re: CES - Sender base

Hello Andreas,

Glad to know that I could help.

It was my pleasure to answer your query.

Cheers,
Pratham
Collaborator

Re: CES - Sender base

It's done locally.