CES - Sender base

AndreasKvist
Level 1

Dear all,

I've got a question regarding CES engines. The first process is filtering the known bad senders, called Sender Profile Filtering, which is the first filtering process.

So, is this filtering process done locally, on box, or is this done as a Cloud process?

BR

Andreas

Accepted Solutions

ppreenja
Cisco Employee
Hello Andreas,

From what I understand, you are talking here in the context of the HAT overview (under the Mail Policies tab in the GUI); it is the first check that emails coming into the ESA appliance hit.
In this HAT overview, we have various sendergroups created, such as WHITELIST, SUSPECTLIST, BLACKLIST, UNKNOWNLIST, RELAYLIST, etc.

Each sendergroup is assigned a range of SBR scores on the ESA appliance locally (most of the time WHITELIST and RELAYLIST are not given any score range).

Each email coming to the ESA appliance is sent by an MTA (Mail Transfer Agent) having a particular IP address assigned to it. As soon as the email arrives, the ESA checks for the probability of the score (as it is a highly dynamic entity) for the given IP address from its Sender Base Reputation services, which connect to a cloud infrastructure (referred to as Cisco TALOS) and fetch the score for the email received.
Based on the score, the email falls under one of the sendergroups created and is acted upon by the mail flow policy attached to the sendergroup.
In mail flow policies, we define the number of connections allowed to be formed, any security features to be used, etc.

After this, the email passes further along the email pipeline into the workqueue (with all the processing engines such as Anti-spam, Antivirus, etc.).

Please find below some articles which will provide you with more information on the same:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_0101.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118381-technote-esa-00.html

Cisco TALOS site: https://talosintelligence.com

I hope the above information helps in your understanding.

Cheers,
Pratham
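
The split described in the accepted answer, as an added sketch that is not part of the original posts and not Cisco's code: the sender-group table with its score ranges is held locally, while the score for the connecting IP comes from a reputation lookup (stubbed here). The score ranges, policy names, catch-all entry, top-down first-match ordering and sample IPs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class SenderGroup:
    name: str
    policy: str                                       # mail flow policy attached to the group
    sbrs_range: Optional[Tuple[float, float]] = None  # None = no score range assigned
    hosts: frozenset = frozenset()                    # explicitly listed sender IPs

    def matches(self, ip: str, score: Optional[float]) -> bool:
        if ip in self.hosts:
            return True
        if self.sbrs_range is None or score is None:
            return False                              # no range, or no score was returned
        low, high = self.sbrs_range
        return low <= score <= high


# Local table (constructed sample values), checked top-down; first match wins.
HAT = [
    SenderGroup("WHITELIST", "TRUSTED", hosts=frozenset({"192.0.2.10"})),
    SenderGroup("BLACKLIST", "BLOCKED", sbrs_range=(-10.0, -3.0)),
    SenderGroup("SUSPECTLIST", "THROTTLED", sbrs_range=(-3.0, -1.0)),
    SenderGroup("UNKNOWNLIST", "ACCEPTED", sbrs_range=(-1.0, 10.0)),
]
CATCH_ALL = SenderGroup("ALL", "ACCEPTED")            # assumed default entry

# Stand-in for the cloud reputation query; these scores are constructed.
SAMPLE_SCORES = {"198.51.100.7": -6.2, "203.0.113.5": -3.0, "203.0.113.9": 4.1}


def sample_lookup(ip: str) -> Optional[float]:
    return SAMPLE_SCORES.get(ip)                      # None models "no score available"


def classify(ip: str, lookup: Callable[[str], Optional[float]]):
    """Return (sender group, mail flow policy, score) for a connecting MTA."""
    score = lookup(ip)                                # remote step: fetch the score
    for group in HAT:                                 # local step: match against the table
        if group.matches(ip, score):
            return group.name, group.policy, score
    return CATCH_ALL.name, CATCH_ALL.policy, score


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5", "203.0.113.9", "192.0.2.10", "192.0.2.99"):
        print(ip, classify(ip, sample_lookup))
```

A score on a shared boundary (-3.0 here) lands in whichever group is listed first, and a sender with no score only matches by explicit host entry or the catch-all, so both cases are worth checking when reviewing a real table.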

Hello!

Your response was what I was looking for. Thanks.

And, thanks for the links as well.

BR

Andreas


Hello Andreas,

Glad to know that I could help.

It was my pleasure to answer your query.

Cheers,
Pratham

It's done locally.