Cisco Secure Email Support Community

M.Aswad
Beginner

Cisco ESA SBRS Score

Hi Team,

Is it possible for intermittent issues to occur with the SBRS setup in ESA?

Mathew Huynh
Cisco Employee

Hey M.Aswad,

 

Intermittent issues can occur for SBRS if it's for a new IP we haven't looked up yet and not cached; and there is a delay within DNS to resolve the SBRS score.

 

SBRS scores are retrieved in the DNS lookup at the time of connection, so delays here can impact the SBRS score verdicts and you can get intermittent "unable to retrieve" results.

 

If it's happening on ALL connections - then we have an issue there that needs to be looked at.

 

Thanks,

Mathew

Hi Mathew,

Thanks for the explanation of SBRS. However, when checking the SBRS score in the message details, I can see the email hit HAT Overview -> UNKNOWNLIST and the SBRS score shows "unable to retrieve". Do you have any suggestions for further checking on this issue?

 

Thanks,

Aswad

Hey Aswad,

 

"Unable to retrieve" could be numerous potential issues.

First thing I would suggest is to make sure SBRS is able to connect to the SenderBase side -> telnet phonehome.senderbase.org 443

If this works, then we can move to the next step.

Depending on version (before 13.x I believe) use repengstatus and make sure it's available; if you're on a later version use talosstatus on the CLI and make sure the IP reputation client is updated.

If either is not updated: repengupdate force or talosupdate force

After which do a grep "SBRS" -t mail_logs and see if it improves or results are working now.

If it's still failing after these checks, I would encourage you to open a TAC case for deep-rooted troubleshooting.

 

Thanks,

Mathew
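An added example, not part of the thread and not Cisco tooling: a small Python script that reads exported mail_logs lines (the output of the grep step above) and tells intermittent SBRS lookup failures apart from failures on every connection. The log line layout, the sender group names other than UNKNOWNLIST, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines; the layout is an assumed mail_logs format.
SAMPLE_LOG = """\
Thu Oct  7 10:00:01 2021 Info: ICID 1001 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 3.5
Thu Oct  7 10:00:04 2021 Info: ICID 1002 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS unable to retrieve
Thu Oct  7 10:00:09 2021 Info: ICID 1003 REJECT SG BLOCKLIST match sbrs[-10.0:-3.0] SBRS -7.2
Thu Oct  7 10:00:15 2021 Info: ICID 1004 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Thu Oct  7 10:00:21 2021 Info: ICID 1005 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS unable to retrieve
Thu Oct  7 10:00:30 2021 Info: ICID 1006 ACCEPT SG ALLOWLIST match sbrs[6.0:10.0] SBRS 8.1
"""

LINE_RE = re.compile(
    r"ICID (\d+) \w+ SG (\S+) match \S+ SBRS "
    r"(-?\d+(?:\.\d+)?|None|unable to retrieve)"
)

def summarize(log_text):
    """Count SBRS outcomes and record which sender groups saw failed lookups."""
    counts, failed_groups = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection line carrying an SBRS verdict
        _icid, group, value = m.groups()
        if value == "unable to retrieve":
            counts["failed"] += 1
            failed_groups[group] += 1
        elif value == "None":
            counts["no_score"] += 1  # assumed: lookup answered, no score for the IP
        else:
            counts["scored"] += 1
    return counts, failed_groups

def verdict(counts):
    """Separate 'intermittent' from 'failing on all connections'."""
    total = sum(counts.values())
    if total == 0:
        return "no SBRS lines found"
    if counts["failed"] == 0:
        return "healthy"
    if counts["scored"] + counts["no_score"] == 0:
        return "all lookups failing"
    return "intermittent"

if __name__ == "__main__":
    counts, failed_groups = summarize(SAMPLE_LOG)
    print(verdict(counts), dict(counts), dict(failed_groups))
```

An "all lookups failing" result points at connectivity or the reputation client, which is where the telnet and talosstatus checks apply; "intermittent" fits the uncached-IP and DNS-delay explanation.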

Hi Mathew,

 

Noted your advice to check before opening a TAC case. I want to verify that "phonehome.senderbase.org" is not hosted by Cisco, right?

Currently, we only allow the URLs listed on this page " https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1/b_ESA_Admin_Guide_12_1_appendix_0101111.html#Cisco_Concept.dita_4423beca-f7e2-41ed-9123-4a9c838bb754 " and it seems that "phonehome.senderbase.org" is not included.

Thanks

Aswad


Senderbase.org is the backend behind SBRS (SenderBase Reputation Service). It is Cisco.
Sounds like a documentation bug...

Here's the WHOIS data from TalosIntelligence.com (which more or less took over the functionality that was on the senderbase.org web site):
Domain Name: SENDERBASE.ORG
Registry Domain ID: D92764553-LROR
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2021-07-02T00:20:18Z
Creation Date: 2002-12-03T03:26:33Z
Registry Expiry Date: 2022-12-03T03:26:33Z
Registrar Registration Expiration Date:
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Organization: Cisco Technology Inc.
Registrant State/Province: CA
Registrant Country: US
Name Server: USE1.AKAM.NET
Name Server: NS1-93.AKAM.NET
Name Server: NS1-73.AKAM.NET
Name Server: NS1-90.AKAM.NET
Name Server: ASIA3.AKAM.NET
Name Server: NS1-109.AKAM.NET
Name Server: NS1-11.AKAM.NET
Name Server: NS1-117.AKAM.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)
>>> Last update of WHOIS database: 2021-10-07T20:00:24Z <<<

Hi Ken Stieers,

 

May I know if this PDF " https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_11_1_appendix_0101111.pdf " is correct regarding phonehome.senderbase.org? I cannot proceed with this solution if there is no KB from Cisco.

Currently, we do not allow this URL.

 

Thanks,

Aswad

 

I just checked the doc.

Page 3 in that doc, third entry on that page... phonehome.senderbase.org is listed.

 

phonehomesenderbase.PNG
