Hi Matthew,

 

 

Thanks for the explanation on the SBRS, however as per checking on the SBRS Score in message details, I can see the email was hit HAT Overview -> UNKNOWNLIST and the SBRS Score shows that unable to retrieve ..... do you have any suggestion for me to further checking on this issue.

Thanks,

Aswad

Hey Aswad,

 

Unable to retrieve could be numerous potential issues.

First thing i would suggest is make sure SBRS is able to connect to senderbase side -> telnet phonehome.senderbase.org 443

If this works, then we can move to the next step.

 

Depending on version (before 13.x i believe) use repengstatus and make sure it's available; if you're on a latter version use talosstatus on the CLI and make sure ip reputation client is updated.

If either are not updated; repengupdate force or talosupdate force

After which do a grep "SBRS" -t mail_logs and see if it improves or results are working now.

If it's still failing after these checks - i would encourage you to open a TAC case for deep rooted troubleshooting.

 

Thanks,

Mathew

Hi Mathew,

 

Noted your advice to check before opening a TAC case. I want to verify that " phonehome.senderbase.org " is not hosted by Cisco right?

 

Currently, we just only allow URLs on this website " https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1/b_ESA_Admin_Guide_12_1_appendix_0101111.html#Cisco_Concept.dita_4423beca-f7e2-41ed-9123-4a9c838bb754 " and seems that this URL " phonehome.senderbase.org " is not included.

Thanks

Aswad

 

Senderbase.org is the backend behind SBRS (SenderBase Reputation Service) . It is Cisco.
Sounds like a documentation bug...


Here's the WHOIS data from TalosIntelligence.com (which more or less too over the functionality that was on the senderbase.org web site)
Domain Name: SENDERBASE.ORG
Registry Domain ID: D92764553-LROR
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2021-07-02T00:20:18Z
Creation Date: 2002-12-03T03:26:33Z
Registry Expiry Date: 2022-12-03T03:26:33Z
Registrar Registration Expiration Date:
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Reseller:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Organization: Cisco Technology Inc.
Registrant State/Province: CA
Registrant Country: US
Name Server: USE1.AKAM.NET
Name Server: NS1-93.AKAM.NET
Name Server: NS1-73.AKAM.NET
Name Server: NS1-90.AKAM.NET
Name Server: ASIA3.AKAM.NET
Name Server: NS1-109.AKAM.NET
Name Server: NS1-11.AKAM.NET
Name Server: NS1-117.AKAM.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)
>>> Last update of WHOIS database: 2021-10-07T20:00:24Z <<<

Hi Ken Stieers,

 

May I know if this PDF is correct " https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_11_1_appendix_0101111.pdf " related to the phonehome.senderbase.org. Since I cannot proceed with this solution if there is no KB from Cisco.

 

Currently, we did not allow this URL for now.

 

Thanks,

Aswad

 

I just checked the doc.

Page 3 in that doc, third entry on that page... phonehome.senderbase.org is listed.