Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
932
Views
0
Helpful
3
Replies

Incoming IPv6 hits sender group SUSPECTLIST due to lack of SBRS score

Michael Eriksson
Level 1
Level 1

‎01-04-2022 04:38 AM

I realized that all incoming connections using IPv6 to us has a no SBRS score and therefore are hitting the sender group SUSPECTLIST. Senders with no score should be treated as suspect according to Cisco best practice, but it becomes a problem when no sending IPv6 hosts seem to have a score. I searched on Talosintelligence.com about 50 IPv6 addresses of Swedish sending e-mail hosts, known to me. None of them have a SBRS score.

 

Anyone else experiencing this or am I alone?

 

It is really frustrating and hard to explain to our end users when perfectly ok e-mails don't arrive. I like to try and follow best practice, but it's not ok that 14 percent of legit incoming connections are blocked for not having a SBRS score.

 

I'm very grateful for all help I can get and hopefully with your help I can solve it.

 

Regards

 

Michael

Labels:
0 Helpful
3 Replies 3

SriramV
Cisco Employee
Cisco Employee

‎01-05-2022 03:24 AM

TALOS Sender IP Reputation system does support IPv6, Rise a defect with TAC team. 

0 Helpful

Michael Eriksson
Level 1
Level 1

‎01-05-2022 03:43 AM

Hi,

I just did and got a fast reply to read these articles. Didn't help a lot. 

 

“ESA FAQ: What does the SBRS value of "none" mean, and how can you detect these scores?”
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117903-qa-sbrs-00.html


also this one :
“How are SenderBase Reputation Scores (SBRS) determined, and what do they mean?”
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118380-technote-esa-00.html

 

I have answered them and hope for a more informative reply. If I get an answer I will update this thread.

 

Regards

Michael

0 Helpful

Michael Eriksson
Level 1
Level 1
In response to Michael Eriksson

‎01-13-2022 10:35 PM

Just wanted to inform that it wasn't much point opening a TAC. I closed it since we were getting nowhere in the matter, I hope it'll be better in the future. For now I will accept messages with no reputation since I work for a government agency that aren't very acceptable to false positives.

 

Regards

 

Michael

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents