SDR query
10-25-2024 03:09 AM
Hello All,
I need some help understanding Sender Domain Reputation in Cisco CES.
1. Even with a good SBRS score, can a domain still fall into a threat category? PFA
2. What needs to be added to the domain exception list so that SDR does not scan such domains next time? Would it be the suspect domains, DNS hostname, env-from, header-from or reply-to? PFA
Labels: Email Security
3 Replies
10-25-2024 08:54 AM
1. Yes. That's the whole point of SDR... SBRS is IP based. With so much email moving to cloud providers, you can't just block based on IP because many companies are using those IPs.
2. SDR by default checks against 'Envelope-From:', 'From:' and 'Reply-To:'.
If you check "Include Additional Attributes", it also checks against the "username" part of the emails in those headers as well as the Display Name in the From and Reply-To headers.
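To make the reply above concrete, here is an added example (not code from the poster or from Cisco) that pulls out the attributes the reply says SDR evaluates from a constructed message and envelope sender, and then shows which domains a domain exception list entry would and would not cover. The exact-match rule in `domains_still_scanned` and all names and sample addresses are assumptions of this example.

```python
import email
from email.utils import getaddresses

# Constructed sample message and SMTP envelope sender (MAIL FROM). The
# envelope sender comes from the SMTP conversation, so it is passed separately.
SAMPLE_ENVELOPE_FROM = "bounces@mail.bulk-provider.example"
SAMPLE_RAW = b"""From: "Accounts Payable" <billing@vendor.example>
Reply-To: AP Team <ap@reply.vendor.example>
To: user@corp.example
Subject: Invoice 4711

Please see attached.
"""


def sdr_attributes(raw_message, envelope_from, include_additional=False):
    """Collect the sender attributes the reply says SDR evaluates: the domain
    of Envelope-From, From and Reply-To, and, when 'Include Additional
    Attributes' is on, the username part of each address plus the display
    names of From and Reply-To. The dict keys are this example's own."""
    msg = email.message_from_bytes(raw_message)
    pairs = [("", envelope_from)]          # envelope sender has no display name
    for header in ("From", "Reply-To"):
        pairs.extend(getaddresses(msg.get_all(header, [])))
    attrs = {"domains": set(), "usernames": set(), "display_names": set()}
    for display_name, addr in pairs:
        local, sep, domain = addr.rpartition("@")
        if not sep:                          # skip malformed or empty addresses
            continue
        attrs["domains"].add(domain.lower())
        if include_additional:
            attrs["usernames"].add(local.lower())
            if display_name:
                attrs["display_names"].add(display_name)
    return attrs


def domains_still_scanned(attrs, exception_list):
    """Domains SDR would still evaluate after applying a domain exception list.
    Matching is exact here (an assumption for the example; the product may
    also match subdomains), so listing only the envelope sender's domain
    leaves the header From and Reply-To domains subject to the verdict."""
    exempt = {d.lower() for d in exception_list}
    return sorted(attrs["domains"] - exempt)


if __name__ == "__main__":
    a = sdr_attributes(SAMPLE_RAW, SAMPLE_ENVELOPE_FROM, include_additional=True)
    print(a)
    print(domains_still_scanned(a, ["mail.bulk-provider.example"]))
```

Running it shows that exempting only the envelope sender's domain still leaves the header From and Reply-To domains for SDR to evaluate, which is why the exception list entry has to cover whichever of those domains actually triggers the verdict.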
10-27-2024 10:40 PM
So does adding the envelope sender or real sender work in the domain exception list?
10-28-2024 07:29 AM
From https://www.cisco.com/c/en/us/td/docs/security/esa/esa16-0/user_guide/b_ESA_Admin_Guide_16-0/b_ESA_Admin_Guide_12_1_chapter_01100.html
ESA User Guide for 16.0
Overview of Sender Domain Reputation Filtering
Cisco Talos Sender Domain Reputation (SDR) is a cloud service that provides a reputation verdict for email messages based on the domains provided in the email envelope and header. Examples may include domains from - HELO/EHLO strings, envelope and header "From" addresses, "Reply-to" addresses, and "List-Unsubscribe" headers.
The domain-based reputation analysis enables a higher spam catch rate by looking beyond the reputation of shared IP addresses, hosting or infrastructure providers, and derives verdicts based on features that are associated with fully qualified domain names (FQDNs) and other sender information in the Simple Mail Transfer Protocol (SMTP) conversation and message headers.
The Sender Domain Age option is replaced with Sender Maturity from AsyncOS 14.2.x release onwards. Sender Maturity is an important feature to establish sender reputation. Sender Maturity is automatically generated for spam classification based on multiple sources of information and can differ from "Whois-based domain age." Sender Maturity is set to a limit of 30 days, and beyond this limit, a domain is considered mature as an email sender, and no further details are provided.
From this release onwards, an additional Sender Domain Reputation check is performed after the sender header of the message is received. Messages with a Threat Level that matches the configured SDR reject level (in your email gateway) are rejected.
