Using IronPort Reputation Filters

I'm curious what types of policies the IronPort Nation has set up based on the SenderBase Reputation Score (SBRS).

With the release of AsyncOS 4.0, we changed the recommended score to block connections to -4 (from -7), but I've seen all types of policies. Please tell us what works for you!

- At what SBRS do you start blocking connections?
- Do you SMTP reject or TCP refuse connections?
- What score do you throttle on?
- What is the maximum number of recipients per hour you allow for your throttled policy?
- Do you have a policy to whitelist senders based on positive reputation scores?
- What % of connections are blocked or throttled using these policies?
- Have you experienced any false-positives?

cheers,
Craig


Erich_ironport
Level 1

Craig,

I'll answer these straight out, but you may get more replies with a poll; it lets respondents be somewhat more anonymous. Answers at the end of the questions below.

- At what SBRS do you start blocking connections? -2
- Do you SMTP reject or TCP refuse connections? SMTP Reject
- What score do you throttle on? -2 to -0.4
- What is the maximum number of recipients per hour you allow for your throttled policy? 60
- Do you have a policy to whitelist senders based on positive reputation scores? bypass Brightmail over +4
- What % of connections are blocked or throttled using these policies? hard to say, I would estimate 50%
- Have you experienced any false-positives? not really false-positives, but some good senders with valid issues they needed to fix... :wink:

- At what SBRS do you start blocking connections? -5.0
- Do you SMTP reject or TCP refuse connections? TCP refuse
- What score do you throttle on? -3.0
- What is the maximum number of recipients per hour you allow for your throttled policy? 1
- Do you have a policy to whitelist senders based on positive reputation scores? no
- What % of connections are blocked or throttled using these policies? 40% blocked, 15% throttled
- Have you experienced any false-positives? none reported

+ Block connections at what SBRS: -4.0
+ SMTP reject or TCP refuse: SMTP reject, but I've never looked into the advantages of the latter
+ Throttle connections at what SBRS: -3.9
+ Maximum recipients per hour for THROTTLE: 3
+ Whitelist based on SBRS: No
+ Percent of connections affected by these policies: Not many, to be honest. I have a massive list of CIDR blocks that are "drop on sight" and that kills approximately 77.5% of our connections during the week.
+ Does SBRS cause false positives: Not for us.

I use this filter to tag messages with low reputation scores. It doesn't stop them, but makes them easier to pick out or filter at the client. Being a retailer, I have to be very careful to not filter any emails from customers.

bad_rep: if reputation < -7.0 {
    strip-header("Subject");
    insert-header("Subject", "BAD REP: $Reputation -- $Subject");
}


Mike

ian_ironport
Level 1

- At what SBRS do you start blocking connections? -7
- Do you SMTP reject or TCP refuse connections? Reject
- What score do you throttle on? -0.5 to -7
- What is the maximum number of recipients per hour you allow for your throttled policy? 1000 (but I think this is way too high!)
- Do you have a policy to whitelist senders based on positive reputation scores? Yes, SBRS +6 upwards
- What % of connections are blocked or throttled using these policies? Hard to say, but surprisingly few I think.
- Have you experienced any false-positives? No

- At what SBRS do you start blocking connections? -3.0
- Do you SMTP reject or TCP refuse connections? TCP refuse
- What score do you throttle on? -2.0
- What is the maximum number of recipients per hour you allow for your throttled policy? 10
- Do you have a policy to whitelist senders based on positive reputation scores? no
- What % of connections are blocked or throttled using these policies? ~55
- Have you experienced any false-positives? none reported

Jim
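
To put numbers on the "what % of connections are blocked or throttled" question, the following added example (not part of any post in this thread) replays logged SBRS values against the block and throttle thresholds reported in the five replies. The log line layout, the sample lines, the inclusive bounds and the handling of unscored senders are assumptions made for the example.

```python
import re
from collections import Counter

# Assumed log layout (constructed for this example, not taken from the thread);
# adapt the pattern to the connection log lines your appliance writes.
LINE_RE = re.compile(r"ICID (\d+) \w+ SG \S+ match \S+ SBRS (-?\d+(?:\.\d+)?|None)")

# (block at or below, throttle at or below), in the order the replies appear.
# Treating both bounds as inclusive is an assumption.
POLICIES = {"reply 1": (-2.0, -0.4), "reply 2": (-5.0, -3.0), "reply 3": (-4.0, -3.9),
            "reply 4": (-7.0, -0.5), "reply 5": (-3.0, -2.0)}

# Constructed sample lines: one per connection (ICID), score at the end.
SAMPLE_LOG = """\
Info: ICID 1001 REJECT SG BLACKLIST match sbrs[-10.0:-4.0] SBRS -9.1
Info: ICID 1002 REJECT SG BLACKLIST match sbrs[-10.0:-4.0] SBRS -4.5
Info: ICID 1003 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.0] SBRS -3.9
Info: ICID 1004 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.0] SBRS -3.0
Info: ICID 1005 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.0] SBRS -2.0
Info: ICID 1006 ACCEPT SG SUSPECTLIST match sbrs[-4.0:-1.0] SBRS -1.0
Info: ICID 1007 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Info: ICID 1008 ACCEPT SG WHITELIST match sbrs[4.0:10.0] SBRS 5.5
""".splitlines()

def parse_scores(lines):
    """Map ICID -> SBRS (float), or None when the sender has no score."""
    found = (LINE_RE.search(line) for line in lines)
    return {m.group(1): None if m.group(2) == "None" else float(m.group(2))
            for m in found if m}

def classify(score, block_at, throttle_at):
    """Return the action a policy would take for one connection."""
    if score is None:
        return "accept"  # assumption: unscored senders get the default policy
    if score <= block_at:
        return "block"
    return "throttle" if score <= throttle_at else "accept"

def what_if(scores, policies=POLICIES):
    """Per policy: percent of connections blocked, throttled, accepted."""
    total = len(scores) or 1
    report = {}
    for name, (block_at, throttle_at) in policies.items():
        hits = Counter(classify(s, block_at, throttle_at) for s in scores.values())
        report[name] = {a: round(100.0 * hits[a] / total, 1)
                        for a in ("block", "throttle", "accept")}
    return report
```

Calling `what_if(parse_scores(lines))` on a day of real log lines shows how many connections each threshold pair would have blocked or throttled before any of them is deployed.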