Reputation Filtering

Hi,
I'm installing an eval IronPort behind a current 3rd party MTA, which will relay all mail onto IronPort.
My query is: can someone advise whether this will affect reputation filtering, given that IronPort receives mail from an internal address? And how best can I get around this issue?
Cheers :)

You can use the IronPort Incoming Relays feature to get around this.
Basically you specify how many hops back in the header to look for the ACTUAL sender IP. This works if the number of hops is always going to be consistent.
If the hops aren't a consistent, predictable number, then you will have to insert a custom header at your third party MTA, if possible.
This is all documented in the Basic User Guide, or online here: https://support.ironport.com/docs/c_series/5.1/HTML_5.1_Compilation/Basic_Guide/wwhelp/wwhimpl/common/html/wwhelp.htm?context=Basic_Guide&file=antispam.14.5.html
:-)
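The hop-count and custom-header lookups the reply describes, written out in Python as an added illustration (not code from the original post or from IronPort's AsyncOS). The relay address 10.0.0.5, the X-Connecting-IP header name and the message are constructed, and the product's own Received-header parsing is more thorough than this.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Hypothetical address of the third-party MTA that relays everything to the ESA.
INCOMING_RELAYS = {"10.0.0.5"}
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def original_sender_ip(raw_message, peer_ip, hops=1, custom_header=None):
    """IP that reputation filtering should score for a relayed message.

    peer_ip: the host that connected to the ESA (here, the relay).
    hops: how many Received headers the internal relays add (must be constant).
    custom_header: header the relay stamps with the real client IP; overrides hops.
    """
    if peer_ip not in INCOMING_RELAYS:
        # Headers from an unknown peer are attacker-controlled: score the peer itself.
        return peer_ip
    headers = HeaderParser().parsestr(raw_message, headersonly=True)
    if custom_header:
        try:
            return str(ipaddress.ip_address((headers.get(custom_header) or "").strip()))
        except ValueError:
            return peer_ip        # header missing or malformed: fall back to the relay
    received = headers.get_all("Received") or []
    if not 1 <= hops <= len(received):
        return peer_ip            # fewer hops than configured: fall back to the relay
    m = IPV4_IN_BRACKETS.search(received[hops - 1])
    return m.group(1) if m else peer_ip

# Constructed message as the ESA sees it after one internal hop: the top Received
# header was added by the relay and records the real connecting host.
RAW = """\
Received: from outgoing232.ispserver.com (outgoing232.ispserver.com [198.51.100.23])
 by mx.internal.example with ESMTP; Fri, 7 Sep 2007 10:05:41 -0400
Received: from [192.168.1.20] (unknown [192.168.1.20])
 by outgoing232.ispserver.com with ESMTP; Fri, 7 Sep 2007 10:05:40 -0400
X-Connecting-IP: 198.51.100.23
From: someone@test.com
Subject: testing 123

hello
"""

if __name__ == "__main__":
    print(original_sender_ip(RAW, "10.0.0.5", hops=1))   # 198.51.100.23 (correct hop count)
    print(original_sender_ip(RAW, "10.0.0.5", hops=2))   # 192.168.1.20 (hop count wrong: sender's LAN)
    print(original_sender_ip(RAW, "10.0.0.5", custom_header="X-Connecting-IP"))  # 198.51.100.23
    print(original_sender_ip(RAW, "203.0.113.9", hops=1))  # 203.0.113.9 (peer is not a relay)
```

The hops=2 case shows why the reply insists on a consistent hop count: one hop too many and the score is applied to a private address inside the sender's network instead of the MTA that actually connected.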

Similar Messages

  • Recent decrease in Reputation Filtering

    Beginning yesterday (Nov 13) at about 17:00 eastern time, we have seen a drastic decrease in messages stopped by Reputation Filtering and a large increase in Spam Detected. The drop is from about 97% to 89%. Spam Detected has risen from 1.4% to 7.6%.
    Anyone else seeing this occur? We are using V5.1.2 of AsyncOS.

    The efforts of security researchers have resulted in McColo's hosting service being stopped, and this has resulted in far less spam being sent. :) However, it won't last long. Within a couple of weeks, the spam levels will be back to usual...
    http://www.eweek.com/c/a/Security/Notorious-Web-Hosting-Service-Linked-to-Spam-Campaigns-Goes-Offline/
    http://www.senderbase.org/home/detail_spam_volume?displayed=lastmonth&action=&screen=&order=
    Which is about now... I can point to www.senderbase.org and more specifically to http://www.senderbase.org/home/detail_spam_volume
    It looks like spam has returned to its "normal" volumes.

  • MARS 6.0.4 reporting for IPS 7.0 Global Correlation Reputation Filtering

    Does anyone know if there is a report available in MARS to see what IP addresses were denied by Reputation Filtering on IPS 7.0?
    I found a report that shows attacks that were prevented due to global correlation score, but not for packets denied by Reputation Filtering.
    Replies are greatly appreciated.
    Thanks,
    Mark

    Thanks for the reply, but what I am looking for is reporting on what packets were dropped by Reputation Filtering (which doesn't have a report in MARS), not the Global Correlation risk rating blocks (which do have a report available in MARS).

  • Global correlation / reputation filtering in monitoring mode

    We use Cisco appliances primarily in monitoring mode. We'd like to use the IPS reputation filtering / global correlation to alert us when we have connections to "bad" IP addresses (e.g. botnet, etc). Is it even possible to use either of these features for this purpose? According to the following document it appears there may not be alerts for packets denied before signature analysis. Surely that can't be???
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_collaboration.html#wp1067283
    "Note This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched. It does not apply to reputation filtering where the packet is denied before signature analysis, and no alerts are generated when packets are denied by reputation filtering. "

    Just listened to the techtalk on global correlation. About 16 minutes in: "we do not send events just to keep the load quiet". Can someone from Cisco please confirm that this completely naive and poorly engineered facet of the solution still works this way? I'm sorry to sound like an arse, but I am so completely frustrated with the value we get out of these appliances. Apparently, the ASA botnet functionality can do what we want, but not the stand-alone IPS appliance... come on Cisco.

  • Counter changed in 6.0.0-745 for 'Reputation Filtering'?

    After upgrading to 6.0.0-745 we noticed that the amount of incoming mails for 'Stopped by Reputation Filtering' is 3x higher than before with version 5.5.1-011.
    We can see the jump to the 3x higher level for the time after the upgrade.
    We have checked the 'Configure Sender Reputation Multiplier' in the CLI, but this value is still on 1.
    Has something changed on counting this number?

    After the upgrade on the second machine, we can see this behaviour again. Maybe this picture can help you understand:
    We can't believe that the amount of
    - Stopped by Reputation Filtering
    and
    - Stopped as Invalid Recipients
    has more than doubled after the lunch (upgrade time on 11.4.2008) :wink:

  • Bypass reputation filtering

    Dear All
    I am a new user of IronPort and would like to check with you all how I can bypass a few domains from reputation filtering. There are a few clients facing a problem sending mail to us that was blocked by reputation filtering. The problem is that the sender's mail is hosted by someone else, and the sending IP is dynamic. Please advise.
    regards
    Anthony

    In addition, I wanted to add to the post on how best to detect what hostname/domain/IP address to add to this sendergroup.
    As the previous post mentioned, you'll want to create a new sendergroup and possibly label it "Bypass_SBRS_scoring". Because the mail that you're mentioning is getting blocked, you may want to position this new sendergroup above the "Blacklist" sendergroup. Note that when incoming connections occur, the HAT Overview works top-down. In other words, it will start at the top and move on down until there's a match, or else go into the default of ALL.
    To add a domain or company as a sender in this new sendergroup, you'll need to add either the hostname, IP address, or IP address range. When you add a sender, there is a little question mark that details how you can add the sender. This is what the help says:
    Enter the hosts to add. CIDR addresses such as 10.1.1.0/24 are allowed. IP address ranges such as 10.1.1.10-20 are allowed. IP subnets such as 10.2.3. are allowed. Hostnames such as crm.example.com are allowed. Partial hostnames such as .example.com are allowed.
    How to locate the hostname or IP address of a sender:
    - When customers have difficulty obtaining the hostname or IP address of a sender to add to a sendergroup.
    - When trying to obtain the SBRS score of a connecting server.
    How to search in the logs for the IP or hostname of a sender:
    You want to find out the IP address or hostname of the sender called "[email protected]".
    1. From the command line, type:
    ironport> grep -i "test.com" mail_logs
    Fri Sep 7 10:06:13 2007 Info: MID 28 ready 77 bytes from
    2. Then search for the "MID 28"
    ironport> grep -i "MID 28" mail_logs
    Fri Sep 7 10:05:51 2007 Info: Start MID 28 ICID 10
    Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From:
    Fri Sep 7 10:05:56 2007 Info: MID 28 ICID 10 RID 0 To:
    Fri Sep 7 10:06:13 2007 Info: MID 28 Subject 'testing 123'
    Fri Sep 7 10:06:13 2007 Info: MID 28 ready 77 bytes from
    Fri Sep 7 10:06:13 2007 Info: MID 28 matched all recipients for per-recipient policy DEFAULT in the inbound table
    Fri Sep 7 10:06:13 2007 Info: MID 28 interim verdict using engine: CASE spam negative
    Fri Sep 7 10:06:13 2007 Info: MID 28 using engine: CASE spam negative
    Fri Sep 7 10:06:13 2007 Info: MID 28 interim AV verdict using Sophos CLEAN
    Fri Sep 7 10:06:13 2007 Info: MID 28 antivirus negative
    Fri Sep 7 10:06:13 2007 Info: MID 28 queued for delivery
    Fri Sep 7 10:06:14 2007 Info: Delivery start DCID 477 MID 28 to RID [0]
    Fri Sep 7 10:06:14 2007 Info: Message done DCID 477 MID 28 to RID [0]
    Fri Sep 7 10:06:14 2007 Info: MID 28 RID [0] Response 'ok: Message 57897990 accepted'
    Fri Sep 7 10:06:14 2007 Info: Message finished MID 28 done
    3. From the MID output, grep for the ICID to get the hostname or IP address of the connecting server.
    ironport> grep -i "ICID 10" mail_logs
    Fri Sep 7 10:05:42 2007 Info: New SMTP ICID 10 interface Management (172.19.0.146) address 10.1.1.209 reverse dns host outgoing232.ispserver.com verified yes
    Fri Sep 7 10:05:42 2007 Info: ICID 10 ACCEPT SG SUSPECTLIST match 10.1.1.209 SBRS 1.2
    Fri Sep 7 10:05:51 2007 Info: Start MID 28 ICID 10
    Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From:
    Fri Sep 7 10:05:56 2007 Info: MID 28 ICID 10 RID 0 To:
    Fri Sep 7 10:06:14 2007 Info: ICID 10 close
    4. The information that I have put in BOLD above displays the information that you want.
    The IP address is: 10.1.1.209
    The hostname of the connecting server is: outgoing232.ispserver.com
    The SBRS score of the connecting IP is: 1.2
    The sendergroup that was matched was: Suspectlist
    172.19.0.146 is the IP of your Ironport appliance.
    So, if you wanted to whitelist the sender, [email protected] or test.com, you would add any of these to the sendergroup:
    10.1.1.209
    outgoing232.ispserver.com
    .ispserver.com
    Use ".ispserver.com" when there are multiple outgoing servers and you want to wildcard them.
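An added Python walk-through (not the poster's or IronPort's code) of the three greps above and of how the HAT then matches the recovered host: it correlates a sender domain to its ICID line to pull the connecting IP, reverse DNS name, sender group and SBRS, then evaluates hypothetical sender groups top-down using the entry forms the help text lists. The log excerpt is constructed from the lines quoted above, with a made-up address where the page redacts it; the HAT contents and group positions are illustrative.

```python
import ipaddress
import re

# Constructed mail_logs excerpt modelled on the lines quoted above (From address made up).
MAIL_LOGS = """\
Fri Sep 7 10:05:42 2007 Info: New SMTP ICID 10 interface Management (172.19.0.146) address 10.1.1.209 reverse dns host outgoing232.ispserver.com verified yes
Fri Sep 7 10:05:42 2007 Info: ICID 10 ACCEPT SG SUSPECTLIST match 10.1.1.209 SBRS 1.2
Fri Sep 7 10:05:51 2007 Info: MID 28 ICID 10 From: <someone@test.com>
Fri Sep 7 10:06:13 2007 Info: MID 28 ready 77 bytes from <someone@test.com>
Fri Sep 7 10:06:14 2007 Info: ICID 10 close
"""

def first_match(lines, pattern):
    """First regex match of pattern over the lines, or None."""
    for line in lines:
        m = re.search(pattern, line)
        if m:
            return m
    return None

def find_connection(logs, sender_domain):
    """Steps 1-3 of the post: sender domain -> MID -> ICID -> connecting host."""
    lines = logs.splitlines()
    hit = first_match([l for l in lines if sender_domain.lower() in l.lower()], r"\bMID (\d+)\b")
    if not hit:
        return None
    mid = hit.group(1)
    hit = first_match(lines, rf"\bMID {mid} ICID (\d+)\b")
    if not hit:
        return None
    icid = hit.group(1)
    host = first_match(lines, rf"New SMTP ICID {icid} .* address (\S+) reverse dns host (\S+)")
    sg = first_match(lines, rf"\bICID {icid} \w+ SG (\S+) match \S+ SBRS (-?[\d.]+)")
    if not (host and sg):
        return None
    return {"mid": mid, "icid": icid, "ip": host.group(1), "hostname": host.group(2),
            "sendergroup": sg.group(1), "sbrs": float(sg.group(2))}

def sender_matches(spec, ip, hostname):
    """One HAT sender entry, in the forms the help text quoted above allows."""
    addr = ipaddress.ip_address(ip)
    if spec.startswith("."):                     # partial hostname: .example.com
        return hostname.lower().endswith(spec.lower())
    if "/" in spec:                              # CIDR: 10.1.1.0/24
        return addr in ipaddress.ip_network(spec, strict=False)
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", spec)
    if m:                                        # last-octet range: 10.1.1.10-20
        return str(addr).startswith(m[1]) and int(m[2]) <= int(str(addr).split(".")[3]) <= int(m[3])
    if re.fullmatch(r"(\d+\.){1,3}", spec):      # subnet prefix: 10.2.3.
        return str(addr).startswith(spec)
    if re.fullmatch(r"[\d.]+", spec):            # exact IP
        return addr == ipaddress.ip_address(spec)
    return hostname.lower() == spec.lower()      # exact hostname

def hat_lookup(hat, ip, hostname):
    """Top-down HAT evaluation: the first sender group with a match wins, else ALL."""
    for group, entries in hat:
        if any(sender_matches(e, ip, hostname) for e in entries):
            return group
    return "ALL"

# Hypothetical HAT with the bypass group placed above BLACKLIST, as the post suggests.
HAT = [("Bypass_SBRS_scoring", [".ispserver.com"]),
       ("BLACKLIST", ["203.0.113.0/24"])]

if __name__ == "__main__":
    conn = find_connection(MAIL_LOGS, "test.com")
    print(conn["ip"], conn["hostname"], conn["sendergroup"], conn["sbrs"])
    print(hat_lookup(HAT, conn["ip"], conn["hostname"]))  # Bypass_SBRS_scoring
```

Note how broad a partial hostname is: ".ispserver.com" bypasses scoring for every host the ISP operates, so keep such a group as narrow as the problem requires and position it above only the groups it must override.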

  • A "Web Reputation Filters" key was downloaded from the Cisco Ironport key server.....

    Recently we received an alert from our Ironport S370 appliance indicating that a new Web Reputation Filters key had been downloaded and placed into the pending area: EULA acceptance required. This key shows a 256 days validity however our current key still has 250 days left on it..... Why would a new key be downloaded when the old one still has so much time left on it? My understanding is that a key is just used to enable a feature, but given that the feature is already enabled and has several months of validity, why would a new key be needed? I find it a little strange.
    Thanks

    When the Web Reputation Filters (WBRS) key expires, web sites accessed through the WSA as a web proxy will not get any reputation score, and the filtering in WSA policies based on reputation score will not function. For example, a web site with a bad reputation score that should be blocked automatically by the WSA when WBRS is functioning will not be blocked, and all sites will be accessible without reputation score filtering (exposing you to threats; we strongly recommend validating the feature keys).

  • Reputation Filtering Rejecting a valid Host

    We have a company that is not able to email us. Our ironport server says their reputation status is poor and is rejecting the message.
    If you go to senderscore.org and enter the ip addresses of their server they are all 95-100 score rating.
    Why are we rejecting their email?
    I was able to get around this by adding them to the whitelist.

    this host is a 'poor' score for a reason - whether it's quasi-legitimate spam / marketing mail or a sharp statistical increase in mail volume over a short period due to some bot net or virus traffic - there's not supposed to be any misinformation or false positives. there are many reasons or factors that contribute to the score, which is mostly confidential for us (IronPort). we can tell you that it is a rolling average that is continuously correcting itself.
    many customers are comfortable referring their partners or owners of incoming MTAs that have been rejected by SBRS to just RTM at senderbase.org and contact SB support teams for more info.
    so in short, if you 'trust' this MTA and they don't want to contact SenderBase for help, then yes, manually add it to the whitelist. occasionally whitelisting is easier than constantly blacklisting, which is why senderbase is so cool / popular.
    more info on senderbase.org and our 'Sender Base Reputation Score':
    Sender Base Best Practices / Overview:
    http://tinyurl.com/lvuub
    Tips on Low Scores:
    http://tinyurl.com/zfczg
    andrew

  • SA 520 Problems - Virus & Spams

    We have an SA520 security appliance, and I have several problems configuring it, mainly with spam.

    Absolutely we will help you.
    The SA500 series comes with the ability to purchase a license upgrade for Trend Micro ProtectLink Gateway (Cloud Service). It allows:
    - Web Reputation Filtering (keeps clients off sites with malware and known virus distribution)
    - Content Filtering (by Category) set on the SA500 with up to 80 'categories' (you don't have to program a list of URLs)
    - EMAIL SPAM Prevention - Proxy your mail MX records to Trend and they remove SPAM before delivering.
    You will find in reading the latest datasheet and SB PRO Ordering Guide found on Partner Central that the licenses are offered in two modes (with or without the EMAIL) and we have some very attractive pricing on a new set of 'bundles' of software for this offering.
    Please check it out.
    But here is a lab I wrote showing how to enable Trend Micro on the SA500:
    https://supportforums.cisco.com/docs/DOC-9777
    let me know if you need more.
    Steve

  • Filter based group - viewing contents

    Hi,
    I'm trying to figure out how to see if a filter defined group on a Sun One 5.2 Directory server is getting the objects required.
    The filter group was defined by someone else. I've got several LDAP search tools available to me, but can't get results that I expect.
    The group is defined as:
    objectClass: top
    objectClass: groupofuniquenames
    objectClass: groupofurls
    memberURL: ldap:///ou=People,dc=app,dc=sample,dc=com??sub?(&(objectclass=person)(uid=*)(ntuserdomaindi=*sample*))
    cn=Employees
    The group is defined in the tree as:
    cn=Employees,ou=Groups,dc=app,dc=sample,dc=com
    My expectation, using ldp, ldapsearch, or Softerra's LDAP Browser, is that when I attempt to open the tree looking at the 'Employees' group, I would see a list of the objects that the filter selected. I don't see anything.
    Am I looking at this in a WRONG way, or is my query not working?
    TIA, Scott

    That's correct, SenderBase reputation filtering occurs very early on, at the IP/TCP level of a connection. To get more info on this, check out the user guide on HAT Overview.
    Since SenderBase reputation filtering occurs early on, even before the mail-from/rcpt-to/subject information is obtained, it is too late to enforce LDAP settings.
    However, what you can do with ldap is verify if the sender or recipient are a member of a certain group and then disable anti-spam/anti-virus/content filtering from their email. You would use ldap-from-group in conjunction with incoming or outgoing mail policies.
    To make an email immune from senderbase reputation filtering, you would need to know the IP/hostname/partial hostname of where their message is coming from and add that info to the whitelist sendergroup in the HAT overview.
    Is it possible to completely disable the reputation filter based on whether the recipient is in a certain LDAP group?
    I'm currently thinking no as LDAP groups are assigned a message filter and by this point in the pipeline the reputation filter has already been applied.
    Perhaps someone more experienced can confirm/disprove this for me?

  • IronPort Email get message size statistic for some period

    How can I get the SUM of message size for incoming and outgoing messages?
    Something like:
    Message Category                  Messages        Message Size
    Stopped by Reputation Filtering   21,7% / 100
    Stopped as Invalid Recipients     17,4% /  80
    Spam Detected                     10,9% /  50
    Virus Detected                     4,3% /  20
    Stopped by Content Filter          2,2% /  10
    Total Threat Messages:            56,5% / 260
    Clean Messages                    43,5% / 200
    Total Attempted Messages:                 460

    Hi Juraj,
    The message size for the "Monitor - Overview" reporting page is not included. Only on "Monitor - Incoming Mail" will you find the total message size per domain. Maybe you find something here, e.g. spamtowho, which might be of help:
    BR
    Enrico

  • Global correlation events

    I have an ASA 5510 with an SSM-10 module. I have global correlation turned on and updating. When I look at the dashboard's "Global Correlation Report" I see packets that have been denied by global correlation. Can someone tell me how global correlation events are logged? I'd like to be able to see the raw data associated with the global correlation.
    Thanks.

    Hi,
    Take a look at this:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1065809
    As can be seen, whenever "global correlation" causes any kind of action to be taken by the IPS it produces an alert, unless the packet is being denied by "reputation filtering", which does not produce any kind of alert. Also, "This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched".
    I am not sure of all those fields in the alert but I have seen at least some of them. If you are not seeing any alerts with those fields, then global correlation may not be seeing any instances where it has had to modify the risk ratings and take appropriate actions for it, that is, you may not be receiving any such packets from malicious hosts at all in the first place.
    Also, if you have "reputation filtering" on, you might want to turn it OFF to ensure it is not causing this behavior.
    Regards,
    Prapanch

  • How many license do I need with a cluster of 2x ESA?

    Hi there,
    I would like to implement a cluster of 2x Cisco IronPort ESA appliances in an Active/Active manner.
    It requires 4000 mail users, so how many licenses do I need to install on each ESA appliance? I suppose 2000 on each ESA.
    When one of the ESA fails, is it possible for the remaining one to handle the load of 4000 users?
    I am pretty new to this field. Please help.
    Thanks and Regards,
    Tuan, CCIE #26930

    Dear Tuan,
    For a 4000-user size, you can purchase a dual appliance bundle with a 1, 3 or 5 year license with 4000 mailbox licenses. You will be given 2 x C370 with Centralized Management license (together with licenses of your bundled feature set).
    You can run both in active/active configuration. With centralized management license, both can be formed as a cluster and you can manage the cluster configuration over web interface of one of the appliances.
    Regarding whether one unit can handle the load, it will depend on your traffic load (peak messages per hour, average message size, antispam, antivirus, outbreak filter, DLP, encryption, content filters, etc.). In my experience, one C370 should be able to handle the traffic of a similar-size enterprise.
    With SenderBase reputation filtering, you should already throttle/block 90+% of bad traffic coming from poor/bad reputation IP hosts. You can also make use of the new AsyncOS 7.6 'rate limit for envelope sender' to throttle mass mailing attacks from the same sender (also internal outbreak emails).
    Please get in touch with your partner for the details and they can also show you a demo. You can also get an evaluation unit from our partner to put it live. We can configure IronPort to be almost transparent on top of your existing mail gateway/server to prove its performance, antispam efficacy and other email security features.
    Cheers,
    Tommy

  • Cisco IPS (global correlation) is downloading lots of updates from the iron-port website

    I have query on Global correlation.
    Following is the observed behavior
    Scenario 1:
    Global Correlation Inspection: ON (Standard)
    Reputation Filter: ON
    Result: Global correlation downloads in bytes or KBs (observed on proxy)
    Scenario 2:
    Global Correlation Inspection: OFF
    Reputation Filter: ON
    Result: Global correlation downloads 4-5 MB every 5 Minutes (observed on proxy)
    This behavior has been observed on both IPS devices one by one. What we wanted clarity on is why global correlation downloads so much data when it is OFF, and downloads only minimal data when ON. The equation does not seem to be right.
    Request you for your prompt response.
    Regards,
    Neal

    Both global correlation and reputation filtering retrieve updates from the SensorBase network, or IronPort. By default, they communicate with the network every five minutes. This value cannot be changed by the IPS administrator.

  • Global Correlation and Network Participation - what's the value of it ???

    Hi security gurus!
    Can someone please shed more light for me on the value of Global Correlation and Network Participation available in IPS 7.x?
    We've enabled it on the client's IPS appliances and now the only information I see is some cryptic reports seen in IDM gadgets.
    It says that the reputation filtering is 100% under "Percentage of malicious packets identified". So what?
    How would I know exactly what those packets are and where they came from?
    The other metrics, Global Correlation Inspection and Traditional IPS Detection techniques, are 0%.
    What does it mean? Doesn't something work? Why are they 0%?
    How is this normally sold to the customer if there's no credible information about it?
    Eugene

    Hi,
    I think this link will help you http://docs.oracle.com/cd/B14117_01/network.101/b10776/listener.htm
