Overview of Sender Domain Reputation Filtering
Cisco Talos Sender Domain Reputation (SDR) is a cloud service that provides a reputation verdict for email messages based on a sender’s domain and other attributes.
Domain-based reputation analysis enables a higher spam catch rate by looking beyond the reputation of shared IP addresses and of hosting or infrastructure providers. It derives verdicts from features that are associated with fully qualified domain names (FQDNs) and from other sender information in the Simple Mail Transfer Protocol (SMTP) conversation and message headers.
For more information, see the Cisco Talos Sender Domain Reputation (SDR) white paper in the Security Track of the Cisco Customer Connection program at http://www.cisco.com/go/ccp.
SDR Verdicts
The following table lists the SDR verdict names, descriptions, and recommended actions:
| Verdict Name | Description | Recommended Action |
|---|---|---|
| Awful | The worst reputation verdict. Expect to see false negatives (FN) if the blocking threshold is set to only this verdict, which prioritizes delivery over security. | Block the message. |
| Poor | The recommended blocking threshold. This balances the trade-offs between false negatives (FN) and false positives (FP). Talos tunes SDR so that messages that are blocked by SDR have either a poor or awful verdict. Not blocking on this verdict prioritizes delivery over security, but it results in false negatives that the customer accepts when not blocking based on this verdict. | Scan the message with the other engines configured on your email gateway. |
| Tainted | The sender reputation is suspect. Blocking based on this verdict is aggressive and not recommended by Talos. It promotes security over delivery, but it results in false positives that you accept when blocking based on this verdict. | Scan the message with the other engines configured on your email gateway. |
| Weak | A common verdict for many domains (including legitimate and mixed-use) associated with weak indicators that preclude a neutral verdict. Talos does not recommend blocking on this verdict. While this prioritizes security over delivery, it results in an unacceptable number of false positives (as per Talos) when you block messages based on this verdict. | Scan the message with the other engines configured on your email gateway. |
| Unknown | The sender is using a newly registered domain or one that SDR does not otherwise recognize. For domains in this undetermined state, Talos performs further analysis to establish a verdict quickly. Talos does not recommend blocking on this verdict. Blocking on this verdict results in many false positives that you accept when adjusting your threshold to this verdict. Talos recommends quarantining messages with a verdict of “unknown.” The message delivery is slightly delayed to allow time for Talos to investigate the domain before scanning the message with subsequent engines. | Scan the message with the other engines configured on your email gateway. |
| Neutral | The normal expected verdict when the sender is using a domain that is not new and adheres to the sender best practices. Sender best practices include using SPF, DKIM signing, not sending spam, etc. | Scan the message with the other engines configured on your email gateway. |
| Good | A rare verdict that indicates the sender is using a certified domain where messages are DKIM signed (aligned on the “ | Scan the message with the other engines configured on your email gateway. |
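
The trade-off the table describes between false negatives and false positives can be seen by sweeping the blocking threshold over a labelled sample. The following is an added example, not Cisco or Talos code: the function names are hypothetical, the sample messages are constructed, and it assumes that a threshold blocks the named verdict and every verdict listed above it in the table.

```python
# Added example. Verdict names follow the table above, worst first.
VERDICTS = ["awful", "poor", "tainted", "weak", "unknown", "neutral", "good"]
RANK = {name: i for i, name in enumerate(VERDICTS)}


def action_for(verdict, threshold="poor"):
    """Return 'block', 'quarantine' or 'scan' for one SDR verdict.

    Assumption: the threshold blocks that verdict and all worse ones.
    """
    v = verdict.strip().lower()
    t = threshold.strip().lower()
    if t not in RANK:
        raise ValueError(f"unrecognized threshold: {threshold!r}")
    if v not in RANK:
        # Unrecognized verdict string: never block on it, let other engines decide.
        return "scan"
    if RANK[v] <= RANK[t]:
        return "block"
    if v == "unknown":
        # The table recommends quarantining "unknown" while Talos investigates.
        return "quarantine"
    return "scan"


def sweep(sample):
    """Map each threshold to (false positives, false negatives).

    FP = legitimate mail blocked; FN = spam not blocked by SDR alone.
    """
    result = {}
    for t in VERDICTS:
        fp = sum(1 for v, spam in sample if action_for(v, t) == "block" and not spam)
        fn = sum(1 for v, spam in sample if action_for(v, t) != "block" and spam)
        result[t] = (fp, fn)
    return result


# Constructed sample of (SDR verdict, is_spam); not real traffic data.
SAMPLE = [
    ("Awful", True), ("Awful", True), ("Poor", True), ("Poor", True),
    ("Tainted", True), ("Tainted", False), ("Weak", False), ("Weak", False),
    ("Weak", True), ("Unknown", False), ("Unknown", True),
    ("Neutral", False), ("Neutral", False), ("Good", False),
]

if __name__ == "__main__":
    for threshold, (fp, fn) in sweep(SAMPLE).items():
        print(f"{threshold:8s} FP={fp} FN={fn}")
```

On this constructed sample, moving the threshold from "poor" to "weak" trades two fewer false negatives for three false positives, which is the pattern the verdict descriptions warn about.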