From the course: Cisco CCNP SCOR v1.1 Security (350-701) Cert Prep: 2 Cloud and Content Security

Email blacklisting

- [Instructor] Let's look at blacklisting a sender using Cisco ESA. If we go under our main Mail Policies tab at the top, we can see a section for the Host Access Table, or HAT. Let's click the HAT overview and we'll see that we have an overview of our default sender groups listed here. Notice we have a reputation score listed here in the middle, a SenderBase reputation score. This uses SenderBase as a reputation service to enable us to control messages based on the trustworthiness of the sender. When the ESA receives messages from known or highly reputable senders, they're going to be delivered directly to the user without any content scanning; however, messages with unknown or less reputable scores will have anti-spam and antivirus scanning performed. You can see that this ranges from negative 10 to positive 10, with 10 of course being the most trusted. We also see our current default mail flow policies in place: Trusted, Blocked, Throttled, and Accepted. If we click on the Blocked instance inside the blacklist row, let's take a look under there. We can see these policy settings and we can edit those accordingly. Let's go back and look at our sender groups. So we'll take a step backwards here. And we see our sender groups are whitelist, blacklist, suspect list and unknown list. These are the groups that the senders will be sorted into based on their reputation score. And we can go in and manually blacklist or whitelist senders. So if we click on our blacklist, we're going to see the sender group list settings for this list. We see the name of that. We see the order that it is processed in. We have some comments, the policy is set to Blocked, and we see that the SBRS, the SenderBase reputation score, is going to range from negative 10 to negative three. Now we also have the ability to optionally connect an external threat feed if we choose to do that. Down at the bottom, the way that we can add a blacklisted sender is to simply click the Add Sender button.
When we do that, we have the option to do that by IP addresses or by geolocation. If we're having a particular problem with senders from a specific country, and we know for sure that we don't do any business with that particular country, we might blacklist in this manner. If we choose the IP addresses area, the easiest way to blacklist a sender is to add their IP address or domain name here. Note that the IP address or domain name used is going to be from the sending mail server. These can be discovered from message tracking or from the mail logs. If we click the question mark here beside Sender, we're going to get some information about the formats we can use. We can use IP version 4 or IP version 6 addresses individually. We can declare an entire subnet. We can set up an address range, or we can use hostnames, either full hostnames or partial hostnames. Let's say we wanted to block all emails from the domain example.com. We would simply go into this box and enter that. So we can say example.com as our domain and we can click the Submit button on the right. Once we do that, you'll see that our sender list is now updated with our single entry for example.com. This being a lab appliance, we have basically no data in any of our sender lists, by the way, but in an actual production environment where we have real mail flow, these lists are going to auto-populate as they are introduced into production and as they begin to see trusted and untrusted senders. And of course, if we want to delete a sender from here, we can simply choose the tick box to the right and click the Delete button. We're asked to confirm that, and that will allow us to delete any sender who has been unintentionally added into the blacklist. Similarly, if we go back to our mail policies and we look at our HAT overview, if we wanted to whitelist a user, we can click on the whitelist user group and Add Sender. And of course we can do the exact same process that we looked at for blacklisting.
So that's a look at how we can blacklist an email sender on the Cisco ESA.
