Field Notice: FN - 72389 - Cisco Secure Email Gateway: Talos Domain Age Update - Configuration Change Recommended

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	26-Apr-22	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	AsyncOS for Secure Email	12	12.0.0, 12.1.0, 12.5.0, 12.5.3
NON-IOS	AsyncOS for Secure Email	13	13.5.1, 13.5.3
NON-IOS	AsyncOS for Secure Email	14	14.0.0

Defect Information

Defect ID	Headline
CSCwb32685	sdr-age values above 30 days deprecated

Problem Description

Cisco Talos has determined that the use of a domain age greater than 30 days does not improve threat detection. Cisco plans to make a retroactive backend service change to the domain age on October 24, 2022, which will result in a maximum domain age of 30 days. In order to avoid false positives and false negatives, or unintentionally block and allow email, cloud and on-prem customers who use a domain age of 31 days or greater in message and content filters must modify the filters to use domain ages of 30 days or less.

Background

As part of an ongoing effort to modernize infrastructure and improve efficacy, Cisco Talos will modify the domain age in order to more accurately capture the maturity of a domain. For more details on the change, see Configure Sender Domain Reputation for ESA.

Problem Symptom

The new limit to the Sender Domain Age in threat detection will have an impact in these cases:

• The Email Gateway has one or more message/content filters configured to match a Sender Domain Age greater than 30 days.

• Sender Domain Age data from the logs or message tracking data will be used to derive additional insights or other processing. For example, tracking events and mail logs would change as shown here:

  Before: Thu Apr  7 15:21:00 2022 Info: MID 25 SDR: Consolidated Sender Reputation: Neutral, Threat Category: N/A. Youngest Domain Age: 35 years 4 months 27 days for domain: cisco.com

  After: Thu Apr  7 15:21:00 2022 Info: MID 25 SDR: Consolidated Sender Reputation: Neutral, Threat Category: N/A. Youngest Domain Age: 30 days for domain: cisco.com

Workaround/Solution

If you have message filters, complete Solution 1. If you use message tracking or external log analysis, complete Solution 2. If you have message filters and use message tracking/external log analysis, complete solutions 1 and 2.

Solution 1. Message Filters

Change or remove message/content filter conditions which are configured to match a Sender Domain Age greater than 30 days, as appropriate to your environment.

Solution 2. Message Tracking or External Log Analysis

Adjust any usage of the logging or message tracking data, taking into consideration that the Sender Domain Age shall be limited to a maximum of 30 days. For example, if this logging or message tracking data is being ingested into external systems such as Security Information and Event Management (SIEM) tools and so on, the data would need to be adjusted accordingly, taking into consideration that domain age would be capped at a maximum of 30 days.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email or telephone

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.