What is Sender Address Verification (SAV)?

SAV is one of the features used by the CyberHound Appliance to detect spam emails. SAV checks an email sender before it accepts an email from that address. On the CyberHound Appliance this is done by querying the remote email system to check that the sender address for the email is a deliverable email address. Each email is checked as it arrives, and email address results are temporarily cached on the CyberHound Appliance (approximately five days for valid addresses and approximately one hour for invalid addresses).

SAV is enabled on your CyberHound Appliance via Email Scanning > Rules and Configuration > SMTP Server. Once SAV is turned on in the CyberHound Appliance SMTP Server configuration, the “Message detects as spam” criterion in a given email scanning rule may be configured to perform an SAV check.

Sample SMTP Transaction Where Email Passes CyberHound Appliance SAV Check

Provided below is an example of a transaction where an email passes the CyberHound Appliance SAV query.

Remote Server Connects to the CyberHound Appliance
CyberHound Appliance 220 sitekey.safenetbox.biz ESMTP 
Remote Server helo remotehost.com
CyberHound Appliance 250 ok
Remote Server mail from:

The CyberHound Appliance will then connect to the sender’s email server to check if the sender’s address exists.

CyberHound Appliance Connects to the mail server from remotehost.com   
Mail Server 220 server.remotehost.com ESMTP
CyberHound Appliance helo remotehost.biz
Mail Server 250 ok
CyberHound Appliance mail from:
Mail Server 250 ok 
CyberHound Appliance rcpt to:
Mail Server 250 ok
CyberHound Appliance disconnects from the mail server

Because the sender’s address was valid, the email is allowed.

CyberHound Appliance 250 ok
Remote Server rcpt to:
CyberHound Appliance   250 ok
Remote Server data
… (message is sent)    

Sample SMTP Transaction Where Email Fails CyberHound Appliance SAV Check

Provided below is an example of a transaction where an email fails the CyberHound Appliance SAV query.

Remote Server Connects to the CyberHound Appliance
CyberHound Appliance 220 sitekey.safenetbox.biz ESMTP Netbox
Remote Server helo remotehost.com
CyberHound Appliance 250 ok
Remote Server mail from:

The CyberHound Appliance will then connect to the sender’s email server to check if the sender’s address exists.

CyberHound Appliance Connects to the mail server from remotehost.com   
Mail Server 220 server.remotehost.com ESMTP
CyberHound Appliance helo sitekey.safenetbox.biz
Mail Server 250 ok
CyberHound Appliance mail from:
Mail Server 250 ok 
CyberHound Appliance rcpt to:
Mail Server 550 5.1.1. User unknown
CyberHound Appliance disconnects from the mail server

Because the sender’s address was invalid, the email is rejected before the DATA command.

CyberHound Appliance 250 ok
Remote Server rcpt to:
CyberHound Appliance 550 : Sender address rejected: undeliverable address: host  server.remotehost.com[1.2.3.4] said: 550 5.1.1 User unknown (in reply to RCPT TO command)
Remote Server  data
… (message is sent)    

The highlighted section shows the error the remote server gave when the CyberHound Appliance performed the SAV check. This will usually be a brief reason why the server did not accept the message (e.g. User unknown).

How do I stop my email being blocked?

If genuine email is being blocked as spam due to SAV, this is because the sender’s address is not actually a deliverable email address. This may occur when an email is automatically generated and the sender address is not configured to accept replies.

If you are aware of a valid email that has been blocked in this way you can do either of the following:

  1. The preferred option is to notify the system administrator at the remote site. If the sender address is configured as a deliverable email address at that domain then it will no longer be blocked.
  2. If it is not possible to have the sender address properly configured then you can add it to the CyberHound Appliance SMTP server sender address white-list. This list can be edited via Configuration > SMTP Server.

The CyberHound Appliance can be configured to perform spam SAV checks on incoming email if required. If you wish to alter the SAV settings on your CyberHound Appliance refer to the email scanning rules that are configured, and the CyberHound Appliance SMTP Server configuration.
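
The check, cache and white-list behaviour described above can be sketched as follows. This is an added example, not CyberHound's code: the probe callable, the class name, the sample replies and the handling of 4xx replies are assumptions, and the probe stands in for the MAIL FROM / RCPT TO callout shown in the transcripts.

```python
import time

# TTLs follow the article's approximate figures (constructed constants).
VALID_TTL = 5 * 24 * 3600   # about five days for deliverable senders
INVALID_TTL = 3600          # about one hour for undeliverable senders

# Constructed RCPT TO replies standing in for the remote mail server.
SAMPLE_REPLIES = {
    "alice@remotehost.com": (250, "ok"),
    "noreply@remotehost.com": (550, "5.1.1 User unknown"),
    "busy@remotehost.com": (451, "4.3.0 Try again later"),
}


class SenderVerifier:
    """Cached SAV decision for the address given in MAIL FROM."""

    def __init__(self, probe, whitelist=(), clock=time.time):
        self.probe = probe      # hypothetical callable: address -> (code, text)
        self.whitelist = {a.lower() for a in whitelist}
        self.clock = clock
        self.cache = {}         # address -> (expiry time, verdict)

    def check(self, sender):
        sender = sender.lower()  # simplification: compare case-insensitively
        if sender in self.whitelist:
            return ("accept", "whitelisted")
        hit = self.cache.get(sender)
        if hit and hit[0] > self.clock():
            return hit[1]       # cached result, no callout made
        code, text = self.probe(sender)
        if 200 <= code < 300:
            verdict, ttl = ("accept", "deliverable"), VALID_TTL
        elif 500 <= code < 600:
            reason = f"undeliverable address: remote said: {code} {text}"
            verdict, ttl = ("reject", reason), INVALID_TTL
        else:
            # Assumption: 4xx or unexpected replies are temporary, so the
            # message is deferred and nothing is cached.
            return ("defer", f"{code} {text}")
        self.cache[sender] = (self.clock() + ttl, verdict)
        return verdict


if __name__ == "__main__":
    sav = SenderVerifier(SAMPLE_REPLIES.__getitem__,
                         whitelist=["reports@partner.example"])
    for addr in list(SAMPLE_REPLIES) + ["reports@partner.example"]:
        print(addr, sav.check(addr))
```

Because an invalid result expires after about an hour, a sender whose address is fixed at the remote site is accepted again on the next callout without any change on the appliance.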

Common questions about SAV

Who else uses SAV?

SAV is becoming more common, so most companies now have systems in place that support SAV (i.e. rather than sending emails from a fake email address, they now use a working address for things such as newsletters). Some large organisations that use it include University of Brighton, TPG and many others.

Won’t SAV produce a lot of extra traffic?

Yes, SAV will increase the amount of email traffic, but not by a significant amount. In the absolute worst case, there will be one blank email for each email coming in to the organisation. In a typical case, each sender is checked, then the result is cached for over a month. This means that in a typical scenario, with regular contact, there will be at most 12 extra emails generated over an entire year. This is a very low volume compared with the massive amount of spam that it stops.

I don’t like SAV because it can be used to D.O.S. a server

Although this is technically correct, the effect is the same as when a bounce message is sent, except that with a bounce a real message, rather than an empty one, is sent every time, loading up the server even more and filling up the user’s in-box.