Support

Submit Support Ticket

Support Ticket General Information

Web Reputation Tickets

If you own or have come across a domain, URL, or IP that you believe has the incorrect reputation, please submit a reputation adjustment ticket. You must be logged into your account in order to submit a ticket. If you do not have a CCO ID through Cisco, you may create a free guest account. Up to 50 entries can be submitted at a time.

After you submit a ticket you can view its status on your My Tickets page.

Submit a Web Reputation Ticket

Sender IP Reputation Tickets

Customers that own or have come across an IP address with an incorrect sender reputation through Cisco Secure, or would like to lower a sender IP's reputation scoring in response to receiving malicious files, can submit a sender IP reputation ticket. You must be logged into your account in order to submit a ticket. If you do not have a CCO ID through Cisco, you may create a free guest account.

After you submit a ticket you can view its status on your My Tickets page.

Submit a Sender IP Reputation Ticket

Sender Domain Reputation Tickets

Customers that own or have come across an email domain with an incorrect sender reputation through Cisco Secure, or would like to lower a sender domain's reputation scoring in response to receiving malicious files, can submit a sender domain reputation ticket. You must be logged into your account in order to submit a ticket. If you do not have a CCO ID through Cisco, you may create a free guest account.

After you submit a ticket you can view its status on your My Tickets page.

Submit a Sender Domain Reputation Ticket

Content Categorization Tickets

If you own or have come across a domain, URL, or IP that you believe has been improperly categorized or is missing a category, please submit a categorization ticket. If you do not have a CCO ID through Cisco, you may create a free guest account. Up to 100 entries can be submitted at a time.

After you submit a ticket you can view its status on your My Tickets page.

Submit a Content Categorization Ticket

File Reputation Tickets

If you have come across a file that you believe has been improperly classified, please submit a file reputation ticket using a SHA256 hash of the file in question. If you do not have a CCO ID through Cisco, you may create a free guest account. Up to 50 SHA256 hashes can be submitted at a time.

After you submit a ticket you can view its status on your My Tickets page.

Submit a File Reputation Ticket
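An added example, not Talos tooling, for preparing a file reputation ticket: it hashes files with SHA256, rejects entries that are not SHA256 hashes, removes duplicates and splits the rest into groups of 50 to match the per-ticket limit stated above. The function names are assumptions of this example.

```python
import hashlib
import re

MAX_PER_TICKET = 50  # per-ticket limit stated on this page for SHA256 hashes
HEX_RE = re.compile(r"[0-9a-f]+")
# Hex lengths of other common digests, used only to explain a rejection.
OTHER_DIGESTS = {32: "MD5", 40: "SHA-1", 128: "SHA-512"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large samples are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def prepare_batches(entries, limit=MAX_PER_TICKET):
    """Return (batches, rejected) for a list of candidate hash strings.

    batches  -- lists of unique, lower-cased SHA256 hashes, at most `limit` each
    rejected -- (original_entry, reason) pairs for anything that is not SHA256
    """
    seen, valid, rejected = set(), [], []
    for entry in entries:
        original = entry.strip()
        value = original.lower()
        if not value:
            continue  # ignore blank lines from pasted lists
        is_hex = HEX_RE.fullmatch(value) is not None
        if is_hex and len(value) == 64:
            if value not in seen:  # the same file reported twice counts once
                seen.add(value)
                valid.append(value)
        elif is_hex and len(value) in OTHER_DIGESTS:
            reason = "looks like " + OTHER_DIGESTS[len(value)] + ", not SHA256"
            rejected.append((original, reason))
        else:
            rejected.append((original, "not a 64-character hex string"))
    batches = [valid[i:i + limit] for i in range(0, len(valid), limit)]
    return batches, rejected


if __name__ == "__main__":
    # Constructed input: 120 hashes of made-up byte strings plus two bad entries.
    sample = [hashlib.sha256(b"constructed sample %d" % i).hexdigest()
              for i in range(120)]
    sample += ["d41d8cd98f00b204e9800998ecf8427e", "not-a-hash"]
    batches, rejected = prepare_batches(sample)
    for number, batch in enumerate(batches, start=1):
        print("ticket %d: %d hashes" % (number, len(batch)))
    for entry, reason in rejected:
        print("rejected %s: %s" % (entry, reason))
```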

Email Status Portal

The Email Status Portal is a tool for monitoring the status of email submissions from Cisco customers. To improve overall efficacy, Cisco encourages customers who use Cisco Secure Email to submit spam/phish that bypassed current detection content, as well as ham (desirable email that was incorrectly filtered out). Cisco accepts these submissions through the Cisco email security plugin for Microsoft Outlook, or as emails forwarded as an attachment directly to email addresses based on their type (spam, ham, phish, virus, etc.). The Email Status Portal provides a way for customers to track the status of these submissions.

Email Status Portal

Submit Support Ticket

Why do I need to login to submit a ticket?

At Cisco Talos, we need customers to be able to provide feedback at all times, whether it be about false positives or negatives, or missed categories. Because we deal with an abundance of data across our platforms — such as IPS alerts, Cisco Secure Endpoint alerts and more — feedback helps us test the efficacy of those alerts and systems promptly.

The new dispute system links the dispute ticketing system and our analysts closely together. This allows greater interactivity between our analysts and customers, and gives customers the ability to log into their account on Talosintelligence.com and see the resolution of every dispute they have ever filed through the new system.

If a user does not have a CCO ID through Cisco, they will be asked to create a free guest account.

In order to submit a ticket, you must be logged into your Cisco account.

Common Questions

How do I do a Web or Email Reputation Lookup?

Use the Reputation Center Search box to look up email and web reputation information.

You can search using the following criteria:

  • IPv4 address: for example, 198.133.219.25.
  • IPv6 address: for example, 2001:420:1101:1::a.
  • CIDR range: either IPv4 or IPv6, for example, 198.133.219.25/24 or 2001:420:1101:1::a/48.
  • Domain or Hostname: for example, cisco.com or www1-v6.cisco.com. Internationalized names are also supported, for example, 达彼思.香港 or xn--03txn239i.xn--j6w193g.
  • URI: for example, http://www.cisco.com/en/US/products/index.html.
  • Network Owner: for example, Cisco Systems.
  • Country: for example, United States.

What is the difference between Email Reputation and Web Reputation?

Talos Reputation Center email reputation is based on data for the IP address associated with a given email server. Talos Reputation Center web reputation is based on data for an entire domain and all associated IP addresses.

What are the Web Reputation Threat Levels?

Cisco Talos has updated our Web Reputation intelligence to use a more granular set of Threat Levels in order to better describe a website's or IP address's reputation. These levels describe a spectrum that characterizes the risk of visiting a website or IP address and is based on extensive telemetry and investigation. With this intelligence, users and analysts can more clearly distinguish established trusted sites and exceptionally untrusted sites from the lesser of both.

Legacy Verdict | New Threat Level | Description
Good | Trusted | Displaying behavior that indicates exceptional safety
Neutral | Favorable | Displaying behavior that indicates a level of safety
Neutral | Neutral | Displaying neither positive nor negative behavior. However, has been evaluated.
Neutral | Questionable | Displaying behavior that may indicate risk, or could be undesirable
Poor | Untrusted | Displaying behavior that is exceptionally bad, malicious, or undesirable
Unknown | Unknown | Not previously evaluated, or lacking features to assert a threat level verdict

What do the Email Reputation Scores mean?

By tracking a broad set of attributes for email, the Talos Reputation Center supports very accurate conclusions about a given host. Sophisticated security modeling leverages the breadth of this data to generate a granular reputation score ranging from -10 (for the worst) to +10 (for the very best). On this page the granular reputation score is grouped into Good, Neutral and Poor for simplicity.

  • Good: Little or no threat activity has been observed from this IP address or domain. Email traffic is not likely to be filtered or blocked*.
  • Neutral: This IP address or domain is within acceptable parameters. However, email traffic may still be filtered or blocked*.
  • Poor: A problematic level of threat activity has been observed from this IP address or domain. Email traffic is likely to be filtered or blocked*.

*While many networks use the Talos Reputation Center as a means for assessing their email traffic, it does not block email or Internet traffic. If your email is being blocked or you feel it is not being delivered, you should check with your ISP.

How is Email Volume Magnitude calculated?

Similar to the Richter scale used to measure earthquakes, the Talos Reputation Center volume magnitude is a measure of message volume calculated using a log scale with a base of 10. The maximum theoretical value of the scale is set to 10, which equates to 100% of the world's email message volume. Using our log scale, a one point decrease in magnitude equates to a 10x decrease in actual volume.

For example, with a worldwide daily volume of 200 billion messages/day, a domain with a volume magnitude of 5 would have an estimated volume of 2,000,000/day, while a sender with a volume magnitude of 6 would have an estimated daily volume of 20,000,000/day.

The following table illustrates the percentage of Internet email associated with each volume magnitude:

Volume Magnitude | Percentage of Internet Email
10.0 | 100%
9.0 | 10%
8.0 | 1%
7.0 | 0.1%
6.0 | 0.01%
5.0 | 0.001%
4.0 | 0.0001%
3.0 | 0.00001%
2.0 | 0.000001%
1.0 | 0.0000001%

What does 'Blocked: Too Many Requests' mean?

If you saw the message "Access Forbidden: Too many requests" you have surpassed the maximum number of queries allotted per user in a 24-hour time span. This web service is free of charge, but for availability reasons each user is only granted a certain number of queries per 24 hours.

We reserve the right to change the value for the maximum number of queries at any time to offer each user a highly available and fast service. In case of continued excessive use of this service we further reserve the right to block the offending IP permanently.

How current is the Reputation Lookup data?

The data presented on TalosIntelligence.com is refreshed every 3 hours. This schedule ensures faster query times and manages effective server load.

How do I do a File Reputation Lookup?

Talos File Reputation Lookup allows you to do casual lookups against the Talos File Reputation system. This system limits you to one lookup at a time, and is limited to only hash matching with SHA256 hashes. This lookup does not reflect the full capabilities of the Secure Endpoint system.

How is the Talos Weighted File Reputation Score calculated?

Using automated intelligence that analyzes a myriad of file samples, the Talos Weighted File Reputation Score ranges from 0 to 100, with 100 being the most malicious. There are some known file types, for example Adobe Flash files, which score low but are malicious in nature. Do not rely on this number alone as an indicator of maliciousness.

What are the two types of Web categories?

Talos supports two types of categories, both of which appear in the Reputation Center.

  • Threat Categories describe the reason(s) for a lower web reputation threat level. To dispute a Threat Category, submit a web reputation support ticket and select 'Suggest Threat Category' from the Suggested Reputation Changes column dropdown, then specify which Threat Categories you believe should be added or replaced. If you are unsure which new Threat Category should be applied, you may suggest the Malicious Sites Threat Category. Please supply additional details in the comment section to aid in investigation.
  • Content Categories characterize the general use of the website and are unrelated to any potential threats that the URL or IP may host. To dispute a content category, submit a content categorization support ticket.

Important notes:

  • A website can have both a threat category and a content category.
  • Some Cisco products may condense both types of categories together into the same field on their management consoles. To dispute a category, you may need to first identify the type of category being displayed and select the appropriate dispute portal that reports the type of category that you would like adjusted.
  • For more information, you can view lists of the supported threat categories and content categories.

Why can domain reputation be different than IP reputation?

When searching for a URL, TalosIntelligence.com does not calculate its reputation using a host’s resolving IP address, unlike our Cisco Secure Web Appliance (formerly WSA). This is by design, as Dynamic DNS can cause a domain’s resolving IP to change based on multiple factors. Having TalosIntelligence.com incorporate a domain’s resolving IP into its reputation can result in users receiving different reputations for the same domain.

When a reputation on TalosIntelligence.com is not matching what the customer sees on their end, we would suggest they use nslookup to find the resolving IP address of a domain and then search TalosIntelligence.com using the resolving IP. If the resolving IP is listed as "Untrusted," the domain is most likely being blocked because of this.
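The nslookup step above, as an added Python sketch (not Cisco or Talos code): it extracts a domain's resolving IPs from nslookup output, in either the Linux or the Windows layout, so that each can be searched by hand in the Reputation Center. The sample outputs are constructed, and the function name `resolving_ips` is an assumption of this example.

```python
import ipaddress
import sys

# Constructed sample output (not captured from a real session). The answer
# addresses reuse the example IPs this page gives for Reputation Center searches.
SAMPLE_UNIX = """\
Server:\t\t192.168.1.1
Address:\t192.168.1.1#53

Non-authoritative answer:
Name:\twww.example.test
Address: 198.133.219.25
Name:\twww.example.test
Address: 2001:420:1101:1::a
"""

SAMPLE_WINDOWS = """\
Server:  resolver.example.test
Address:  192.168.1.1

Non-authoritative answer:
Name:    www.example.test
Addresses:  2001:420:1101:1::a
          198.133.219.25
          10.20.30.40
"""


def resolving_ips(nslookup_output):
    """Return (searchable, skipped) address lists parsed from nslookup output.

    Addresses printed before the first "Name:" line belong to the DNS resolver
    that answered the query, not to the domain, so they are ignored. Answers
    that are not globally routable (for example an internal split-DNS record)
    go to `skipped`, because a public reputation search on them is meaningless.
    """
    searchable, skipped = [], []
    in_answer = False
    for raw in nslookup_output.splitlines():
        line = raw.strip()
        if line.lower().startswith("name:"):
            in_answer = True
            continue
        if not in_answer or not line:
            continue
        # Drop the label; Windows continuation lines carry a bare address.
        for label in ("addresses:", "address:"):
            if line.lower().startswith(label):
                line = line[len(label):].strip()
                break
        candidate = line.split("#", 1)[0]  # remove a "#53" port suffix if present
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # alias lines, error text, anything that is not an address
        bucket = searchable if ip.is_global else skipped
        if str(ip) not in bucket:
            bucket.append(str(ip))
    return searchable, skipped


if __name__ == "__main__":
    # Use piped nslookup output when present, otherwise the constructed sample.
    text = SAMPLE_UNIX if sys.stdin.isatty() else sys.stdin.read()
    searchable, skipped = resolving_ips(text)
    print("Search these in the Reputation Center:", ", ".join(searchable) or "none")
    print("Not globally routable, skipped:", ", ".join(skipped) or "none")
```

A domain that returns several addresses needs a search for each one, since a single "Untrusted" resolving IP is enough to explain a block.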

What should I do if there is a problem with my CEC ID, company name, or other account information?

To open a case related to CEC information, or to edit your own account details, please visit id.cisco.com.

Support Tools

Application Visibility Control Portal

This tool allows users to search and filter applications supported by Cisco Secure Firewall and Cisco Secure Web Appliance. These products provide context-aware-capabilities for exceptional visibility and control so your enterprise can take advantage of new applications and devices without compromising security.

Email Reputation

Reasons for Neutral Email Reputation

A neutral email reputation can indicate one of two things:

  1. There are slight problems with the IP which are keeping it from having a better reputation.
  2. There are very low levels of mail flow traffic reported for the IP by the Talos Reputation Center. Without sufficient email reports, the Reputation Center cannot accurately generate a reputation for the IP and assigns the IP a "Neutral" reputation.

Generally a neutral reputation is a very good thing, as the Reputation Center does not view the IP as a potential spam risk. The IP is considered within acceptable Talos Reputation Center parameters. Talos Reputation Center guidelines do not recommend blocking of emails from senders with neutral reputations.

Reasons for Poor Email Reputation

Here are some common reasons why an IP might have a poor reputation:

  • There have been reports of spam from your IP. Look up your IP's reputation on Talos Reputation Center and check the "DNS Based Block Lists" area to see whether it is listed on any of the common DNSBLs.
  • Your IP exhibits DNS patterns that indicate compromise by a SpamBot. Make sure your DNS is configured according to the protocol for RFC 5321, section 4.1.1.1 (https://www.ietf.org/rfc/rfc5321.txt).
  • Our sensors have received emails from your IP that contained links to domains hosting or distributing malware.

If you know what your problem was and have fixed it, your score should improve automatically within 3-5 days. If your score does not improve within 3-5 days after you think you fixed the problem, please create a ticket and we'll investigate.

Incorrect Network Owner of an IP Address

Talos Reputation Center displays the owner of the largest IP block to which an IP belongs. The apparent owner may actually be an organization that is renting IP space from the owner of the entire IP block. This is a very common practice. A whois query on the IP can corroborate the data provided by the Reputation Center.

If our data is incorrect, please note that the Talos Reputation Center contains information on over 32 million IP addresses that send email. It typically takes about 3 months for network owner and other contact/hostname information to be updated. Since there is no way to know the exact time the information for a given IP was updated, it is hard to predict how soon it will re-update. In any case, it should not be longer than 3 months.

Be assured that the information we list in the Network Owner is for information only and does not impact the IP's reputation. If an IP has a poor reputation, there's a different reason. See the "Reasons for Poor Email Reputation" FAQ for more information.

If a change is still needed, please file a ticket with our Contact Reputation Support form. Note: tickets about IPs with poor reputations take priority.

Incorrect Hostname

If you recently changed your IP, then the Reputation Center data will update automatically as we receive samples of email with the new hostname. It doesn't affect your reputation. If you've had the IP for more than 3 months, please create a ticket with our Contact Reputation Support form and we will investigate.

Reputation Recovery Time for IP

In general, once all issues have been addressed (fixed), reputation recovery can take anywhere from a few hours to just over one week, depending on the specifics of the situation and how much email volume the IP sends. Complaint ratios determine the amount of risk for receiving mail from an IP, so logically, reputation improves as the ratio of legitimate mails increases with respect to the number of complaints. Speeding up the process is not really possible. The Talos Reputation Center is an automated system over which we have very little manual influence.

In the meantime, if there are recipients whom you cannot contact, we would recommend contacting the ISP involved to request a temporary addition to its Allow List, or you can always arrange to contact the recipient via alternative means.

Adjusting IP Score

No - the Talos Reputation Center is an automated system. All IPs are subject to the same reputation calculation standards. Manually adjusting a score would be contradictory to fair and equal assessment of all IPs.

Purchase IP / Web Reputation Filtering

Presently we do not offer any such package. You may contact Cisco Sales and inquire about router and email appliance services which would offer you the protection of our IP (email) and URI (web) reputation systems.

Web Reputation

Reasons for Neutral Web Reputation

For a website to have a "trusted" reputation, we need to have substantial positive evidence over time. Consequently, the majority of websites have "neutral" reputations. The Talos Reputation Center guidelines do NOT recommend blocking of sites with neutral reputations.

Reasons for Untrusted Web Reputation

There are many reasons why a URI or Webhosting IP can have an untrusted web reputation. If your website's reputation is untrusted and you are certain that your site is uncompromised, please file a support ticket with our Contact Reputation Support form and we will investigate.

Meanwhile, here are some simple "best practices" that will reduce the likelihood of problems:

  • Ensure that the IP addresses hosting the website are dedicated IP addresses. If the IP addresses change frequently, and if the site has an IP address that was hosting malicious content in the past, it can result in an untrusted web reputation.
  • Ensure that the content hosted by the website is fully owned and controlled by you and is clean.

Sender Domain Reputation

What is a Sender Domain Reputation Ticket versus a Sender IP Reputation Ticket?

The Sender IP Reputation tickets should only be used to dispute individual IP addresses that have been wrongly flagged as malicious or have been shown to be sending malicious content and are not being blocked. Sender Domain Reputation tickets are for specific email domains or email addresses and are processed differently than IP addresses.

How long will it take to see a change in sender domain reputation after submitting a ticket?

Customers should receive an initial response within 24 hours; resolution time of a submitted ticket will vary.

Terms of Service

Description of Talos Reputation Center

The Talos Reputation Center is a traffic monitoring network. The Talos Reputation Center examines different parameters about email traffic and web traffic, including global sending volume, complaint levels, "spamtrap" accounts, whether a sender's DNS resolves properly and accepts return mail, country of origin, block list information, probability that URLs are appearing as part of a spam or virus attack, open proxy status, use of hijacked IP space, valid and invalid recipients, and other parameters. The Talos Reputation Center uses these parameters to provide comprehensive data to differentiate legitimate senders from spammers and other attackers.

License

Cisco grants you a limited, non-exclusive, non-transferable license to use the Talos Reputation Center strictly in accordance with these Terms.

Cookie Support

You must enable cookies in your web browser to use the Talos Reputation Center. A cookie is a file saved on your computer to identify your web browser. To enable cookies, please go to the options settings in your web browser.

Acceptable Use

The Talos Reputation Center and any information obtained from the Talos Reputation Center ("Materials") are for Your personal and non-commercial use in monitoring the reputation of Your network. You agree not to:

  • exceed 10 queries per minute per IP or subnet;
  • use any measure to circumvent this personal and non-commercial use limitation or other requirements in these Terms; or
  • modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer or sell the Materials or any information, software, products or features obtained from the Talos Reputation Center. This includes no "scraping" of the data.

If You use the Talos Reputation Center in violation of these Acceptable Use limitations, Cisco may suspend or terminate your access to the Talos Reputation Center.

No Unlawful or Prohibited Use

You agree not to:

  • use the Talos Reputation Center for any purpose that is unlawful or prohibited by these Terms;
  • use the Talos Reputation Center in any manner that could damage, disable, overburden, or impair any Cisco network, or interfere with any other party's use of the Talos Reputation Center;
  • attempt to gain unauthorized access to the Talos Reputation Center, through hacking, anonymous proxies, botnets, TOR exit nodes or any other means;
  • mask or otherwise conceal your true IP address and identity;
  • "scrape" or use any other automated means to retrieve the reputation data of the site;
  • obtain or attempt to obtain any Materials or information through any means not intentionally made available through the Talos Reputation Center; or
  • use the Talos Reputation Center if You are not permitted to do so under applicable law in the United States and the country where You reside, including under any export control laws governing the export of data or software.

Violations, including intellectual property infringement and security issues, will result in your use being limited, or blocked, and will be investigated by Cisco and prosecuted to the fullest extent of the law, whether civil or criminal. Cisco may involve and cooperate with law enforcement authorities in prosecuting users who violate these Terms.

Privacy

The Talos Reputation Center and any personal information you provide to Cisco in connection with your use of the Talos Reputation Center is subject to Cisco's Privacy Policy located at http://www.cisco.com/web/siteassets/legal/privacy.html, which is hereby incorporated into these Terms.

Indemnity

You agree to indemnify and hold Cisco, its affiliates, officers, and employees, harmless from any claim or demand, including reasonable attorneys' fees, made by any third party due to or arising out of Your use of Talos Reputation Center, Your violation of these Terms, or Your infringement of any third party's intellectual property rights.

Warranty Disclaimer

CISCO PROVIDES THE TALOS REPUTATION CENTER ON AN "AS IS," "WITH ALL FAULTS" AND "AS AVAILABLE" BASIS. CISCO MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE OPERATION OF THE TALOS REPUTATION CENTER, INCLUDING, WITHOUT LIMITATION, ITS ACCURACY, COMPLETENESS OR RELIABILITY, THAT THE TALOS REPUTATION CENTER WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS WILL BE CORRECTED. CISCO EXPRESSLY DISCLAIMS ALL WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OF THIRD-PARTY RIGHTS, AND ANY WARRANTIES OF NON-INTERFERENCE OR ACCURACY OF INFORMATIONAL CONTENT. CISCO DOES NOT REPRESENT OR GUARANTEE THAT THE TALOS REPUTATION CENTER WILL BE FREE FROM LOSS, CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING OR OTHER SECURITY INTRUSION, AND CISCO DISCLAIMS ANY LIABILITY RELATING THERETO.

Limitation of Liability

IN NO EVENT WILL CISCO OR ITS AFFILIATES BE LIABLE FOR ANY COSTS OF PROCUREMENT OF SUBSTITUTE PRODUCTS OR SERVICES, LOST PROFITS, LOSS OF INFORMATION OR DATA, OR ANY OTHER SPECIAL, INDIRECT, CONSEQUENTIAL, OR INCIDENTAL DAMAGES ARISING IN ANY WAY OUT OF YOUR USE OF, OR INABILITY TO USE THE TALOS REPUTATION CENTER, EVEN IF CISCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THESE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU.

Changes to Terms

Cisco may update or otherwise modify these Terms and apply new or additional Terms to the Talos Reputation Center. Such new or additional terms ("Additional Terms") will be effective immediately and incorporated into these Terms. Your continued use of the Talos Reputation Center will constitute your agreement to any such Additional Terms and the amendment of these Terms to incorporate such Additional Terms. You are responsible for regularly reviewing the Terms and any Additional Terms posted on the Talos Reputation Center.

Termination

Cisco may terminate these Terms, or terminate or suspend your access to the Talos Reputation Center at any time, with or without cause, with or without notice. Without limiting the foregoing, if you violate these Terms, we may end Your permission to use Talos Reputation Center. Upon such termination or suspension, your right to use the Talos Reputation Center will immediately cease. The termination of your permission to use the Talos Reputation Center shall not terminate any of these Terms which, by their nature, are intended to survive termination, including, but not limited to, those relating to indemnity, warranty disclaimer, limitation of liability, intellectual property rights and governing law and jurisdiction. You agree that Cisco shall not be liable to You for any suspension or termination of your access to the Talos Reputation Center.

Intellectual Property Rights

The Talos Reputation Center and any Materials are protected by copyright, trademark and other intellectual property rights. Cisco or its affiliates own the title, copyright, trademark and other intellectual property rights in the Talos Reputation Center. Except as specifically permitted by these Terms, no portion of the Talos Reputation Center may be distributed or reproduced by any means or in any form, without Cisco's prior written consent.

Governing Law and Jurisdiction

These Terms are governed by the laws of the State of California, without reference to conflict of laws principles, and any disputes arising hereunder are subject to the jurisdiction of the California state courts in Santa Clara County, or in the event of federal jurisdiction, the federal courts for the Northern District of California. You consent to the exclusive jurisdiction and venue of these courts. Cisco also reserves the right to initiate legal action before any court of competent jurisdiction to protect its intellectual property and other rights under these Terms. You acknowledge and agree that a breach or threatened breach of these terms would cause irreparable injury, that money damages would be an inadequate remedy, and that Cisco shall be entitled to temporary and permanent injunctive relief, without the posting of any bond or other security, to restrain You or anyone acting on your behalf, from such breach or threatened breach.

General Provisions

These Terms are the entire agreement between You and Cisco concerning Your use of the Talos Reputation Center, and supersede any and all prior or contemporaneous written or oral understandings with respect to this subject. Cisco may assign these Terms, in whole or in part, at any time with or without notice to You, but You may not assign these Terms or any rights hereunder. Any attempt by You to transfer, assign or delegate these Terms without Cisco's prior written consent shall be null and void. There shall be no third party beneficiaries to these Terms. If any of these Terms is held invalid or unenforceable, such invalidity or non-enforceability will not invalidate or render unenforceable any other of these Terms. Section headings in these Terms are solely for convenience of reference and have no legal or contractual significance. Cisco's failure to enforce any provision in these Terms will not constitute a waiver of such provision, or any other provision of such Terms. Cisco will not be responsible for failures to fulfill any obligations due to causes beyond its control. The provisions of these Terms governing disclaimers of warranties, liability limitation, indemnity obligations, intellectual property rights and governing law and jurisdiction shall survive expiration or termination of these Terms. Any rights not expressly granted herein are reserved.

Last updated March 1, 2012