Block Emails with Blank TO Section

vishnurnth1
Level 1

Hi All,

We are receiving Spam emails with blank TO address, is there any way we can Quarantine those mails in Cisco ESA.

Eg:

From : test@domain.com

To:

Date : 03/09/2016 11:00 AM

Subject : Payment

Thank you,

Vishnu

2 Accepted Solutions

dmccabej
Cisco Employee

Hello Vishnu,

I'm assuming you're referring to the blank friendly 'To:' field that is visible in the mail client (IE: Outlook) and not the actual 'Rcpt To:' field, correct?

This can be accomplished via a Content Filter to look for the following condition: Other Header --> name 'To' --> Does not contain --> .

Keep in mind this may also impact CC/BCC type emails, so you may wish to test before pushing to a production environment. You could also add further conditions to narrow down the scope if need be.

Then of course, all you need to do is add the needed actions. (IE: Quarantine / Log entry / ETC)

Thanks!

-Dennis M.

jramondi
Cisco Employee

Hi, Vishnu

In order to block emails with the 'To' header empty, you can implement the following message filter. It will look for any email in which the 'To' header value was not entered. 

====================

To_Header_Empty:
if (header("to") == "^$") {
    quarantine("Policy");
}

====================

I ran a test with the above filter in place, and it worked as expected:

====================

250 mail.labesa.com
mail from: test@cisco.com
250 sender <test@cisco.com> ok
rcpt to: jramondi@cisco.com
250 recipient <jramondi@cisco.com> ok
data
354 go ahead
From: test@domain.com
To:
Date: 03/09/2016 11:00 AM
Subject : Payment

Cisco test

====================

====================

Sun Sep  4 14:41:03 2016 Info: Start MID 96234 ICID 279178
Sun Sep  4 14:41:03 2016 Info: MID 96234 ICID 279178 From: <test@cisco.com>
Sun Sep  4 14:41:07 2016 Info: MID 96234 ICID 279178 RID 0 To: <jramondi@cisco.com>
Sun Sep  4 14:41:16 2016 Info: MID 96234 Message-ID '<9ef2aa$2tva@mail.coesa.com>'
Sun Sep  4 14:41:16 2016 Info: MID 96234 ready 206 bytes from <test@cisco.com>
Sun Sep  4 14:41:16 2016 Info: MID 96234 matched all recipients for per-recipient policy DEFAULT in the outbound table
Sun Sep  4 14:41:16 2016 Info: MID 96234 DLP no violation
Sun Sep  4 14:41:16 2016 Info: MID 96234 quarantined to "Policy" (message filter:To_Header_Empty)
Sun Sep  4 14:41:16 2016 Info: Message finished MID 96234 done

====================

I also tested the filter with emails that did contain a 'To' header specified, and they were successfully delivered.

In addition, I strongly recommend that you report these emails to our AntiSpam team, so we can adjust the rules on our AS engine to stop these threats in the future. I have attached a document explaining this procedure.

Regards,

Juan C

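As an added illustration (not part of either answer above, and not ESA code), the Python check below reproduces what the "^$" header test in Juan's filter decides, run against a constructed copy of the spam sample from this thread. It also shows the Cc-only case Dennis warns about, which the same rule would quarantine, and a message with no To header at all, whose handling on the ESA the thread does not state. Function names and sample messages are my own assumptions.

```python
import re
from email import message_from_string

# The thread's message filter compares the To header against "^$": the header
# line exists but its value is the empty string.
EMPTY_TO = re.compile(r"^$")

def classify_to_header(raw_message: str) -> str:
    """Classify the friendly 'To:' header of a raw message (hypothetical helper,
    not an ESA API). Returns 'empty' (header present, no value: the spam sample
    in this thread), 'missing' (no To header; the thread does not say how the
    ESA treats this case) or 'present' (header has a value)."""
    msg = message_from_string(raw_message)   # compat32: header values are plain strings
    to_value = msg.get("To")
    if to_value is None:
        return "missing"
    return "empty" if EMPTY_TO.search(to_value) else "present"

def would_quarantine(raw_message: str) -> bool:
    """Mirror the filter's decision: quarantine only when To: is empty."""
    return classify_to_header(raw_message) == "empty"

# Constructed sample mirroring the spam example posted in this thread.
SPAM_SAMPLE = """From: test@domain.com
To:
Date: 03/09/2016 11:00 AM
Subject: Payment

Cisco test
"""

# Constructed sample: legitimate mail addressed only via Cc. The empty-To rule
# quarantines it too, which is the CC/BCC side effect the first answer warns about.
CC_ONLY_SAMPLE = """From: alice@example.com
To:
Cc: bob@example.com
Subject: Meeting notes

Notes attached.
"""

# Constructed sample: a populated To header, which the filter leaves alone.
NORMAL_SAMPLE = """From: alice@example.com
To: bob@example.com
Subject: Meeting notes

Notes attached.
"""
```

Running the three samples side by side is a quick way to see which legitimate traffic an empty-To rule would catch before enabling it on a production listener.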
6 Replies

Thanks Dennis,

You're very welcome !

Obviously as you can see there's typically more than one way to accomplish things on the ESA.

Be sure to keep in mind that message filters impact both inbound and outbound traffic, so you may want to include other conditions like I mentioned with the content filter.

(IE: Sender Group and Listener matching)

Thanks!

-Dennis M.

Thanks Juan, I will try the above and update the status; I will also report this email to the Cisco AntiSpam Team. Thank you,

-Vishnu

You're more than welcome, Vishnu

Kind regards,

-Juan C