Beginner

Block Emails with Blank TO Section

Hi All,

We are receiving spam emails with a blank TO address. Is there any way we can quarantine those mails in Cisco ESA?

Eg:

From : test@domain.com

To:

Date : 03/09/2016 11:00 AM

Subject : Payment

Thank you,

Vishnu

2 ACCEPTED SOLUTIONS

6 REPLIES
Cisco Employee

Hello Vishnu,

I'm assuming you're referring to the blank friendly 'To:' field that is visible in the mail client (i.e. Outlook) and not the actual 'Rcpt To:' field, correct?

This can be accomplished via a Content Filter to look for the following condition: Other Header --> name 'To' --> Does not contain --> '.'

Keep in mind this may also impact CC/BCC type emails, so you may wish to test before pushing to a production environment. You could also add further conditions to narrow down the scope if need be.

Then of course, all you need to do is add the needed actions (i.e. Quarantine / Log entry / etc.).

Thanks!

-Dennis M.

Beginner

Thanks Denis, 

Cisco Employee

You're very welcome !

Obviously as you can see there's typically more than one way to accomplish things on the ESA.

Be sure to keep in mind that message filters impact both inbound and outbound traffic, so you may want to include other conditions like I mentioned with the content filter.

(i.e. Sender Group and Listener matching)

Thanks!

-Dennis M.

Cisco Employee

Hi, Vishnu

In order to block emails with the 'To' header empty, you can implement the following message filter. It will look for any email in which the 'To' header value was not entered. 

====================

To_Header_Empty:
if (header("to") == "^$") {
    quarantine("Policy");
}

====================

I ran a test with the above filter in place, and it worked as expected:

====================

250 mail.labesa.com
mail from: test@cisco.com
250 sender <test@cisco.com> ok
rcpt to: jramondi@cisco.com
250 recipient <jramondi@cisco.com> ok
data
354 go ahead
From: test@domain.com
To:
Date: 03/09/2016 11:00 AM
Subject : Payment

Cisco test

====================

====================

Sun Sep  4 14:41:03 2016 Info: Start MID 96234 ICID 279178
Sun Sep  4 14:41:03 2016 Info: MID 96234 ICID 279178 From: <test@cisco.com>
Sun Sep  4 14:41:07 2016 Info: MID 96234 ICID 279178 RID 0 To: <jramondi@cisco.com>
Sun Sep  4 14:41:16 2016 Info: MID 96234 Message-ID '<9ef2aa$2tva@mail.coesa.com>'
Sun Sep  4 14:41:16 2016 Info: MID 96234 ready 206 bytes from <test@cisco.com>
Sun Sep  4 14:41:16 2016 Info: MID 96234 matched all recipients for per-recipient policy DEFAULT in the outbound table
Sun Sep  4 14:41:16 2016 Info: MID 96234 DLP no violation
Sun Sep  4 14:41:16 2016 Info: MID 96234 quarantined to "Policy" (message filter:To_Header_Empty)
Sun Sep  4 14:41:16 2016 Info: Message finished MID 96234 done

====================

I also tested the filter with emails that did contain a 'To' header specified, and they were successfully delivered.

In addition, I strongly recommend that you report these emails to our AntiSpam team, so we can adjust the rules on our AS engine in order to stop these threats in the future. I have attached a document explaining this procedure.

Regards,

Juan C

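An added example, not code from this thread or from Cisco: a small Python model of the To_Header_Empty condition in Juan's filter, run over constructed messages so that Dennis's CC/BCC caveat is visible alongside the basic check. It assumes an absent 'To' header counts the same as a blank one (the thread only tests a present-but-blank header), and the extra Cc condition is a hypothetical illustration of narrowing the scope, not a setting from the ESA.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (RFC 5322 header section plus body). Only the
# message headers are examined; the SMTP envelope 'RCPT TO' that Dennis
# distinguishes from the friendly 'To:' field is not part of this check.
SAMPLES = {
    "empty_to": "From: test@domain.com\r\nTo:\r\nSubject: Payment\r\n\r\nbody\r\n",
    "no_to": "From: test@domain.com\r\nSubject: Payment\r\n\r\nbody\r\n",
    "normal": "From: test@domain.com\r\nTo: user@example.com\r\n"
              "Subject: Payment\r\n\r\nbody\r\n",
    # Bcc-style legitimate mail: To is blank but Cc carries a recipient.
    "cc_only": "From: test@domain.com\r\nTo:\r\nCc: user@example.com\r\n"
               "Subject: Payment\r\n\r\nbody\r\n",
}

# The filter's condition header("to") == "^$" is a regex match of the header
# value against the empty string; the same pattern is used here.
EMPTY = re.compile(r"^$")

def header_value(msg: Message, name: str) -> str:
    """Header value with surrounding whitespace removed; '' when absent.
    Assumption: an absent To header is treated like a blank one."""
    value = msg.get(name)
    return "" if value is None else value.strip()

def to_header_empty(raw: str) -> bool:
    """Model of the thread's To_Header_Empty condition."""
    msg = message_from_string(raw)
    return EMPTY.match(header_value(msg, "To")) is not None

def narrowed_condition(raw: str) -> bool:
    """One extra condition of the kind Dennis suggests (hypothetical):
    flag only when To is blank AND no Cc header is present."""
    msg = message_from_string(raw)
    return to_header_empty(raw) and header_value(msg, "Cc") == ""

def classify(raw: str, narrow: bool = False) -> str:
    """Action the filter would take on this message."""
    hit = narrowed_condition(raw) if narrow else to_header_empty(raw)
    return 'quarantine("Policy")' if hit else "deliver"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} basic={classify(raw):21s} narrowed={classify(raw, True)}")
```

The basic check quarantines the cc_only sample too, which is the false-positive case Dennis warns about; the narrowed variant lets it through.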
Beginner

Thanks Juan, will try the above and update the status. I will also report this email to the Cisco AntiSpam Team. Thank you,

-Vishnu

Cisco Employee

You're more than welcome, Vishnu

Kind regards,

-Juan C