09-04-2016 12:21 PM
Hi All,
We are receiving spam emails with a blank To address. Is there any way we can quarantine those mails in Cisco ESA?
Eg:
From: test@domain.com
To:
Date: 03/09/2016 11:00 AM
Subject: Payment
Thank you,
Vishnu
09-04-2016 12:54 PM
Hello Vishnu,
I'm assuming you're referring to the blank friendly 'To:' field that is visible in the mail client (i.e. Outlook) and not the actual 'Rcpt To:' field, correct?
This can be accomplished via a Content Filter to look for the following condition: Other Header --> name 'To' --> Does not contain --> '.'
Keep in mind this may also impact CC/BCC type emails, so you may wish to test before pushing to a production environment. You could also add further conditions to narrow down the scope if need be.
Then of course, all you need to do is add the needed actions (i.e. Quarantine / Log entry / etc.).
Thanks!
-Dennis M.
09-04-2016 12:55 PM
Hi Vishnu,
In order to block emails with the 'To' header empty, you can implement the following message filter. It will look for any email in which the 'To' header value was not entered.
====================
To_Header_Empty:
if (header("to") == "^$") {
    quarantine("Policy");
}
====================
I ran a test with the above filter in place, and it worked as expected:
====================
250 mail.labesa.com
mail from: test@cisco.com
250 sender <test@cisco.com> ok
rcpt to: jramondi@cisco.com
250 recipient <jramondi@cisco.com> ok
data
354 go ahead
From: test@domain.com
To:
Date: 03/09/2016 11:00 AM
Subject : Payment
Cisco test
====================
====================
Sun Sep 4 14:41:03 2016 Info: Start MID 96234 ICID 279178
Sun Sep 4 14:41:03 2016 Info: MID 96234 ICID 279178 From: <test@cisco.com>
Sun Sep 4 14:41:07 2016 Info: MID 96234 ICID 279178 RID 0 To: <jramondi@cisco.com>
Sun Sep 4 14:41:16 2016 Info: MID 96234 Message-ID '<9ef2aa$2tva@mail.coesa.com>'
Sun Sep 4 14:41:16 2016 Info: MID 96234 ready 206 bytes from <test@cisco.com>
Sun Sep 4 14:41:16 2016 Info: MID 96234 matched all recipients for per-recipient policy DEFAULT in the outbound table
Sun Sep 4 14:41:16 2016 Info: MID 96234 DLP no violation
Sun Sep 4 14:41:16 2016 Info: MID 96234 quarantined to "Policy" (message filter:To_Header_Empty)
Sun Sep 4 14:41:16 2016 Info: Message finished MID 96234 done
====================
I also tested the filter with emails that did contain a 'To' header specified, and they were successfully delivered.
In addition, I strongly recommend that you report these emails to our AntiSpam team, so we can adjust the rules on our AS engine in order to stop these threats in the future. I have attached a document explaining this procedure.
Regards,
Juan C
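A Python model of the two answers above, added here as an illustration (it is not the thread's or Cisco's code): it applies the same `^$` test to the To header of constructed sample messages, tells a blank To apart from a missing one and from a Cc-only mailing, and applies Dennis's inbound-only narrowing using an assumed local domain of example.com. It does not reproduce exactly how AsyncOS evaluates an absent header; the whitespace trimming is also this model's choice.

```python
import re
from email import message_from_string

# Same pattern the thread's message filter applies to the To header value.
EMPTY_TO = re.compile(r"^$")
# Constructed: the domain this gateway accepts mail for. Stands in for the
# listener / sender-group narrowing Dennis suggests; envelope recipients
# outside it are treated as outbound and left alone.
LOCAL_DOMAIN = "example.com"


def classify_to_header(raw_message: str) -> str:
    """Describe the To header of an RFC 5322 message as one of
    'missing', 'empty', 'empty-cc-only' or 'present'."""
    msg = message_from_string(raw_message)
    value = msg.get("To")
    if value is None:
        return "missing"  # header line absent entirely
    if EMPTY_TO.match(value.strip()):
        # Dennis's caveat: a Cc-only mailing also arrives with a blank To.
        # A Bcc-only mailing looks identical to the spam at the header level
        # (Bcc is stripped in transit), which is why extra conditions help.
        return "empty-cc-only" if msg.get("Cc") else "empty"
    return "present"


def decide(envelope_rcpts: list[str], raw_message: str) -> str:
    """Emulate the quarantine decision: a blank To on inbound mail goes to the
    Policy quarantine; Cc-only mail and outbound mail are delivered."""
    inbound = all(r.lower().endswith("@" + LOCAL_DOMAIN) for r in envelope_rcpts)
    if inbound and classify_to_header(raw_message) == "empty":
        return "quarantine:Policy"
    return "deliver"


# Constructed samples modelled on the thread's test message.
SPAM = ("From: test@domain.com\r\nTo:\r\nDate: 03/09/2016 11:00 AM\r\n"
        "Subject: Payment\r\n\r\nbody\r\n")
NORMAL = "From: a@domain.com\r\nTo: user@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
CC_ONLY = "From: a@domain.com\r\nTo:\r\nCc: user@example.com\r\nSubject: hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for name, raw in [("spam", SPAM), ("normal", NORMAL), ("cc-only", CC_ONLY)]:
        print(name, classify_to_header(raw), decide(["user@example.com"], raw))
```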
09-04-2016 02:16 PM
Thanks Dennis,
09-04-2016 02:38 PM
You're very welcome!
Obviously as you can see there's typically more than one way to accomplish things on the ESA.
Be sure to keep in mind that message filters impact both inbound and outbound traffic, so you may want to include other conditions like I mentioned with the content filter.
(i.e. Sender Group and Listener matching)
Thanks!
-Dennis M.
09-04-2016 02:15 PM
Thanks Juan. I will try the above and update the status; I will also report this email to the Cisco AntiSpam Team. Thank you,
-Vishnu
09-04-2016 02:23 PM
You're more than welcome, Vishnu.
Kind regards,
-Juan C