
block message with "reply-to" field different from "from" field

acleri
Level 1

Is it possible to use a content filter script to block a mail that has a "reply-to" field different from the "from" field?

thanks.

8 Replies

Hello, Acleri.

I bet this is because you're likely facing a spoofing issue.

The ESA does not have any capability to compare headers (for example: reply-to or from headers), nevertheless, there is already an enhancement request we have placed in order to add it in future releases. It is not yet customer visible.

On the other hand, the ESA does have features that allow you to act on the headers of a message (including the "From" header). The most common way to implement this is through message filters. Message filters can be used to write very specific rules that check on virtually any aspect of a message and take action on it. For example, you could apply the following logic:

If a message comes from outside of my email environment, and it contains our internal domain in the "From" header, send it to the quarantine.

A common approach in these cases is to create a filter that checks both the "From" header of the message AND the listener the message was received on.

So, if your incoming and outgoing traffic is segregated at the listener level (i.e. these two traffics do not use the same listener), and you receive a message with a "From" address of your internal domain, but you also detect that it was injected on the "Incoming" traffic listener, you would know it is most probably a spoof attempt.

It is extremely important to verify that you don't have external servers (application servers, for example) that should be allowed to spoof your internal domain, or you would have to create exceptions for them.

If your traffic is not properly segregated, you will have to rely on other conditions, like the IP the message comes from, or the sendergroup it hit (remember that all your outgoing traffic should hit a different sendergroup than your incoming traffic). An example of this filter can be found at the following article, which I advise you to review closely and keep at hand:

ESA Spoofed Mail Filtering

I hope that helps. 

Jean Orozco

Cisco TAC

Hello,
In addition to the great information that Jean Carlos has provided, we also have Forged Email Detection coming out in our AsyncOS 10.x release to further assist with this issue.
More details on that here: http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa10-0/ESA_10-0_User_Guide.pdf#page=571

Aside from that, the current best prevention method we have would be to create a Message Filter, similar to the following:

(If the Sender Group does not equal the 'RELAYLIST' and the 'From' header or 'Mail-From' equals my domain, then log an entry in mail logs and message tracking, and then quarantine the email)

+++

SpoofExample:
if (sendergroup != "RELAYLIST") AND ((header("From") == 'example.com') OR (mail-from == 'example.com'))
{
log-entry ("**********Spoof Message**********");
quarantine("Policy");
}


+++

Thanks
-Dennis M.
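The SpoofExample filter above, re-expressed as an added Python example so the decision logic can be tested outside the ESA. This is not Cisco's code and not part of the thread; it assumes a message is handed over as the sender group it matched, its envelope MAIL FROM, its From header and its source IP, and it adds the exception list Jean's reply says is needed for external application servers that legitimately send as the internal domain. The domains, sender groups, IPs and messages are all constructed. Unlike the filter's string match on 'example.com', it compares the address domain exactly, so look-alike domains do not match.

```python
# Added example (not from the thread or Cisco): the SpoofExample filter
# logic in Python, with exact-domain comparison and an exception list.
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}       # assumption: the protected domain(s)
OUTBOUND_SENDERGROUP = "RELAYLIST"       # the sender group our own relays hit
# Exception list for external servers allowed to send as our domain
# (constructed; Jean's reply recommends maintaining such exceptions).
ALLOWED_EXTERNAL_SENDERS = {"203.0.113.10"}


def address_domain(value: str) -> str:
    """Return the lower-cased domain of an address or From-header value."""
    _, addr = parseaddr(value)
    return addr.rpartition("@")[2].lower()


def is_internal(value: str) -> bool:
    # Exact comparison: "notexample.com" and "example.com.attacker.test"
    # must not count as the internal domain.
    return address_domain(value) in INTERNAL_DOMAINS


def evaluate(sendergroup: str, mail_from: str, from_header: str, source_ip: str) -> str:
    """Return 'quarantine' or 'deliver' following the SpoofExample rule."""
    if sendergroup == OUTBOUND_SENDERGROUP:
        return "deliver"                  # our own relays may use our domain
    if source_ip in ALLOWED_EXTERNAL_SENDERS:
        return "deliver"                  # documented external exception
    if is_internal(from_header) or is_internal(mail_from):
        return "quarantine"               # our domain arriving from outside
    return "deliver"


MESSAGES = [  # constructed test cases
    dict(sendergroup="RELAYLIST", mail_from="ceo@example.com",
         from_header="CEO <ceo@example.com>", source_ip="10.0.0.5"),
    dict(sendergroup="UNKNOWNLIST", mail_from="bounce@mailer.test",
         from_header='"CEO" <ceo@example.com>', source_ip="198.51.100.7"),
    dict(sendergroup="UNKNOWNLIST", mail_from="news@notexample.com",
         from_header="news@notexample.com", source_ip="198.51.100.8"),
    dict(sendergroup="UNKNOWNLIST", mail_from="alerts@example.com",
         from_header="alerts@example.com", source_ip="203.0.113.10"),
]


def run() -> list:
    """Evaluate every constructed message and return the verdicts in order."""
    return [evaluate(**m) for m in MESSAGES]


if __name__ == "__main__":
    for m, verdict in zip(MESSAGES, run()):
        print(f"{verdict:10} {m['sendergroup']:12} {m['from_header']}")
```

The second message is the classic case: an external sender group, an unrelated envelope sender, and a display-name plus internal address in From. The fourth is delivered only because its source IP is on the exception list, which is why that list needs to be kept short and reviewed.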

Hi there !

Is there any method for comparing 'mail-from' to the 'From' header using Message Filters on incoming mail?

like this: if (mail-from != header("From")) { drop(); }

To prevent some incoming phishing spam.

Thanks

-gh.

Hi

As mentioned above, comparison of headers is not possible.

There is an internal feature request for this; however, there is no ETA on it.

You would need to use sample filters mentioned above to stop spoofing attempts.

Also attaching a document for forged email detection which you can review.

Thanks

Libin

Hi,

Is there any update on this with the latest AsyncOS?

 

Thanks!

If you are referring to the ability to compare two header values, it is still not available.

 

- Libin V


@Libin Varghese wrote:

If you are referring to the ability to compare two header values, it is still not available.

 

- Libin V


I'm wondering, is there any progress 18 months later?

DMARC alignment checks do help confirm whether the envelope sender is different from the From header.

 

As for the filter enhancement itself, there have been no changes; you can continue tracking it under the link below and reach out to your accounts team to further prioritise it.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb97836/?reffering_site=dumpcr

 

Regards,

Libin
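The two comparisons this thread asks for, Reply-To against From and envelope mail-from against From (the identifier alignment the DMARC remark above refers to), written as an added Python example run outside the ESA, since the replies say the appliance cannot compare two headers itself. This is not Cisco's code or part of the thread. The sample message and envelope senders are constructed, and `org_domain` is a deliberate simplification (last two labels) of the organizational-domain lookup that real DMARC relaxed alignment does against the public suffix list.

```python
# Added example (not from the thread or Cisco): Reply-To vs From and
# envelope-sender vs From alignment, evaluated over a raw message.
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional


def domain_of(value: Optional[str]) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    if not value:
        return ""
    return parseaddr(str(value))[1].rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    # Simplification (assumption): the last two labels stand in for the
    # organizational domain. Real DMARC relaxed alignment uses the public
    # suffix list, so a domain like "mail.example.co.uk" needs that list.
    return ".".join(domain.split(".")[-2:]) if domain else ""


def check_headers(raw: str, mail_from: str) -> dict:
    """Compare Reply-To with From, and the envelope sender with From."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    env_dom = domain_of(mail_from)
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        # Only a mismatch counts; a missing Reply-To means replies go to From.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        # DMARC-style SPF identifier alignment, strict and relaxed.
        "spf_aligned_strict": env_dom == from_dom,
        "spf_aligned_relaxed": org_domain(env_dom) == org_domain(from_dom),
    }


def reasons(findings: dict) -> list:
    """Human-readable reasons a message deserves closer review."""
    out = []
    if findings["reply_to_mismatch"]:
        out.append("Reply-To domain differs from From domain")
    if not findings["spf_aligned_relaxed"]:
        out.append("envelope sender not aligned with From domain")
    return out


# Constructed sample: internal-looking From, replies diverted elsewhere.
SAMPLE = """\
From: "Payroll" <payroll@example.com>
Reply-To: payroll-update@mail-login.test
To: staff@example.com
Subject: Updated direct deposit form

Please review the attached form.
"""

if __name__ == "__main__":
    for envelope in ("bounce@bulk.mailer.test", "bounce@mta.example.com"):
        f = check_headers(SAMPLE, envelope)
        print(envelope, "->", reasons(f) or ["no findings"])
```

With the first constructed envelope sender both comparisons fail; with the second, the envelope domain is a subdomain of the From domain, so relaxed alignment passes while strict alignment still fails, which is the distinction a DMARC policy's aspf tag controls.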
