08-24-2016 03:19 AM
Is it possible to use a content filter script to block a mail that has a "Reply-To" field different from the "From" field?
Thanks.
08-24-2016 06:23 AM
Hello, Acleri.
I bet this is because you're likely facing a spoofing issue.
The ESA does not have any capability to compare headers (for example: reply-to or from headers), nevertheless, there is already an enhancement request we have placed in order to add it in future releases. It is not yet customer visible.
On the other hand, the ESA does have features that allow you to act on the headers of a message (including the "From" header). The most common way to implement this is through message filters. Message filters can be used to write very specific rules that check on virtually any aspect of a message and take action on it. For example, you could apply the following logic:
If a message comes from outside of my email environment, and it contains our internal domain in the "From" header, send it to the quarantine.
A common approach in these cases is to create a filter that checks against the "From" header of the message AND the listener the message was received on.
So, if your incoming and outgoing traffic is segregated at the listener level (i.e., the two traffic flows do not use the same listener), and you receive a message with a "From" address of your internal domain, but you also detect that it was injected on the "Incoming" traffic listener, you would know it is most probably a spoof attempt.
It is extremely important to verify that you don't have external servers (application servers, for example) that should be allowed to spoof your internal domain, or you would have to create exceptions for them.
If your traffic is not properly segregated, you will have to rely on other conditions, like the IP the message comes from, or the sendergroup it hit (remember that all your outgoing traffic should hit a different sendergroup than your incoming traffic). An example of this filter can be found at the following article, which I advise you to review closely and keep at hand:
I hope that helps.
Jean Orozco
Cisco TAC
08-24-2016 10:14 AM
Aside from that, the current best prevention method we have would be to create a Message Filter similar to the following:
(If the Sender Group does not equal the 'RELAYLIST' and the 'From' header or 'Mail-From' equals my domain, then log an entry in mail logs and message tracking, and then quarantine the email)
+++
SpoofExample:
if (sendergroup != "RELAYLIST") AND ((header("From") == 'example.com') OR (mail-from == 'example.com'))
{
log-entry ("**********Spoof Message**********");
quarantine("Policy");
}
.
+++
09-23-2016 05:20 AM
Hi there !
Is there any method for comparing 'mail-from' to the 'From' header using Message Filters on incoming mail?
Like this: if (mail-from != header("From")) { drop(); }
To prevent some incoming phishing spam.
Thanks
-gh.
09-23-2016 07:50 AM
Hi
As mentioned above, comparison of headers is not possible.
There is an internal feature request for the same, however there is no ETA on the same.
You would need to use sample filters mentioned above to stop spoofing attempts.
Also attaching a document for forged email detection which you can review.
Thanks
Libin
12-20-2017 08:05 AM
Hi,
Is there any update on this with the latest AsyncOS?
Thanks!
12-20-2017 09:20 AM
If you are referring to the ability to compare two header values, it is still not available.
- Libin V
06-26-2019 06:48 AM - edited 06-26-2019 06:56 AM
@Libin Varghese wrote: If you are referring to the ability to compare two header values, it is still not available.
- Libin V
I'm wondering, is there any progress 18 months later?
09-24-2019 06:12 PM
DMARC alignment checks do help confirm if the envelope sender is different from the From header.
As for the filter enhancement itself, there have been no changes; you can continue tracking it under the link and reach out to your accounts team to further prioritise it.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb97836/?reffering_site=dumpcr
Regards,
Libin
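The comparison the thread asks for, as an added example that is not Cisco's code or ESA filter syntax: a standalone Python check, of the kind that would have to run outside the ESA (in a milter or a post-delivery scan), that compares the From: domain against Reply-To: and the envelope MAIL FROM using relaxed DMARC-style alignment. The OUR_DOMAINS set and the sample message are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical: domains this organisation owns (the "my domain" of the filter above).
OUR_DOMAINS = {"example.com"}


def domain_of(addr: str) -> str:
    """Lowercase domain part of a header or envelope address ('' if absent)."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Crude organisational domain (last two labels) for relaxed alignment.
    A production check would use the Public Suffix List instead."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def aligned(a: str, b: str) -> bool:
    """DMARC-style relaxed alignment: both present and same organisational domain."""
    return bool(a) and bool(b) and org_domain(a) == org_domain(b)


def check_message(raw: bytes, envelope_from: str) -> dict:
    """Compare From: against Reply-To: and the envelope MAIL FROM for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    mfrom_dom = domain_of(envelope_from)
    return {
        "from_domain": from_dom,
        # Reply-To: present but pointing at another organisation
        "reply_to_mismatch": bool(reply_dom) and not aligned(from_dom, reply_dom),
        # envelope sender (mail-from) not aligned with From: (SPF alignment in DMARC)
        "mail_from_mismatch": not aligned(from_dom, mfrom_dom),
        # From: claims one of our domains, the condition the SpoofExample filter keys on
        "claims_our_domain": from_dom in OUR_DOMAINS,
    }


# Constructed sample: From: claims our domain, Reply-To: goes elsewhere.
SAMPLE = b"""From: CEO <ceo@example.com>
Reply-To: ceo@mail-example.net
To: finance@example.com
Subject: urgent wire

Please pay today.
"""
```

Calling check_message(SAMPLE, "bounce@evil-sender.test") flags all three conditions; a legitimate mail with an aligned bounce address such as "ceo@bounce.example.com" passes the mail-from check.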