Beginner

Block messages whose from addresses look almost the same as my domain

Hi,

I am facing the problem of receiving fake emails whose from address looks almost the same as my domain.

For example, let's say my domain is test.com. Lately I have received faked emails destined for valid users of my domain, with senders from domains that differ by one or two letters from my domain, making the user believe he is receiving mail from inside the domain and reply back. Here are some examples:

from: validuser1@testt.com
to: validuser2@test.com

from: validuser1@test2.com
to: validuser2@test.com

from: validuser1@ttest.com
to: validuser2@test.com

Is there any solution based on message filters (plus regular expressions) that will quarantine emails whose sender domain looks almost the same as a given domain?

Thx,

Ardi

Cisco Employee

Could you not just add the faux domains to your blacklist?

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118219-configure-esa-00.html

If not - using a message filter - you could do something similar to this:

quarantine_not_my_domain:
if (mail-from == "(?i)@(test)\\.com$") {
    skip-filters();
} else {
    if (mail-from == "(?i)@(testt|test2|ttest)\\.com$") {
        quarantine('Policy');
    }
}

-Robert

Beginner

Hi Robert,

Thx for the reply.

Yes, the blacklist is an option, but it has to be done for every domain.

Your script works for only some combinations. I did a little research on regular expressions and made this message filter:

quarantine_obfuscations_to_test:
if mail-from != "(?i)@test\\.com$" {
    if mail-from == "(?i)@*test+\\.*$" {
        duplicate-quarantine("Policy");
        drop();
    }
}

So every combination that might trick a user into replying to a legit email will be blocked:

user1@testtt.com
user2@2test.com
user3@test.gov

Cisco Employee

Good. We were on the same page with the filter layout. For me, I just wanted to make sure that the domains would be detected as needed. But, as stated, with the regex, it grabs full domains aside from your own domain.

-Robert

Beginner

Yes, and the script might quarantine valid domains also. Maybe I should narrow the filter to fewer domains.
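As an added worked example (not code from this thread, nor from Cisco), the two filters posted above can be compared outside the appliance by feeding their regexes to Python's re module and running sample senders through them. It assumes Python's regex semantics stand in for the ESA engine's and that the filter's "\\." reaches the engine as "\." (both are assumptions). It also goes beyond the thread's regexes with a non-regex lookalike check (edit distance plus label padding) to show the trade-off the last two replies are discussing. The sample senders are constructed, apart from the addresses quoted in the thread.

```python
import re

# Constructed sample envelope senders: the first seven are the addresses quoted in the
# thread, the rest are made up to probe over- and under-matching.
SAMPLES = [
    "validuser1@test.com",     # the protected domain itself
    "validuser1@testt.com",    # lookalikes from the thread
    "validuser1@test2.com",
    "validuser1@ttest.com",
    "user1@testtt.com",
    "user2@2test.com",
    "user3@test.gov",
    "partner@contest.org",     # legitimate domains that merely contain "test"
    "audit@attestation.com",
    "info@best.com",           # one edit away from "test": shows the false-positive cost
    "sales@example.com",
]

# The thread's regexes as Python's re sees them (the filter's "\\." reaches the engine as "\.").
OWN_DOMAIN_RE = re.compile(r"(?i)@test\.com$")
ENUMERATED_RE = re.compile(r"(?i)@(testt|test2|ttest)\.com$")
ANCHORED_RE = re.compile(r"(?i)@*test+\.*$")   # second filter, exactly as posted
UNANCHORED_RE = re.compile(r"(?i)@*test+\.*")  # same pattern without the trailing "$"


def robert_filter(sender: str) -> str:
    """First reply's layout: own domain skips filtering, enumerated lookalikes are quarantined."""
    if OWN_DOMAIN_RE.search(sender):
        return "skip"
    if ENUMERATED_RE.search(sender):
        return "quarantine"
    return "deliver"


def ardi_filter(sender: str, anchored: bool = True) -> str:
    """Second filter's layout: not the own domain and matches the pattern -> quarantined."""
    pattern = ANCHORED_RE if anchored else UNANCHORED_RE
    if not OWN_DOMAIN_RE.search(sender) and pattern.search(sender):
        return "quarantine"
    return "deliver"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_filter(sender: str, own_domain: str = "test.com", max_distance: int = 1) -> str:
    """Non-regex alternative (added here, hypothetical, not from the thread): flag a sender
    domain whose second-level label is within max_distance edits of the protected label, or
    is the protected label padded by at most two characters. Assumes a single-label suffix."""
    domain = sender.rsplit("@", 1)[1].lower()
    if domain == own_domain:
        return "skip"
    own_label = own_domain.split(".")[0]
    label = domain.split(".")[0]
    near = levenshtein(label, own_label) <= max_distance
    padded = own_label in label and len(label) <= len(own_label) + 2
    return "quarantine" if near or padded else "deliver"


def verdicts(filter_fn, senders=SAMPLES, **kwargs) -> dict:
    """Run one filter over the samples and return sender -> verdict."""
    return {s: filter_fn(s, **kwargs) for s in senders}


if __name__ == "__main__":
    columns = {
        "enumerated": verdicts(robert_filter),
        "anchored $": verdicts(ardi_filter),
        "unanchored": verdicts(ardi_filter, anchored=False),
        "lookalike": verdicts(lookalike_filter),
    }
    print(f"{'sender':24}" + "".join(f"{name:>12}" for name in columns))
    for s in SAMPLES:
        print(f"{s:24}" + "".join(f"{col[s]:>12}" for col in columns.values()))
```

Running it shows four behaviours side by side. The enumerated filter catches exactly the three domains it lists and nothing else. The second filter as posted, because of the trailing "$", only matches an address that ends in "t" or ".", so under these regex semantics it matches none of the sample senders; with the "$" removed it matches every lookalike in the thread, but also contest.org and attestation.com, which is the "grabs full domains" problem both replies mention. The edit-distance check catches all six lookalikes without those two, but with a four-letter protected label it still flags best.com, so it belongs in a reviewable quarantine rather than a drop, with known partner domains allowlisted in front of it.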