
Block messages that have from addresses look quite the same as my domain

ardiii_890
Level 1

Hi,

I am facing the problem of receiving fake emails whose From address looks quite the same as my domain.

For example, let's say my domain is test.com. Lately I have received faked emails destined for valid users of my domain, having as senders users of domains that differ by one or two letters from my domain, making the user believe he is receiving mail from inside the domain and replying back. Here are some examples:

from: validuser1@testt.com
to: validuser2@test.com

from: validuser1@test2.com
to: validuser2@test.com

from: validuser1@ttest.com
to: validuser2@test.com

Is there any solution based on message filters (plus regular expressions) that will quarantine emails that look quite the same as a given domain?

Thx,

Ardi

1 Accepted Solution


4 Replies

Robert Sherwin
Cisco Employee

Could you not just add in the faux domains to your blacklist?  

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118219-configure-esa-00.html

If not, using a message filter, you could do something similar to this:

quarantine_not_my_domain:
if (mail-from == "(?i)@(test)\\.com$") {
    skip-filters();
}
else {
    if (mail-from == "(?i)@(testt|test2|ttest)\\.com$") {
        quarantine('Policy');
    }
}
.

-Robert

Hi Robert,

Thx for the reply.

Yes, a blacklist is an option, but it has to be done for every domain.

Your script works for only some combinations. I did a little research on regular expressions and made the message filter.

quarantine_obfuscations_to_test:
if (mail-from != "(?i)@test\\.com$") {
    if (mail-from == "(?i)@.*test.*\\..*$") {
        duplicate-quarantine("Policy");
        drop();
    }
}

So every combination that might trick a user into replying to a seemingly legitimate email will be blocked:
user1@testtt.com
user2@2test.com
user3@test.gov

Good.  We were on the same page with the filter layout.  For me, I just wanted to make sure that the domains would be detected as needed.  But, as stated, with the regex it grabs full domains aside from your own domain.

-Robert

Yes, and the script might quarantine valid domains also. Maybe I should narrow the filter to fewer domains.
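Both filters in this thread can be checked offline before they go onto the appliance. The Python script below is an added example, not code from the thread or from Cisco. It translates the first filter's two regexes into Python's `re` (the ESA filter language consumes one level of backslash escaping in its double-quoted strings, so `\\.` there is written `\.` in a Python raw string), models the second filter's stated intent as a "sender domain contains test" pattern (that pattern is my reading of the intent, not the posted filter text), and adds a bounded edit-distance comparison, which is the general form of "one or two letters differ from my domain" and goes beyond what the thread uses. The sample senders are constructed: the thread's own examples plus a few unrelated domains that merely contain the string "test". The domain names and helper names are illustrative assumptions.

```python
"""Added example: evaluate lookalike-domain rules offline against sample senders.

Not from the original thread. Models the two ESA message filters discussed there
with Python's re module, then adds a bounded edit-distance check.
"""
import re

PROTECTED_DOMAIN = "test.com"  # the domain from the thread's example

# First filter, translated. The ESA filter string "(?i)@(test)\\.com$" reaches
# the regex engine as (?i)@(test)\.com$ because the double-quoted filter string
# consumes one level of backslash escaping; a Python raw string needs only one.
OWN_DOMAIN_RE = re.compile(r"(?i)@(test)\.com$")
KNOWN_LOOKALIKES_RE = re.compile(r"(?i)@(testt|test2|ttest)\.com$")

# Second filter's stated intent: quarantine any other sender whose domain
# contains "test". This pattern is our reading of that intent (assumption).
CONTAINS_TEST_RE = re.compile(r"(?i)@.*test.*\..*$")


def explicit_list_verdict(sender: str) -> str:
    """Mirror of the first filter: skip own domain, quarantine listed lookalikes."""
    if OWN_DOMAIN_RE.search(sender):
        return "deliver"  # skip-filters()
    if KNOWN_LOOKALIKES_RE.search(sender):
        return "quarantine"  # quarantine('Policy')
    return "deliver"


def contains_test_verdict(sender: str) -> str:
    """Mirror of the second filter's intent: anything but test.com containing 'test'."""
    if OWN_DOMAIN_RE.search(sender):
        return "deliver"
    if CONTAINS_TEST_RE.search(sender):
        return "quarantine"  # duplicate-quarantine("Policy"); drop()
    return "deliver"


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(sender: str) -> str:
    """Domain part of an address, lower-cased (envelope addresses are case-insensitive in the domain)."""
    return sender.rsplit("@", 1)[-1].lower()


def edit_distance_verdict(sender: str, max_distance: int = 2) -> str:
    """Quarantine senders whose domain is within max_distance edits of ours, except ours."""
    domain = sender_domain(sender)
    if domain == PROTECTED_DOMAIN:
        return "deliver"
    if levenshtein(domain, PROTECTED_DOMAIN) <= max_distance:
        return "quarantine"
    return "deliver"


# Constructed sample envelope senders: the thread's examples plus unrelated
# domains that merely contain the string "test".
SAMPLE_SENDERS = [
    "validuser1@test.com",
    "validuser1@testt.com",
    "validuser1@test2.com",
    "validuser1@ttest.com",
    "user1@testtt.com",
    "user2@2test.com",
    "user3@test.gov",
    "news@contest.org",
    "qa@latest-builds.example",
    "sales@protest-signs.example",
]


def compare_rules(senders=SAMPLE_SENDERS) -> dict:
    """Return {sender: (explicit-list verdict, contains-test verdict, edit-distance verdict)}."""
    return {s: (explicit_list_verdict(s), contains_test_verdict(s), edit_distance_verdict(s))
            for s in senders}


if __name__ == "__main__":
    for sender, (explicit, contains, distance) in compare_rules().items():
        print(f"{sender:30} explicit={explicit:10} contains={contains:10} distance={distance}")
```

Running it shows the trade-off raised at the end of the thread: the explicit list misses testtt.com, 2test.com and test.gov; the substring rule catches every example but also quarantines contest.org and the other unrelated domains; a distance bound of 2 catches the same lookalikes and leaves those alone, though it will still fire on any short domain within two edits of test.com, so an allowlist of known partner domains belongs in front of either rule. One further caveat for the appliance: `mail-from` in an ESA message filter tests the envelope sender, whereas the address a user sees and replies to is the `From:` header, so a lookalike check on what the user sees would use a `header("From")` rule with the same regex.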
