cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
967
Views
0
Helpful
4
Replies

Block messages that have from addresses look quite the same as my domain

ardiii_890
Beginner
Beginner

Hi,

I am facing the problem of receiving fake emails that have from address look quite the same as my domain.

For example lets say my domain is test.com. Lately I have received faked email destined to valid users of my domain having as senders users of domains that change with one or two letters from my domain, making the user believing he is receiving mails from inside the domain and replying back. Here are some example:

 

from: validuser1@testt.com

to: validuser2@test.com

 

from: validuser1@test2.com

to: validuser2@test.com

 

from: validuser1@ttest.com

to: validuser2@test.com

 

Is there any solution based on message filters ( + regular expression) that will quarantine emails that look quite the same as a given domain?

Thx,

Ardi

1 Accepted Solution

Accepted Solutions

Good.  We were on the same page with the filter layout.  For me, I just wanted to aim and make sure that the domains would be detected as needed.  But - as stated, with the regex, it grabs full domains aside for your own domain.

-Robert

View solution in original post

4 Replies 4

Robert Sherwin
Cisco Employee
Cisco Employee

Could you not just add in the faux domains to your blacklist?  

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118219-configure-esa-00.html

If not - using a message filter - you could do something similar to this:

quarantine_not_my_domain:
if (mail-from == "(?i)@(test)\\.com$"){
skip-filters();
}
else {
if (mail-from == "(?i)@(testt|test2|ttest)\\.com$"){
quarantine('Policy');
}}
.

-Robert

Hi Roberts,

Thx for the reply.

Yes blacklist is an option but has to be done for every domain.

Your script works for only some combinations. I did a little research on regular expression and made the message filter.

quarantine_obfuscations_to_test:

if mail-from != "(?i)@test\\.com$"
{
if mail-from == "(?i)@*test+\\.*$" {
duplicate-quarantine("Policy");
drop();
}}
 
So every combination that might trick user in replying to legit email will be blocked:
user1@testtt.com
user2@2test.com
user3@test.gov
 

 

Good.  We were on the same page with the filter layout.  For me, I just wanted to aim and make sure that the domains would be detected as needed.  But - as stated, with the regex, it grabs full domains aside for your own domain.

-Robert

Yes and script might quarantine valid domain also. Maybe i should narrow the filter to fewer domains.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: