
Block X-Header on Ironport

ccg-security
Level 1

Hi Cisco Support,

How can we configure a content filter using an X-header, and how can we find those headers? Is our configuration correct? (Please see the attached screenshot.) Can we be sure that this will block automatically?

Thank you and best regards!

3 Replies

Libin Varghese
Cisco Employee

Hi,

X-Originating-IP is a custom header and not one that the ESA adds by default, hence you would need to ensure you are inserting such a header manually somewhere.

A better alternative to this would be to use the content filter condition "Remote IP/Hostname" to filter based on the sender IP. (screenshot)

If you are looking to block the sending IP completely and not quarantine it then you could also add the IP to the HAT Blacklist.

Thanks
Libin Varghese

Hi Libin,

Thank you for the information. Based on our message tracking, the Remote IP is the Google public IP, and one of our cyber security team saw in the message header that it came from a different IP, so they used the Google public IP so that IronPort treats it as valid.

Is there a way we can filter using X-Header based on Content Filter?

Thank you and best regards!

Hi,

Yes, you can certainly filter based on the value of the SMTP headers present in the email.

You cannot, however, compare two headers to see if they have the same value.

The screenshot shared by you earlier should suffice for that.

- Libin
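
An added example, not part of the thread and not Cisco code: a Python sketch for checking offline, against a saved raw message, which X- headers it carries and whether its X-Originating-IP value falls in a network you intend to block. The sample message, the blocklist and all function names are assumptions; the "no-header" result covers the case raised above where no upstream system inserted the header, so a filter keyed on it would not match.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message using documentation IP ranges; not from the thread.
SAMPLE = """\
Received: from mail-out.example.net (mail-out.example.net [198.51.100.25])
\tby esa.example.com with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
X-Originating-IP: [203.0.113.45]
X-Mailer: ExampleMailer 1.0
From: sender@example.org
To: user@example.com
Subject: test

body
"""

# Hypothetical blocklist of originating networks (assumption for this example).
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]
# The value is often written in square brackets, so accept it with or without them.
IP_RE = re.compile(r"\[?\s*([0-9A-Fa-f:.]+)\s*\]?")

def x_headers(raw):
    """Return (name, value) for every X- header, in message order."""
    msg = message_from_string(raw)
    return [(k, v) for k, v in msg.items() if k.lower().startswith("x-")]

def originating_ips(raw):
    """Parse every X-Originating-IP value into an address, skipping junk."""
    ips = []
    for value in message_from_string(raw).get_all("X-Originating-IP", []):
        m = IP_RE.fullmatch(value.strip())
        if not m:
            continue
        try:
            ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
    return ips

def verdict(raw):
    """'no-header' if nothing usable is present, else 'block' or 'pass'."""
    ips = originating_ips(raw)
    if not ips:
        return "no-header"
    if any(ip in net for ip in ips for net in BLOCKED):
        return "block"
    return "pass"
```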