
Can I prepend [External] to subject line for incoming external emails?

keithsauer507
Level 5

We are looking for a way to easily identify emails from external sources coming into our organization for training our employees to handle these external emails with care.

Two examples that other financial institutions are using: in one, any email that did not originate from the organization gets [External] prepended in front of the existing subject line.

Another example is in the body of an email bold and italic text is applied at the top of the existing message "For information security purposes, this external email and any attachments or links should be opened with caution."

I believe we could do this today with our CodeTwo Exchange 2013 add on right on the Exchange server.  However I was tasked to see if the Ironport ESA could handle this since all email destined from or to the outside world must pass through this virtual appliance before entering / leaving the organization's Exchange server.

I did not see any action rules on incoming content filters to alter existing subject or body lines.  We'd prefer to do the subject line approach as it can be seen in Outlook without even opening the mail message, but we would be interested in the flexibility to do both.


keithsauer507
Level 5

Ok well I found how to do the subject in Exchange 2013 admin center.

Mail flow > rules > +

Apply this rule if = the sender is located... outside the organization

Do the following...

Prepend the subject... specify subject prefix [External]

Does that also tag mail from any system inside your organisation but external to the Exchange service? (Of course, that may be what you want to do if you can't trust your interior network...)

In any case, if you wanted to accomplish the same task at your mail gateway (as your IronPort is the gatekeeper of mail in and out of your organisation) then I think you have to use a message filter. There are a few things in the GUI that allow you to alter the subject, but they're for strictly limited applications such as the anti-virus engine. For general work you have to get dirty with the CLI:

 

Here's an example I fished out of section 6 of the user manual:

sbrs_filter:
if ((recv-inj == "listener_name" AND subject != "\\{Spam -?[0-9.]+\\}"))
{
    insert-header("X-SBRS", "$REPUTATION");
    if (reputation <= -2.0)
    {
        strip-header("Subject");
        insert-header("Subject", "$Subject \\{Spam $REPUTATION\\}");
    }
}
.

where listener_name presumes you have a dedicated inbound listener of that name and the elaborate subject condition is to avoid appending the same tag to a tagged message. Of course, if an attacker learns this of your configuration then there is one obvious way to game this particular rule...

Simpler variations are possible if you don't want to have to educate your recipients on how to interpret SBRS and the slipperiness of the None score.

If you don't have a dedicated inbound listener then the first part of the condition should instead focus on selecting mail not from your domain.

Hey Keith,

As provided by exMSW4319, you can edit the subject to prepend if required.

You can deploy the example filter depending on your listener setup

If one listener, then inbound and outbound traffic is differentiated by the Sendergroup.

So for all incoming (from external) emails;

Filtername_Example:
if (sendergroup != "RELAYLIST")
{
    edit-header-text("Subject", "(.*)", "[EXTERNAL]\\1");
}
.

If two listeners, one for inbound and one for outbound:

Filtername_Example:
if (recv-listener == "InboundMail")
{
    edit-header-text("Subject", "(.*)", "[EXTERNAL]\\1");
}
.

This will insert the header every time an email comes in, so if someone replies you may see a prepend on a prepend: [EXTERNAL][EXTERNAL]

So you may need to put another filter in front where if the subject line has the word [external] remove it, before you insert the new one.

Regards,

Matthew
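The duplicate-tag behaviour and the two fixes discussed in this thread (skip if already tagged, or strip then prepend), modelled in Python as an added example; it is not part of the original posts and is not ESA filter syntax. The function names and the sample subject are constructed for illustration.

```python
import re

TAG = "[EXTERNAL]"
# The tag in any letter case, plus trailing whitespace, anywhere in the subject.
TAG_RE = re.compile(r"\[external\]\s*", re.IGNORECASE)


def always_prepend(subject: str) -> str:
    """Model of the unguarded edit-header-text prepend."""
    return TAG + subject


def skip_if_tagged(subject: str) -> str:
    """Model of the guarded filter: prepend only when no tag is present."""
    if TAG_RE.search(subject):
        return subject
    return f"{TAG} {subject}"


def strip_then_prepend(subject: str) -> str:
    """Remove every existing tag, then add exactly one at the front."""
    cleaned = TAG_RE.sub("", subject)
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    return f"{TAG} {cleaned}" if cleaned else TAG


def simulate_thread(tagger, subject: str, rounds: int) -> str:
    """Constructed scenario: the message crosses the gateway inbound `rounds`
    times, and the external correspondent's client adds "RE: " to each reply."""
    current = tagger(subject)
    for _ in range(rounds - 1):
        current = tagger("RE: " + current)
    return current


if __name__ == "__main__":
    for fn in (always_prepend, skip_if_tagged, strip_then_prepend):
        result = simulate_thread(fn, "Quarterly invoice", 3)
        print(f"{fn.__name__:20} {result!r}")
```

Only the strip-then-prepend variant keeps a single tag in a fixed position at the start of the subject, where it stays visible in a message list.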

I know this is an old thread, but do you have an example of a message filter that I can apply "if the subject line has the word [external] remove it, before you insert the new "????

 

I'm able to append external to the subject line of each external email, but if someone replies or forwards from external, it keeps adding external in the subject line. In a normal conversation, the word external can be inserted multiple times.

EKFletcher
Level 1

We created a content filter this way:

 

External_Prepend:
if (subject != "\\[EXTERNAL\\]")
{
    edit-header-text("Subject", "(.*)", "[EXTERNAL] \\1");
    add-heading("Warning1_Message_Header");
}

 

If it already had the prepend in the subject it would not add it again. 

 

We also added some text at the top of the body of the message.

 

However, we have some cases where the body of the message is removed and only the prepended text is in the message.

 

Anyone see that happening?

 

Kevin

An email rewritten by a disclaimer can have issues depending on the encoding of the original email body.

 

Since the disclaimer has a different encoding to the email body, the exchange may fail to interpret that correctly and end up adding the email body as an attachment.

 

This is discussed in the below defect:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy49918/?reffering_site=dumpcr

 

A few customers have had luck using configuration of "localeconfig" as mentioned in the below article:

 

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118501-qa-esa-00.html

 

I've seen this happen mostly with encrypted emails where an unencrypted disclaimer is added to the encrypted email body. Modifying the subject would be a better option.

 

Regards,

Libin Varghese

tsilveruits
Level 1

Yes. You can do this with the ESA. We do it in our environment; using that exact tag. Incoming Content Filters will allow you to do this using the 'Add/Edit Header' option. Choose 'Subject' for the header and in the 'Prepend' section enter '[External] ' which will simply add the tag to the beginning of the subject. In the condition section, apply the filter to anything received on your external listener. You may want to do what we do and exempt emails that already contain an external tag in the subject; this will prevent duplicate tagging, which can get ugly on threads. And there are various ways to exempt tagging trusted senders through the content filters or mail policies. It really depends on how you want to handle incoming mail. Good luck!

Thanks. What condition should I use within content filter to exempt emails with this tag already?

In the conditions section, choose 'Subject Header' and select the 'Does Not Contain' option with '.*\[External\]' entered into the text field. Make sure your 'Apply rule' is set to 'Only if all conditions match' too. So, when an email is received on the external listener, and the subject does not contain '[External]' already, then complete the actions, which includes adding the tag. We also make use of X-headers, which you may or may not wish to do, as well. I hope this is helpful.

Awesome, this is exactly what I was looking for. You have been extremely helpful!!