Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1940
Views
15
Helpful
6
Replies

Cisco ESA billing@delivery-806738.info wildcard

Go to solution
ccna_security
Level 3
Level 3

ā€Ž07-04-2019 05:14 AM

 

hi. is there any way to configure esa to block such domains with wildcard?

I want to block only email coming from billing@delivery-806738.info (806738 is random number and frequently change)

esa didn't let me write down as billing@delivery-*.info   do you have any suggestions?

I crated dictionary and added billing@delivery-*.info inside it but I don't know whether it will work or not. I cant test it. please help me to solve this issue

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Paul Thomas Cyblue
Level 1
Level 1
In response to ccna_security

ā€Ž07-05-2019 07:35 AM

That's fine, off the top of my head I thought it didn't add the extra slash in the GUI, but it does on checking.
Plus I used the Trace command under System Administration to check that the Content filter matched.
You didn't need to escape the @

View solution in original post

6 Replies 6

Go to solution
Paul Thomas Cyblue
Level 1
Level 1

ā€Ž07-04-2019 11:15 AM - edited ā€Ž07-05-2019 07:31 AM

Not tested, but you could just replace the address in the rule with your personal email address to validate.

Dictionary
^(?i)billing@delivery-.*\.info$

CLI Message Filter
block_sender: if (mail-from == "^(?i)billing@delivery-.*\\.info$") {
drop();
}

Content Filter
Sender > Equals > (?i)billing@delivery-.*\.info
This will appear in list as ^(?i)billing@delivery-.*\\.info$

Go to solution
ccna_security
Level 3
Level 3
In response to Paul Thomas Cyblue

ā€Ž07-04-2019 12:37 PM

Thank you so much. I will test it tomorrow and will turn you back about the result. Please if possible could you send me a link that teach how i can use wildcard on different email 

0 Helpful

Go to solution
Paul Thomas Cyblue
Level 1
Level 1
In response to ccna_security

ā€Ž07-05-2019 01:30 AM

Use Regex101.com - below link contains your search and permutations
https://regex101.com/r/73c37m/3/

Note that \. ensures that the domain separator dot is treated as a dot.
Otherwise regex treats this as any character.
This can be important at times.

Note that there is a strange behavior where the CISCO ESA Message Filters created via SSH console require double escapes, whereas in the GUI (Content Filters / Dictionary) they do not.

Message Filter - ^(?i)billing@delivery-.*\\.info$

Go to solution
ccna_security
Level 3
Level 3
In response to Paul Thomas Cyblue

ā€Ž07-05-2019 02:06 AM

Your answers are so helpful. I really appreciate that.

I added to content filter->Equal-> .*\@delivery-.*\.info

But when I clicked ok is is shown as ^.*\\@delivery-.*\\.info$    Do you think this is normal behavior?

 

 

I tested with own gmail account. b.doyskiy@.*\.com esa blocked I mean worked as expected. Hope will block above email as well.

0 Helpful

Go to solution
Paul Thomas Cyblue
Level 1
Level 1
In response to ccna_security

ā€Ž07-05-2019 07:35 AM

That's fine, off the top of my head I thought it didn't add the extra slash in the GUI, but it does on checking.
Plus I used the Trace command under System Administration to check that the Content filter matched.
You didn't need to escape the @

Go to solution
ccna_security
Level 3
Level 3
In response to Paul Thomas Cyblue

ā€Ž07-06-2019 11:36 PM

Thank you Paul. I really appreciate your help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents