Cisco ESA Dummy@dummy.com

ccna_security · ‎06-30-2019

Hi. can anyone tell me what does this mean? I observed that dummy@dummy.com user clicked the link called ihavebadreputation.com but such user is not my domain. Someone has an idea what is this?

balaji.bandi · ‎07-01-2019

may be it come as spoofed email look at the header of the message, email might have come as spoofed with inside different email.

other option do you have your email server enabled spoofing ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ccna_security · ‎07-01-2019

(other option do you have your email server enabled spoofing ?) What you mean?

charella · ‎07-01-2019

Hello Ccns90, Please check and ensure your RAT (Recipient Access Table) has been configured. properly. It should only list your domains. The setting "All other recipients," should be configured to "Reject." Reject, prevents mail from an outside source, destined for an outside source, from passing through your ESA. also called an "Open Relay." > Mail Policies > Recipient Access Table (RAT) > All other recipients > Reject $ dig dummy.com mx +short 10 park-mx.above.com. Hope this is helpful, Chris

ccna_security · ‎07-01-2019

Dear Charella

RAT has been configured in our ESA. only domain is allowed, all other recipient are rejected. Do you have any other recommendation?

ppreenja · ‎08-08-2019

Hi Ccns,

I was able to check on your query here and found that the URL of "i-have-bad-reputation" is a test URL which is used for doing testing for the Web Interaction tracking configuration on ESA usually.

This URL is a test site that is used to test the reputation of a website that will trigger these but is not a malicious site. This testing usually involves using the email "dummy@dummy.com" and hence I can deduce from the screenshot shared that it might be due to similar tests performed in your network as well.

I hope that explains!

Regards,
Pratham