cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.2-020
Cloud Gateway Email Status Portal Support & Downloads docs.ces.cisco.com
Email and Web Manager: 14.1.0-239
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in: 1.1.0.136
Encryption Bug Search
Encryption Plug-in: 1.2.1.167
Cloud Mailbox Notification Service
Outlook Add-in(s): More info

1054
Views
0
Helpful
1
Replies
phips.mit.ph
Beginner

Cisco ESA Spoof Protection not working correctly

Hi all,

we set up Spoof Protection as described here: https://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-email-security/guide-c07-740417.pdf

 

Unfortunately a user received a message from himself.

From: firstname.lastname@domain.tld [mailto:firstname.lastname@domain.tld]

screenshot.png

This is the mail header:

Received: from exchange03.domain.tld (x.x.x.x.) by exchange02.domain.tld
 (10.220.1.102) with Microsoft SMTP Server (TLS) id 14.3.266.1; Thu, 13 Jun
 2019 06:42:07 +0200
Received: from ironport.domain.tld (x.x.x.x) by exchange03.domain.tld
 (10.220.1.103) with Microsoft SMTP Server (TLS) id 14.3.266.1; Thu, 13 Jun
 2019 06:42:06 +0200
X-Amp-File-Uploaded: False
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-Result: UNKNOWN
X-IronPort-AV: E=Sophos;i="5.63,366,1557180000"; 
   d="jpg'145?scan'145,208,217,145";a="3806876"
Subject: [SPAM] firstname.lastname
X-IPAS-Result: A0EX/gA6LQFdZBXtipmQeAqqPxiHL0wHCAEDAgKIF7t3jzeJbg
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0EX/gA6LQFdZBXtipmQeAqqPxiHL0w?=
 =?us-ascii?q?HCAEDAgKIF7t3jzeJbg?=
X-IronPort-Anti-Spam-Filtered: true
IronPort-PHdr: =?us-ascii?q?9a23=3AenvbohD1SAXwG16cDhYjUyQJPHJ1kqjoPgMT9p?=
 =?us-ascii?q?ssgq5PdaLmxZn5IUjD/qs13lrAXIHU4ugCkPfNqObrXmlTqY2ZviU6eYdXHw?=
 =?us-ascii?q?QAld1QmgUhBMCfDkiuMeX3bgQlG95GWAU5oTewNg5XAJ+kNWffqXCz8zMeXy?=
 =?us-ascii?q?7HG1Uqf7bNE5XJx4Sy3uG29JTJJR5VnyH7arR3fl26qgDYt89ehoUHSO551w?=
 =?us-ascii?q?DUo1NXfP5SyTk0exSYmFD+/o+88YVi/CJZp/86v5cdCuOjJPR+F+cHSm5/e2?=
 =?us-ascii?q?kurNXmrxzCUReC6h5+Gi0NnxxEDhKEpBD2U5Htszfr4+902S2UJ8rzHvg/XT?=
 =?us-ascii?q?Wv6bsuSQe90XpccWdioCeN0ZM21vsIxXDp7wZyyIPVfoyPYf93f6fSdMlcXn?=
 =?us-ascii?q?daRYBaUCkSZ+H0J4YJEecFOv5V6ofnoF5b5walGAiEG+T1zjMS2iGw1qp80f?=
 =?us-ascii?q?xrQmSklEQwWskDtnjZtoC/KbwPUMiqy7PMwW+fMbVd3nH/8MKbOgBkqvaKU7?=
 =?us-ascii?q?VqdMPXwkR6DBvLuVKWrZ22WlHdnvRIqWWQ6PBsEP6+k2Ny4R8kuSChn41/wp?=
 =?us-ascii?q?mMnI8ezUrIsDl00Jpgb8PtU1Z1OLvGWNNRr33IbtEsBJpkGTo0/n59kOFOuI?=
 =?us-ascii?q?bnLnFQktJ9l1iGM6fBK8/SvlriTLrDeG0lwis6IPTu3VDqthL8r4+0HsisjA?=
 =?us-ascii?q?QT83EDy4Oc8CxdkUSUsJTPS+MhrB78gnDWjFCVsLoaZxhzz/CTKoZ9kOdtzd?=
 =?us-ascii?q?xK7RWFR3Ou3h2x1vXzFA1s+/D0ub26OfO/+s7abtMozFm5aPpmm9TjU71laU?=
 =?us-ascii?q?5XAzndo73kkuS5rQqjHdAoxrU3ivWL6c2BY51H9+jjWVATisF5tV6+F2v0iY?=
 =?us-ascii?q?lD2yBbfRQfIkPB18+zZjSsaLj5Favt2gn31m43lracZeSnWtKXcDDCiOuzJO?=
 =?us-ascii?q?smrRcAmUxplo0Zv9UOVNRjaLryQhOj7YGDSEZlYkrun7ihUJInissfQT7dW/?=
 =?us-ascii?q?LCdvqP6hnWvKR3ZLPXLI4N5GSkdqNjvqO1yyFj3wFBOvP3uPlfIHGgQqY/fh?=
 =?us-ascii?q?7fOCe3xIlfVz9N5FR2TfS22gTfCngKOi30Af16vnZhVsqnFduRH9D1xufemn?=
 =?us-ascii?q?3jRdsOIToZbzLEWXbwK9feAq9KMnnIZJU6w3pcEuL9A445iUP07Va8kuA2aL?=
 =?us-ascii?q?OIvHVf786rwtFx46eKxEMCsAdsBsHY6FmjCmR9n2cGXTgzhf4tvktnzlvZjf?=
 =?us-ascii?q?Y+iPseF8QBvv4=3D?=
IronPort-SDR: jOsfPEwQtLz8iBcH6oeX/kmebMBcosYA7Uf8266J7rX0CCmf3QzB9GhFtHVLycZCVVx4KzbhCR
 MkzGaCmJKeji4HD+BvqtT0qZVNYiOr+I5ucEW9kmSAzyjF1KtDWc7eal8Qn5QSki4c0jymYg3k
 maKxlvIN8gKAhoUAVWXXVzNodqnV3xWRnfMKFUNRWowbjI++T2vX3sj/5AbuSbZ72hZj7lIa2R
 X9JR/TFmUtZguFKHxqYk+kc0yMErWb1gEHZUvx8c26Ph8p8O1ib4lo0DH0+4CdcEbBOdshY8S5
 mkbuXHW06MFdGKGeWkPbgyKa
Received-SPF: Pass (ironport.domain.tld: domain of
  usui@world246.co.jp designates 153.138.237.21 as permitted
  sender) identity=mailfrom; client-ip=153.138.237.21;
  receiver=ironport.domain.tld;
  envelope-from="usui@world246.co.jp";
  x-sender="usui@world246.co.jp"; x-conformance=spf_only;
  x-record-type="v=spf1"; x-record-text="v=spf1
  ip4:122.1.234.0/24 ip4:122.28.103.0/24 ip4:125.170.92.0/24
  ip4:153.128.48.0/24 ip4:153.138.236.0/22 ip4:153.149.140.0/22
  ip4:153.149.144.0/26 ip4:153.149.210.128/25
  ip4:153.149.227.0/26 ip4:153.149.229.0/25
  ip4:153.149.231.0/26 ip4:153.149.235.0/26
  ip4:153.149.246.0/24 ip4:153.153.62.0/23 ip4:153.153.62.64/26
  ip4:153.153.66.0/26 ip4:153.153.67.0/26 ip4:180.37.203.0/27
  ip4:210.232.239.0/24 ip4:211.129.14.0/24 ~all"
Authentication-Results: ironport.domain.tld; spf=Pass smtp.mailfrom=usui@world246.co.jp
Received: from oogw1619.ocn.ad.jp ([153.138.237.21])  by ironport.domain.tld with
 ESMTP; 12 Jun 2019 18:53:00 +0200
Received: from cmn-spm-mts-007c1.ocn.ad.jp (cmn-spm-mts-007c1.ocn.ad.jp
 [153.153.67.163])	by oogw1619.ocn.ad.jp (Postfix) with ESMTP id ABD78D00632
	for <firstname.lastname@domain.tld>; Thu, 13 Jun 2019 01:52:57 +0900 (JST)
Received: from mwb-vc-mts-002c1.ocn.ad.jp ([153.138.237.206])	by
 cmn-spm-mts-007c1.ocn.ad.jp with ESMTP	id b6Thh68GSxayib6UbhSYhu; Thu, 13 Jun
 2019 01:52:57 +0900
X-BIZ-RELAY: yes
Received: from sgs-vcgw117.ocn.ad.jp ([153.149.141.227])	by
 mwb-vc-mts-002c1.ocn.ad.jp with ESMTP	id b6UbhUHD5Pu64b6UbhdCtZ; Thu, 13 Jun
 2019 01:52:57 +0900
Received: from world246.co.jp (world246.co.jp [61.126.63.35])	by
 sgs-vcgw117.ocn.ad.jp (Postfix) with ESMTP id 41EB824027A	for
 <firstname.lastname@domain.tld>; Thu, 13 Jun 2019 01:52:57 +0900 (JST)
Received: from [191-37-79-238.cntfiber.net.br] (unknown [191.37.79.6])	(using
 TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))	(Client did not present
 a certificate)	by world246.co.jp (Postfix) with ESMTPSA id 8981BFA06C4B	for
 <firstname.lastname@domain.tld>; Thu, 13 Jun 2019 01:52:54 +0900 (JST)
To: <firstname.lastname@domain.tld>
Date: Wed, 12 Jun 2019 18:52:57 +0200
Feedback-ID: 548861:37297860.09834206:c17:gs
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101
 Thunderbird/52.0
Errors-To: tlas1q6gl8jndgdjtta@world246.co.jp
Content-Type: multipart/related; boundary=
	"42BA930A9710E9BA89-0359E07F74A1-08C6D57BBB3505A225-4327C8D9E21-F408A"
MIME-Version: 1.0
List-Help: <http://www.world246.co.jp/lists/?p=preferences&uid=kxr4k59jfw368nq8x6fnz6162g35qp0c>
X-Priority: 1
Message-ID: <v5xc36y-1so7xu-35@world246.co.jp>
From: <firstname.lastname@domain.tld>
Organization: Iiqvmayafsgw
Abuse-Reports-To: <abuse@world246.co.jp>
X-Sender: <usui@world246.co.jp>
List-ID: <mossojgysy-73822-06857>
X-CSA-Complaints: whitelist-complaints@world246.co.jp
Return-Path: usui@world246.co.jp

 

Why did the message pass the Mail Flow Policies? The mail server 153.138.237.21 is not on our whitelist - I just double checked it...

 

Thanks,

P.

 

1 REPLY 1
dmccabej
Cisco Employee

Hello,

 

The guide you mention seems to instruct you to use the Sender Verification table. This is fine, but, this would only be checking against the Envelope Sender domain. Which, in this case, was usui@world246.co.jp. The From shown in most email clients will not be using the Envelope Sender, but instead the actual From header. Which, in this case, was From: <firstname.lastname@domain.tld>.

 

The From header and Envelope Sender are completely separate and is the most probable cause as to why the set up in this particular case has failed. 

 

What you can do instead is set up a Message Filter to look for your internal domain in the From header and if the email is not tied to the RELAYED Mail Flow Policy then take appropriate action.

 

Here is one that I typically provide as an example (of course, this would need to be modified to fit your needs) :

 

SpoofExample:
if (sendergroup != "RELAYLIST") AND ((header("From") == 'example.com') OR (mail-from == 'example.com'))
{
log-entry ("**********Spoof Message**********");
quarantine('Policy');
}

 

In short, it says if the Sender Group does NOT equal the RELAYLIST AND the From header contains example.com OR the Envelope Sender contains example.com, then log an entry and send this email to the Policy quarantine.

 

 

Thanks!

-Dennis M.

Create
Recognize Your Peers
Content for Community-Ad