cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.2-020
Cloud Gateway Email Status Portal Support & Downloads docs.ces.cisco.com
Email and Web Manager: 14.1.0-239
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in: 1.1.0.136
Encryption Bug Search
Encryption Plug-in: 1.2.1.167
Cloud Mailbox Notification Service
Outlook Add-in(s): More info

1895
Views
5
Helpful
1
Replies

compare envelope senders and message id headers in ironport

is possible to compare envelope senders and message id headers on ironport? 

I need this to prevent email spoofing. because a few weeks ago, I got an email with a different envelope sender and message id header in it.

1 REPLY 1
ppreenja
Cisco Employee

Hi,

 

Currently, comparison of two headers are not possible in ESA and we have below enhancement request in place for the same:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb97836


To prevent email spoofing, I would recommend you to use below message filter on your ESA appliance:

Here is the sample filter you can use:
==============
Anti_Spoofing: if (sendergroup != "RELAYLIST") AND (Sendergroup != "ALLOWED_SPOOF")
{
if ((header("From")== "(?i)@domain\\.com") OR (mail-from=="(?i)@domain\\.com$"))
{
quarantine("Policy");
}
}
.
==============

Please note that this is a sample message filter. Please change it as per your requirements.

Where domain.com is your internal domain and ALLOWED_SPOOF is a sendergroup you need to create for exceptions and add IP addresses you want to allow for spoofing (if any).

Steps to create a sendergroup.
1.
Go to Mail Policies>> HAT Overview.
2.
Click on Add Sendergroup.
3.
Enter name ALLOWED_SPOOF
4.
Select the order such that it is placed just above WHITELIST.
5.
Select the newly created policy.
6.
Click on Submit and Add Senders.
7.
Add the IP addresses or hostnames of external servers from where you want to allow spoofed emails.
8.
Submit and Commit changes.

Please refer below document and article for creating message filter on ESA:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118145-technote-esa-00.html

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01000.html


Cheers,
Pratham

Create
Recognize Your Peers
Content for Community-Ad