
compare envelope senders and message id headers in ironport

Is it possible to compare envelope senders and message id headers on IronPort?

I need this to prevent email spoofing, because a few weeks ago I got an email with a different envelope sender and message id header in it.


ppreenja
Cisco Employee

Hi,

 

Currently, comparison of two headers is not possible in ESA, and we have the below enhancement request in place for the same:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb97836


To prevent email spoofing, I would recommend that you use the below message filter on your ESA appliance:

Here is the sample filter you can use:
==============
Anti_Spoofing: if (sendergroup != "RELAYLIST") AND (sendergroup != "ALLOWED_SPOOF")
{
    if ((header("From") == "(?i)@domain\\.com") OR (mail-from == "(?i)@domain\\.com$"))
    {
        quarantine("Policy");
    }
}
.
==============

Please note that this is a sample message filter. Please change it as per your requirements.

Where domain.com is your internal domain and ALLOWED_SPOOF is a sendergroup you need to create for exceptions and add IP addresses you want to allow for spoofing (if any).

Steps to create a sendergroup:
1. Go to Mail Policies >> HAT Overview.
2. Click on Add Sendergroup.
3. Enter name ALLOWED_SPOOF.
4. Select the order such that it is placed just above WHITELIST.
5. Select the newly created policy.
6. Click on Submit and Add Senders.
7. Add the IP addresses or hostnames of external servers from where you want to allow spoofed emails.
8. Submit and Commit changes.

Please refer to the below document and article for creating a message filter on ESA:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118145-technote-esa-00.html

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01000.html


Cheers,
Pratham
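
The following is an added example, not part of the original reply and not Cisco code: a Python model of the sample filter's decision logic, run over constructed messages so the effect of each condition can be checked before the filter is deployed. It assumes Python's `re` behaves like the ESA regex engine for these two patterns; `domains_differ` is a hypothetical helper that goes beyond the filter by doing the envelope-versus-From comparison offline.

```python
import re
from email.utils import parseaddr

# Assumptions (not from the original post): Python's re stands in for the ESA
# regex engine; "domain.com" is the placeholder internal domain from the filter.
FROM_RE = re.compile(r"(?i)@domain\.com")        # unanchored, as in the filter
MAIL_FROM_RE = re.compile(r"(?i)@domain\.com$")  # anchored, as in the filter
EXEMPT_GROUPS = {"RELAYLIST", "ALLOWED_SPOOF"}


def anti_spoofing_verdict(sendergroup, mail_from, from_header):
    """Mirror the Anti_Spoofing filter: return 'quarantine' or 'deliver'."""
    if sendergroup in EXEMPT_GROUPS:
        return "deliver"
    if FROM_RE.search(from_header) or MAIL_FROM_RE.search(mail_from):
        return "quarantine"
    return "deliver"


def domains_differ(mail_from, from_header):
    """Offline check the filter cannot express: envelope vs. From domain."""
    env_domain = mail_from.rpartition("@")[2].lower()
    hdr_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    return env_domain != hdr_domain


# Constructed sample messages: (sendergroup, envelope sender, From header)
SAMPLES = [
    ("RELAYLIST", "alice@domain.com", "Alice <alice@domain.com>"),
    ("ALLOWED_SPOOF", "bounce@mailer.example", "HR <hr@domain.com>"),
    ("UNKNOWNLIST", "x@sender.example", "CEO <ceo@domain.com>"),
    ("UNKNOWNLIST", "ceo@DOMAIN.com", "CEO <ceo@other.example>"),
    ("UNKNOWNLIST", "news@vendor.example", "News <news@vendor.example>"),
    # The unanchored From pattern also matches a longer, unrelated domain.
    ("UNKNOWNLIST", "a@vendor.example", "A <a@domain.com.vendor.example>"),
]

if __name__ == "__main__":
    for group, env, hdr in SAMPLES:
        print(group, env, hdr, anti_spoofing_verdict(group, env, hdr),
              "mismatch" if domains_differ(env, hdr) else "aligned")
```

The last sample shows that the From condition, being unanchored, also quarantines mail from a domain that merely begins with the internal domain's name.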
