02-10-2020 05:11 AM
Is it possible to compare envelope senders and message id headers on IronPort?
I need this to prevent email spoofing, because a few weeks ago I got an email with a different envelope sender and message id header in it.
02-10-2020 05:41 AM - edited 02-10-2020 05:46 AM
Hi,
Currently, comparison of two headers is not possible in ESA, and we have the enhancement request below in place for the same:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb97836
To prevent email spoofing, I would recommend that you use the message filter below on your ESA appliance:
Here is the sample filter you can use:
==============
Anti_Spoofing: if (sendergroup != "RELAYLIST") AND (sendergroup != "ALLOWED_SPOOF")
{
    if ((header("From") == "(?i)@domain\\.com") OR (mail-from == "(?i)@domain\\.com$"))
    {
        quarantine("Policy");
    }
}
.
==============
Please note that this is a sample message filter. Please change it as per your requirements.
Here, domain.com is your internal domain and ALLOWED_SPOOF is a sendergroup you need to create for exceptions, adding the IP addresses you want to allow for spoofing (if any).
Steps to create a sendergroup:
1. Go to Mail Policies >> HAT Overview.
2. Click on Add Sendergroup.
3. Enter name ALLOWED_SPOOF.
4. Select the order such that it is placed just above WHITELIST.
5. Select the newly created policy.
6. Click on Submit and Add Senders.
7. Add the IP addresses or hostnames of external servers from where you want to allow spoofed emails.
8. Submit and Commit changes.
Please refer to the document and article below for creating a message filter on ESA:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118145-technote-esa-00.html
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01000.html
Cheers,
Pratham
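
Added example, not part of the original reply and not Cisco code: a small Python model of the sample filter's decision, useful for checking which messages the two patterns would quarantine before changing them for your own domain. It assumes the filter's `==` behaves like an unanchored regex search; the function name, the SUSPECTLIST group and every sample message are constructed for illustration.

```python
import re

# Patterns taken from the sample filter; the filter's "\\." is an escaped dot.
FROM_RE = re.compile(r"(?i)@domain\.com")        # header("From"), unanchored
MAIL_FROM_RE = re.compile(r"(?i)@domain\.com$")  # mail-from, anchored at the end
EXEMPT_GROUPS = {"RELAYLIST", "ALLOWED_SPOOF"}   # sendergroups the filter skips


def filter_action(sendergroup, mail_from, header_from):
    """Return 'quarantine' or 'deliver' the way the sample filter would.

    Assumption: regex comparison is a search anywhere in the value,
    so re.search() is used rather than re.fullmatch().
    """
    if sendergroup in EXEMPT_GROUPS:
        return "deliver"
    if FROM_RE.search(header_from) or MAIL_FROM_RE.search(mail_from):
        return "quarantine"
    return "deliver"


# Constructed samples: (sendergroup, envelope sender, From header)
SAMPLES = [
    # External host, internal domain only in the From header.
    ("SUSPECTLIST", "bounce@mailer.example", "CEO <ceo@domain.com>"),
    # External host, internal domain in the envelope sender (case differs).
    ("SUSPECTLIST", "ceo@DOMAIN.com", "ceo@other.example"),
    # Internal relay: exempt, even though both addresses are internal.
    ("RELAYLIST", "alice@domain.com", "Alice <alice@domain.com>"),
    # Approved third-party sender listed in ALLOWED_SPOOF.
    ("ALLOWED_SPOOF", "news@esp.example", "News <news@domain.com>"),
    # Ordinary external mail.
    ("SUSPECTLIST", "bob@partner.example", "Bob <bob@partner.example>"),
    # Subdomain address: "@domain\.com" needs "@" right before the domain,
    # so subdomains need their own pattern if they should be covered.
    ("SUSPECTLIST", "x@mailer.example", "IT <it@mail.domain.com>"),
]


def run_samples():
    """Evaluate every constructed sample and return the list of actions."""
    return [filter_action(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, action in zip(SAMPLES, run_samples()):
        print(f"{action:10} {sample}")
```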