Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3518
Views
0
Helpful
11
Replies

Content Filter to check for Reply-To mismatch is always triggered

Go to solution
MiguelAngelChana23263
Level 1
Level 1

‎01-15-2021 06:05 AM

Hi:

 

I have a strange issue that honestly I don't know how to solve.

Before opening a case I'm asking here to check if anybody can shed some light on it, I guess the problem is me.

 

In default policy I have a content filter with the following rules (both of the conditions must be true)

 

Other Header Reply-To exists

Header Reply-To does not equal $envelopesender

 

And actions:

Log

Quarantine-duplicate

Add Disclaimer text

 

 

Whenever I enable this filter in the default policy ALL of the messages with a reply-to header match the filter and get duplicated to quarantine and disclaimer text added, no matter if the reply-to is the same or different to the envelopesender

 

I tried several things like use "does not contain" instead of "does not equal" and using $envelopefrom instead of $envelopesender, but without luck. Is there something obvious I'm missing? I've seen examples of doing this everywhere, and it sounds to me that it's correct

 

Another test I did is to put the content filter in another policy, and apparently it works fine, it's happening when the filter is in the default. Any idea?

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MiguelAngelChana23263
Level 1
Level 1
In response to marc.luescherFRE

‎01-19-2021 04:37 AM

I just received the answer from TAC: apparently it is not supported, because in message/content filters the system cannot compare two variables. 

 

Would you do me a favour and check if this effectively working in your environment? I honestly don't know what to think, because this is something I've considered possible for some time and not it surprised me a lot. 

View solution in original post

0 Helpful
11 Replies 11

Go to solution
marc.luescherFRE
Spotlight
Spotlight

‎01-15-2021 07:01 AM

Hi Miguel,

 

our working sample is like this :

 

GUI_Check_From_ReplyTo: if (rcpt-to == "marc.luescher@fmc-na.com") AND (header("reply-to")) AND (header("reply-to") != "^$envelopefrom$") { add-heading("External_Warning_ReplyTo"); add-heading("External_Warning_ReplyTo_Fields"); insert-header("X-Ironport-Spoof", "yes"); }

 

Please check and let me know if that helps.

 

-Marc

0 Helpful

Go to solution
MiguelAngelChana23263
Level 1
Level 1
In response to marc.luescherFRE

‎01-15-2021 08:39 AM

Marc:
Thank you, but this is more or less what I’m doing, and I can’t make any sense of it. Simplifying to the maximum:
GUI_REPLY-TO-FLT2: if (header(“reply-to”)) AND (header(“reply-to”) != “^$envelopefrom$”) {
add-heading(“REPLY-TO_MISMATCH”);
}
Message filter and content filter look like they are doing the same, it always matches and add the disclaimer as long as it has a “reply-to” header, second condition is always matched, no matter if it’s true or not.. ☹
It looks like the comparison is not made with the machine readable part (the one between <>) but with the literal string that comes from the reply-to header.
I’m going to try with a regex that matches exactly what is coming in the reply-to header, and see what happens
0 Helpful

Go to solution
marc.luescherFRE
Spotlight
Spotlight
In response to MiguelAngelChana23263

‎01-15-2021 08:55 AM

What are your settings in mail policies / mail policy settings.

Do you have P1 and P2 visible ?

0 Helpful

Go to solution
MiguelAngelChana23263
Level 1
Level 1
In response to marc.luescherFRE

‎01-15-2021 09:07 AM

I have P1 = Envelope Sender and P2 = Headers (From, Reply-To, Sender)

0 Helpful

Go to solution
marc.luescherFRE
Spotlight
Spotlight
In response to MiguelAngelChana23263

‎01-15-2021 09:15 AM

what ESA Release are you running ?

0 Helpful

Go to solution
MiguelAngelChana23263
Level 1
Level 1
In response to marc.luescherFRE

‎01-15-2021 09:43 AM

13.5.1-071
I found this in production when the customer spotted a lot of false positives. Now I'm using a lab in dcloud, but the behavior is the same.
0 Helpful

Go to solution
MiguelAngelChana23263
Level 1
Level 1
In response to MiguelAngelChana23263

‎01-15-2021 09:23 AM

It does not matter priorities, the only thing I can come to is the following:

 

Have sender "someguy@domain.com" 

Sends from Outlook and inserts header Reply-To: Some Guy <someguy@domain.com>

 

When message arrives, filter compares "someguy@domain.com" (the $envelopefrom variable) with "Some Guy <someguy@domain.com>" and fails, so the rule is true and all the conditions match.

 

I just tested the following: configure second rule to compare estrictly to "Some Guy <someguy@domain.com>" instead of $envelopefrom and now it matches, so second rule it's false and won't insert the heading ... It's very strange for me. 

0 Helpful

Go to solution
marc.luescherFRE
Spotlight
Spotlight
In response to MiguelAngelChana23263

‎01-15-2021 10:26 AM

let me think about this as we use the same sw version in production and it is working as expected

0 Helpful

Go to solution
MiguelAngelChana23263
Level 1
Level 1
In response to MiguelAngelChana23263

‎01-15-2021 12:02 PM

Thank you very much, that will be very helpful. In the meanwhile, this is the last test I've made. I inserted a couple of variables in the disclaimer text to try and see what's going on:
Plain Text Version:
REPLY-TO MISMATCH
SENDER: $EnvelopeFrom
FILTER:$Filtername
HEADER: $header['reply-to']
Then I send a message with the following reply-to header:
Reply-To: Peter Griffin peterg@dcloud-out.cisco.com
And I get the following message:
REPLY-TO MISMATCH
SENDER: peterg@dcloud-out.cisco.com
FILTER: GUI_REPLY-TO_FLT2
HEADER: Peter Griffin
As you see, out of the address in the header, the filter it's only taking the display address, not the machine readable part between <> so it's impossible that they match

0 Helpful

Go to solution
MiguelAngelChana23263
Level 1
Level 1
In response to marc.luescherFRE

‎01-19-2021 04:37 AM

I just received the answer from TAC: apparently it is not supported, because in message/content filters the system cannot compare two variables. 

 

Would you do me a favour and check if this effectively working in your environment? I honestly don't know what to think, because this is something I've considered possible for some time and not it surprised me a lot. 

0 Helpful

Go to solution
REJR77
Level 1
Level 1
In response to MiguelAngelChana23263

‎12-20-2022 09:10 AM

Hi Miguel,

Were you able to find a solution for that?

I am trying to compare mail-from (sender address) with from header, to advertise end user if both are different.

Impossible to compare (as if ESA does not understand the $envelopefrom variable in may filter)

thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents