
Display Name filter

SUKAFUN
Level 1

Hi Everyone. This is my first post in Cisco Community hope you are able to help me :)

I'm now looking after our company Ironport email appliances, which I'm still learning about.

My first task is to create kind of a filter that looks into the display name of an email (not the email address FROM) and if it doesn't match our domain name then flag as spam.

For example if someone receives email from John Smith domain.com.au and the sender domain name is different then flag the email. Remember that some external people change their display name and add your domain name and when an email arrives it appears as if it's coming from your domain. I'm not talking about domain spoofing we already have SPF record.

To make it simple I just want to find the right filter that checks if there's domain.com.au in the display name, then I'll add the condition.

I read that I'll be able to apply this in a message filter, which happens before content filters, however I can't find the right filter syntax. I also found this filter in another Cisco Community link, however it comes up as incorrect syntax: header("From") == "(?i)(domain.com.au)"

Cheers

Mo

11 Replies

balaji.bandi
Hall of Fame

For example if someone receives email from John Smith domain.com.au and the sender domain name is different then flag the email

From the above statement, a couple of questions:

1. Is this email generated from inside, or are we discussing outside to inside?

2. So in the above example: if you already have spoof protection in place, how does this email get through?

3. Since you are the owner of domain.com.au, you have admin control to send and receive emails.

4. Explain your email process path, for example:

 

Outside to inside

Internet ----ESA----(Load Balancer)-Exchange

 

Inside to Outside

Exchange -----ESA---Internet ?

Here is the admin guide; it has a couple of snippets that may help you:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_01000.pdf


BB

Hi BB. Thanks for your response. 

We are talking here about emails from outside going inside. In particular, emails show up in Outlook as, for example: John Smith (domain.com.au). The display name is shown above the email subject. But the sender's actual email address is baddomain.com.au, so really it's just the sender adding domain.com.au into the display name to trick the recipient, who thinks it's being sent from inside the company. If you actually have someone called John Smith inside of your organization, and your domain is domain.com.au as shown in the display name, then chances are the recipient will get fooled.

SPF or email protection won't do anything for this as display name can be anything.

See this example I made up for you to make it clear to understand:

[attached image: Capture.PNG]

Our mail flow:

Internet > Ironport > Sophos > Exchange

and vice versa


Hi Guys. Anyone please able to help me?

I think you have too many false positives to handle in the address permutations.

So your domain is domain.com.
The friendly part of the email could be one of these at the bottom:
- with many more imaginative permutations to consider.
- each raises a debate to trust or not trust, some easier to handle than others.

I would say it would be easier to drop the friendly part and just leave the Internet Address.
That way, you can leave it to Email Authentication to handle the rest and the user to decide on knowing the internet address being used.

But you could hedge your bets on refusing @ or brackets. I don't see how you can deal with dot.

Completely untested starter...could be done from Content Filters rather than Message Filters (message filters need a name before the rule, so one is added here):

Strip_Friendly_Part:
if header("From") == "[()@].*<" {
    edit-header-text("From", "^.*<", "<");
}

Paul Thomas <paul.thomas@domain.com>
Paul.Thomas <paul.thomas@domain.com>
Paul Thomas (microsoft.com) <paul.thomas@domain.com>  <--- how do you know microsoft.com is not just io.chef application name / company name and not a domain name. 
Paul.Thomas@microsoft.com <paul.thomas@domain.com>
"Paul.Thomas@microsoft.com" <paul.thomas@domain.com>
'Paul.Thomas@microsoft.com' <paul.thomas@domain.com>
Paul Thomas (@microsoft.com) <paul.thomas@domain.com>
Paul Thomas (paul.thomas@microsoft.com) <paul.thomas@domain.com>
"Paul Thomas (paul.thomas@microsoft.com)" <paul.thomas@domain.com>
'Paul Thomas (paul.thomas@microsoft.com)' <paul.thomas@domain.com>
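To see how the two checks discussed in this thread behave against the permutations above, here is an added Python example (not AsyncOS filter code and not from the thread) that reproduces Paul's "[()@].*<" heuristic, Mo's "our domain in the display name" check with escaped dots and (?i), and the header rewrite. OUR_DOMAIN and the headers are assumed values.

```python
import re

# Added example, not from the thread: replicate the checks discussed above
# so they can be tried offline against sample From: headers.
OUR_DOMAIN = "domain.com"  # assumed organisational domain

# Display name = everything before the last "<...>"; address = its contents.
FROM_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$")
# Paul's starter heuristic: "(", ")" or "@" somewhere before the "<".
ADDRESS_LIKE_NAME_RE = re.compile(r"[()@].*<")
# Mo's check: our domain in the friendly part, case-insensitive ("(?i)"),
# dots escaped (re.escape plays the role of "\\." in a message filter),
# and not merely a substring of a longer name such as baddomain.com.
OUR_DOMAIN_RE = re.compile(
    r"(?i)(?<![\w.-])" + re.escape(OUR_DOMAIN) + r"(?![\w-])"
)


def split_from(header):
    """Return (display_name, address, address_domain) for a From: header."""
    m = FROM_RE.match(header)
    if m:
        name = m.group("name").strip().strip("\"'")
        addr = m.group("addr").strip()
    else:
        name, addr = "", header.strip()  # bare addr-spec, no friendly part
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def classify(header):
    """Return the reasons a From: header looks like display-name spoofing."""
    name, _addr, addr_domain = split_from(header)
    reasons = []
    if ADDRESS_LIKE_NAME_RE.search(header):
        reasons.append("address-like display name")
    if OUR_DOMAIN_RE.search(name) and addr_domain != OUR_DOMAIN:
        reasons.append("our domain in display name, sender elsewhere")
    return reasons


def strip_display_name(header):
    """Same effect as edit-header-text("From", "^.*<", "<")."""
    return re.sub(r"^.*<", "<", header, count=1)
```

The domain check catches a plain "John Smith domain.com" friendly part that the bracket/@ heuristic misses, while a misspelt "domainXcom" does not match because the dot is escaped.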

Hi Paul. First thanks a lot for your response.

I've read your comment several times trying to understand it. Correct me if I'm not right.

It doesn't look like there's a specific filter for the display name, and it looks like you are using the "from" header filter, which is basically a combination of "mailto" and display name. Is this correct?

If this is the case then you are right, my best bet is to trigger on the brackets or the @ character. Else it will be very hard to filter.

Yes.
The only feature that looks specifically at the Display Name part of the From header is FED.
But this is working off 'closeness' to a Dictionary of names - that I can't be asked to have some automated scripted process to maintain. Not just a domain name that you are looking for.

You are right to use the (?i) as many forget this.
But also you need to double escape each dot in Message Filters:
\\.
Otherwise it's Regex for any character.

Hi Mo,

maybe another idea:

a) we tag every email which is coming from external in the subject line with [EXTERNAL EMAIL]; besides this we insert a red header to warn the user not to click on any unknown URLs included in such emails.

b) emails which are sent by our service providers using our domain can come in and will not get tagged, assuming they pass all our authentication validations.

c) emails which use our domain but are not in our trusted list are identified as [SPOOFED EMAIL]. We remove the from, replyto and sentby address and replace it with the env from. In addition we insert a header into each email and display the displayed FROM, REPLY and SENTBY. This allows an internal user to see that an email came from badspoofer@publicmail.com even when the from name displayed was CEO@your company. In most cases, and when a message is sent to our VIPs, we delete such emails at this stage.

 

Hope that helps.


iscinteianu
Level 1

We face the same issue, our message filter for AntiSpoofing apparently doesn't "look" in the display name part of the from header.

We learned this the hard way, some e-mails passed and reached the users' inboxes.

 

How did you guys manage to solve this?

Ionut

Hi there,

can you check if under Mail Policies, Mail Policy Settings, the selectors for Header "From:" are set?

Otherwise your filters check for senders only in the Envelope Sender field.

 

I hope this helps

 

-Marc

iscinteianu
Level 1

Thank you Marc!

I checked and the only one enabled is the Envelope Sender, I guess this is the default as I don't remember checking the Mail Policy Settings before :).

So, what does it basically do? Checks only the Envelope Sender?

And if I check the other three, what may be the impact? I can't get the logic at the moment, I need to read up a bit.

 

Thx!

Ionut

If you create a mail policy which checks for senders, by default it will only check against the Sender field; only when you also select the other 3 options will additional matching against FROM, REPLY-TO and SENDER (SentBy) happen.

A content filter by default only checks against Sender, which is the Sender field. A specific content filter checking for "from" would be like:

GUI_Check_From: if header("from") { log-entry("FROM-Header-Logging"); }
