ESA Cluster filters / CLI vs GUI

cyberurmel
Level 1

Hi all,

it would be great if you could help me out to understand how to use filters correctly:

First of all, we implemented some outgoing filters via the GUI which end with mails in e.g. a quarantine.

As some users are very quick at filling out phishing emails, it would be good to create some rules so that the ESA stops them ASAP.

For that I found a script, as seen below:

if header-repeats('subject',100,'outgoing')
{
notify('admin@xyz.com');
}
.

I entered this in the CLI and see it's active. Normally I create a filter in the GUI and apply it to a policy. How is it in this case? I can't see this filter in the GUI; is it really OK what I did?

Second: now it's only a notify. Is it possible to quarantine them, or a specified user where such mail floods come from?

How do you solve such issues?

Thanks a lot for your help

Regards

 

14 Replies

Hi Ken,

thanks first of all. I have to read up on that because I've never used it before.

So, do you know if in the short script above (which I found on Cisco pages) 'subject' means any subject? Or does it mean that I have to enter a string for a subject? But in this case I don't understand how I should know the subject (user credentials have been phished).

Thanks a lot

Best regards

S

It means any subject. That rule says that if your box sends 100 mails out with the same subject over the course of an hour, it will alert you...
E.g. this tells you if one of your users might be sending out spam...

Hello Ken,

thanks a lot for your answer. So if I understood right, first of all I will check the functionality, e.g. 100 mails with the same subject and notify as the action, and if it works it should be possible to block the sender?

Regards

Cyb

The rule in your post is for outbound mail... so it may be a case of talking to the user to figure out what's going on... legitimate sales email? Virus?

Hi Ken,

thanks first... let me explain the issue:

We see a lot of phishing attacks in our company, like "there is an update in Office, please enter your credentials"...

and it seems someone surely walks into this trap.

Then we see a big amount of outgoing mails (spam), and for sure after a short time we are blacklisted. So, in order not to run into that situation, my intention is to stop such massive mail floods ASAP. An email as notification is a first step, but what if such floods happen at the weekend or late at night?

Best would be to set a limit for outgoing mails via subject (normally not known) or sender, and if the limit is reached, block the sender and send the outgoing mails to a special quarantine.

Is such a constellation possible and best practice?

Thanks for your help in advance

 

In addition to my previous post, I tested with:

Header_Repeat_10_info:
if header-repeats('subject',10,'outgoing')
{
notify('xyz@xyz.com');
}
.

then sent a message from myself to 10 recipients with the same subject, but nothing happens... I got no mail. Could it be that I have to enter the xyz mail in alerts with informational status? Or why didn't it work?

Checked via SMA... no mail went out to xyz in this period.

 

Hi Ken,

sorry for the late reply. It worked, and now after the testing time we are OK with that.

But one thing perhaps you or anyone could help me with:

Is it possible to send the notify mails to the admin mail and ALSO to the envelope sender, set as a variable,

like: notify ("abadmin@xyz.de" , "Envelope-Sender" ) ;

Thanks and regards

 

 

Try $EnvelopeFrom

Hi Ken,

thanks a lot. The code was accepted, so I think it will work, but I'll keep an eye on it.

Best Regards

 

Hi Ken,

as we noticed now, it seems not to work completely. We get the info mail but not the sender... so he is not informed that something is being checked in the background.

notify('ourinternalmail@domain.com','$EnvelopeFrom');

Do you have an idea or see an error in my code?

 

Thanks a lot 

Regards 

 

Seems I steered you wrong... 

All of the examples I've seen only have one recipient.... so you need two Notify commands. 

 

notify('ourinternalmail@domain.com');
notify('$EnvelopeFrom');

 

Ken

Hi Ken,

thanks a lot for your fast help! Great... I will test it, but I think it will work.

 

Great

Regards

Stefan

 

Hi Ken,

in addition to this (for us great) filter, I wonder if it's possible to exempt some mails (whitelisting)... so if some alarm has to be sent (for example to a service provider for some special machines), it wouldn't be great if they got stuck in this filter.

Is that possible? Do you have an idea if so?

Thanks a lot

Regards

Cyb
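Ken's reading of the rule earlier in the thread (the appliance counts identical subjects over the course of an hour, on one direction of traffic) and the two follow-up questions (quarantining the flood instead of only notifying, and exempting a known bulk sender such as a machine-alarm mailbox) can be tried out offline with the Python model below. This is an added example written for this page, not AsyncOS code and not a Cisco message filter: it simulates how I understand header-repeats to count (same header value, last hour, one direction; 'subject' and 'mail-from' are the two targets I believe the rule accepts), applies the thread's conclusion that each notify() takes one recipient, adds a quarantine action as the escalation asked for, and adds a per-sender exemption that the thread asks about but nobody on the page answers. The addresses, the quarantine name 'Outbound_Flood' and the traffic are all constructed for the demo.

```python
"""Offline model of an ESA-style header-repeats outbound-flood filter.

Added example for this thread; it is not AsyncOS code. Assumptions are marked.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Assumption: the rule counts messages carrying the same header value that
# the appliance has seen in the last hour (Ken's "over the course of an hour").
WINDOW = timedelta(hours=1)


@dataclass
class Message:
    ts: datetime
    envelope_from: str
    subject: str
    direction: str            # 'outgoing' or 'incoming'


@dataclass
class Verdict:
    msg: Message
    actions: List[str] = field(default_factory=list)   # empty = delivered untouched

    @property
    def quarantined(self) -> bool:
        return any(a.startswith("quarantine(") for a in self.actions)


class HeaderRepeatsFilter:
    """Models:  if header-repeats('<target>', <threshold>, '<direction>') { ... }

    Counting is per header value, appliance-wide (not per sender), so it fires
    on any subject once enough copies have left in the window. The exemption
    list is the 'whitelisting' the thread asks for; it is my addition.
    """

    def __init__(self, target: str, threshold: int, direction: str,
                 admin: str, quarantine: str, exempt_senders=()):
        if target not in ("subject", "mail-from"):   # assumed targets of the rule
            raise ValueError("target must be 'subject' or 'mail-from'")
        self.target, self.threshold, self.direction = target, threshold, direction
        self.admin, self.quarantine = admin, quarantine
        self.exempt = {s.lower() for s in exempt_senders}
        self._seen: Dict[str, Deque[datetime]] = defaultdict(deque)

    def evaluate(self, msg: Message) -> Verdict:
        v = Verdict(msg)
        if self.direction != "any" and msg.direction != self.direction:
            return v                                  # wrong direction: not counted
        key = msg.subject if self.target == "subject" else msg.envelope_from
        seen = self._seen[key.strip().lower()]
        seen.append(msg.ts)
        while seen and msg.ts - seen[0] > WINDOW:     # forget copies older than an hour
            seen.popleft()
        if len(seen) < self.threshold:
            return v                                  # copies 1..N-1 have already left
        if msg.envelope_from.lower() in self.exempt:
            v.actions.append(f"log-entry('exempt bulk sender {msg.envelope_from}')")
            return v
        # Thread's conclusion: one recipient per notify(), hence two calls; the
        # second stands in for $EnvelopeFrom. Quarantine is the escalation asked for.
        v.actions.append(f"notify('{self.admin}')")
        v.actions.append(f"notify('{msg.envelope_from}')")
        v.actions.append(f"quarantine('{self.quarantine}')")
        return v


def run_demo() -> List[Verdict]:
    """Constructed traffic (not from the thread): a phished mailbox bursting at
    02:00 on a Saturday, a monitoring box with an identical-looking burst that is
    exempt, one incoming copy of the lure, and the same subject two hours later."""
    t0 = datetime(2024, 3, 2, 2, 0)
    lure = "Office update: confirm your credentials"
    flt = HeaderRepeatsFilter("subject", 10, "outgoing",
                              admin="abadmin@example.com", quarantine="Outbound_Flood",
                              exempt_senders=["machine-alerts@example.com"])
    traffic = [Message(t0, "attacker@example.org", lure, "incoming")]
    for i in range(12):
        traffic.append(Message(t0 + timedelta(seconds=30 * i),
                               "victim@example.com", lure, "outgoing"))
        traffic.append(Message(t0 + timedelta(seconds=30 * i + 5),
                               "machine-alerts@example.com", "Machine 7 ALARM", "outgoing"))
    traffic.append(Message(t0 + timedelta(hours=2), "victim@example.com", lure, "outgoing"))
    return [flt.evaluate(m) for m in sorted(traffic, key=lambda m: m.ts)]


def summarize(verdicts: List[Verdict]) -> Dict[str, int]:
    return {
        "total": len(verdicts),
        "quarantined": sum(v.quarantined for v in verdicts),
        "exempted": sum(any(a.startswith("log-entry(") for a in v.actions) for v in verdicts),
        "delivered": sum(1 for v in verdicts if not v.actions),
    }


if __name__ == "__main__":
    for v in run_demo():
        if v.actions:
            print(v.msg.ts.time(), v.msg.envelope_from, "->", "; ".join(v.actions))
    print(summarize(run_demo()))
```

Two things the model makes visible that the thread only hints at: a threshold rule cannot touch the first N-1 copies, they have already left the box, so the threshold is a trade-off between how much spam escapes and how often a legitimate burst trips the filter; and the counter is per message, so a single message addressed to ten recipients is one message here, not ten. In the model the incoming copy of the lure is never counted because the rule is scoped to 'outgoing', and the two-hour-later message starts a fresh count because the earlier copies have aged out of the window.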
