11-12-2021 03:15 AM
Hi all,
it would be nice if you could help me understand how to use filters correctly:
First of all, we implemented some outgoing filters via the GUI which end with mails in, e.g., a quarantine.
As some users are very fast at filling out phishing emails, it would be good to create some rules so that the ESA stops them ASAP.
For that I found a script as seen below (fixed here to close the quote around the address):
if header-repeats('subject',100,'outgoing') { notify('admin@xyz.com'); }
I entered this in the CLI and see it's active. Normally I create a filter in the GUI and apply it to a policy. How is it in this case? I can't see this filter in the GUI; is what I did really OK?
Second, now it's only a notify. Is it possible to quarantine them, or a specified user where such mail floods come from?
How do you solve such issues?
Thanks a lot for your help
Regards
Seems I steered you wrong...
All of the examples I've seen only have one recipient.... so you need two Notify commands.
notify('ourinternalmail@domain.com');
notify('$EnvelopeFrom');
Ken
11-15-2021 12:20 AM
Hi Ken,
Thanks first of all. I have to read up on that because I have never used it before.
So, do you know if in the short script above, which I found on Cisco pages, 'subject' means any subject? Or does it mean that I have to enter a string for a subject? But in this case I don't understand how I should know a subject ... (user credentials have been phished)
Thanks a lot
Best regards
S
11-16-2021 12:41 AM
Hello Ken,
Thanks a lot for your answer. So if I understood right, first of all I will check the functionality, e.g. 100 mails with the same subject and notify as the action, and if it works it should be possible to block the sender?
Regards
Cyb
11-17-2021 12:35 AM
Hi Ken,
Thanks first. Let me explain the issue:
We see a lot of phishing attacks in our company, like "there is an update in Office, please insert your credentials" ...
and it seems someone surely walks into this trap.
Then we see a big amount of outgoing mails (spam) and after a short time we are blacklisted for sure. So, in order not to run into that situation, my intention is to stop such massive mails ASAP. An email as a notification is a first step, but what if such floods happen at the weekend or in late night hours.
Best would be to set a border for outgoing mails via subject (normally not known) or sender, and if the limit is reached, to block the sender and send the outgoing mails to a special quarantine.
Is such a constellation possible and best practice?
Thanks in advance for your help
11-18-2021 07:56 AM - edited 11-18-2021 07:58 AM
In addition to my previous post, I tested with
Header_Repeat_10_info: if header-repeats('subject',10,'outgoing') { notify('xyz@xyz.com'); }
then sent a message from myself to 10 recipients with the same subject, but nothing happens. I got no mail. Could it be that I have to enter the xyz mail in alerts with informational status? Or why didn't it work?
Checked via SMA: no mail went out to xyz in this period.
02-17-2022 02:55 AM
Hi Ken,
Sorry for the late reply. It worked, and now after the testing time we are OK with that.
But one thing perhaps you or anyone could help me with:
Is it possible to send the notify mails to the admin mail and ALSO to the envelope sender set as a variable,
like: notify("abadmin@xyz.de", "Envelope-Sender");
Thanks and regards
02-17-2022 07:44 AM
Hi Ken,
Thanks a lot. The code was accepted, so I think it will work, but I will keep an eye on it.
Best regards
05-17-2022 01:19 AM
Hi Ken,
As we noticed now, it seems not to work completely. We get the info mail but not the sender, so he is not informed that something is being checked in the background.
notify('ourinternalmail@domain.com','$EnvelopeFrom');
Do you have an idea or see an error in my code?
Thanks a lot
Regards
05-19-2022 05:30 AM
Hi Ken,
Thanks a lot for your fast help! Great. I will test it, but I think it will work.
Great
Regards
Stefan
02-02-2023 04:50 AM
Hi Ken,
In addition to this, for us, great filter, I wonder if it's possible to exempt some mails (whitelisting), so if some alarm should be sent (for example to a service provider for some special machines) it wouldn't be great if they got stuck in this filter.
Is that possible? Do you have an idea?
Thanks a lot
Regards
Cyb
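The three questions of this thread (stop the flood instead of only notifying, notify both the admin and the envelope sender, and exempt a known alerting sender) can be combined into one outbound message filter. This is an added example written for this page, not a filter posted by Ken or anyone in the thread; the filter name, the quarantine name `Outbound_Flood`, the threshold of 100 and the sender address `alerts@machines.example.com` are assumptions, and the `mail-from` regex and `quarantine()` action are standard ESA message filter syntax as I know it, so verify them against your release's filter reference before loading via `filters`.

```text
# Added example (not from the thread). Outbound subject-flood filter:
# - header-repeats() counts outgoing messages with the same Subject
#   within the ESA's evaluation window (threshold 100 is assumed)
# - NOT mail-from == ... exempts a known machine-alert sender (assumed
#   address, regex anchored so a similar-looking address does not match)
# - two notify() calls, because a single notify() takes one recipient
# - quarantine() holds the flood in a policy quarantine that must already
#   exist (name "Outbound_Flood" is assumed) instead of only notifying
Outbound_Subject_Flood:
if header-repeats('subject', 100, 'outgoing')
   AND NOT (mail-from == "^alerts@machines\\.example\\.com$")
{
    notify('admin@example.com');
    notify('$EnvelopeFrom');
    quarantine('Outbound_Flood');
}
```

Because header-repeats() only starts matching once the threshold is crossed, the first messages of a burst still leave; checking the quarantine and the notification mailbox after a self-test with a low threshold, as done earlier in this thread, is the practical way to confirm the rule fires.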