Solved: ESA - Tag inbound emails as EXTERNAL

Mark Thorne · ‎01-23-2017

As everyone is, we are attempting to reduce the number of spoofed emails entering our environment. One step we want to take is to tag inbound emails with a subject prefix, such as EXT, so that users know that the email originated from outside our environment.

We are looking at implementing some inbound filters using the envelope sender and 'does not contain' option, where we would then list our internal domains.

Is this the best/most efficient way to identify these types of emails?

Thanks for the assistance.

Libin Varghese · ‎01-23-2017

Hi Mark,

You can add an inbound content filter with the below conditions.

Conditions:

subject != "[External Email]" --> the email subject do not already contain this subject.

mail-from != "domain\.com" --> the sender is not from the internal domain. (Optional depending on your current mail-flow if you allow emails from internal domain to be treated as inbound)

Action:
edit-header-text("Subject", "(.*)", "\\1 [External Email]"); (select prepends the subject with "[External Email]")

You would need to test and modify the rules based on your requirement.

Thanks
Libin Varghese

View solution in original post

Libin Varghese · ‎01-23-2017

Hi Mark,

You can add an inbound content filter with the below conditions.

Conditions:

subject != "[External Email]" --> the email subject do not already contain this subject.

mail-from != "domain\.com" --> the sender is not from the internal domain. (Optional depending on your current mail-flow if you allow emails from internal domain to be treated as inbound)

Action:
edit-header-text("Subject", "(.*)", "\\1 [External Email]"); (select prepends the subject with "[External Email]")

You would need to test and modify the rules based on your requirement.

Thanks
Libin Varghese

Mark Thorne · ‎01-24-2017

Thanks Libin...appreciate the quick response! We will definitely be trying out the filter!

Mark

Libin Varghese · ‎01-24-2017

Glad to help.

Libin V

Mark Thorne · ‎02-06-2017

Can this be done within the interface v. through the CLI? We try to maintain all of our filter sin the GUI if possible in order to maintain a better visual representation of what is occurring.

In looking at your example and the Incoming Content Filters, it looks like I could use the Add/Edit Header, under Add Actions. Then, Header Name 'Subject', and then enter [EXT] in the Prepend to the Value of Existing Header

Is this correct?

Thanks

Mark Thorne · ‎02-06-2017

Actually, after I clicked 'submit', this was the rule created:

edit-header-text("Subject", "(.*)", "[EXT]\\1")

So I believe this has answered my question, except that the \\1 is behind the prepended text of [EXT]. That seems to be the only difference.

Libin Varghese · ‎02-06-2017

Mark,

Yes the difference would be append adds \\1 in front and prepend adds \\1 behind it.

- Libin V

Mark Thorne · ‎02-06-2017

Awesome, thanks so much!

mark

Libin Varghese · ‎02-06-2017

Mark,

That is correct, this can be done using content filters as well.

Once you add the condition and click Ok it show the above syntax on the add content filter screen where I copied it from.

Thanks!

Libin V