03-11-2021 10:50 AM - edited 03-11-2021 10:53 AM
Hello folks,
We are immensely frustrated and inundated by spoofed emails coming from Gmail, appearing as if from company executives. Clearly it is the well-known CEO fraud, and we followed Cisco's recommendation to block it with a dictionary of executive names and a content filter using the Forged Email Detection module. But once we configured it we ran into a whole lot of other problems. Lots of legitimate emails are now stopped by the policy filter. They are all false positives. I'm giving an example; here's an extract from the dictionary. There's a line in the dictionary file with a name, e.g. "Christine Mohr". I had it without quotes, with single quotes and with double quotes, no difference at all. I even have the "Match whole words" box checked for this dictionary.
The rule under incoming content filter looks like this:
forged-email-detection("Executives_Forged_Email_Detection", 70, "") where "Executives_Forged_Email_Detection" is the name of the dictionary.
Emails that we see in the policy quarantine come from a person with a totally different name. Here's an example (I'm masking the real email address):
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.81,238,1610438400";
d="pdf'?scan'208,217";a="3881128"
X-Original-From: Christina mould <XXXXXXXXX@gmail.com>
From: XXXXXXXX@gmail.com
X-FED: Match
The Email Security Appliance for some reason matches this email with the filter entry "Christine Mohr". Why? This is killing me, ruins our life and creates lots of problems for other staff members.
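To see why a display name like "Christina mould" can trip a dictionary entry "Christine Mohr", here is an added toy model of fuzzy display-name matching against an executive dictionary with a tunable threshold. It is example code written for this thread, not Cisco's implementation: the similarity metric (difflib ratio scaled to 0-100) is an assumption, the header sample is constructed from the quarantined message above, and the second dictionary name is made up.

```python
"""Toy model of Forged Email Detection style name matching (added example).

The similarity metric is an assumption (difflib ratio, 0-100); Cisco does not
publish its algorithm. It shows how the numeric threshold in
forged-email-detection("dict", 70, "") decides whether near-miss names match.
"""
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample, modelled on the quarantined message headers in the post.
SAMPLE_MESSAGE = """X-Original-From: Christina mould <XXXXXXXXX@gmail.com>
From: XXXXXXXX@gmail.com
Subject: quick favour

are you at your desk?
"""

# Constructed executive dictionary; "Dana Kowalski" is an invented name.
EXECUTIVE_DICTIONARY = ["Christine Mohr", "Dana Kowalski"]


def display_name(raw_message: str) -> str:
    """Return the sender display name, preferring X-Original-From, which in
    the sample carries the name after the appliance rewrote From:."""
    msg = email.message_from_string(raw_message)
    for header in ("X-Original-From", "From"):
        name, _addr = parseaddr(msg.get(header, ""))
        if name:
            return name
    return ""


def similarity(a: str, b: str) -> int:
    """Case-insensitive similarity score from 0 (unrelated) to 100 (identical)."""
    return round(100 * SequenceMatcher(None, a.lower(), b.lower()).ratio())


def fed_match(raw_message: str, dictionary: list, threshold: int):
    """Return (matched_entry, best_score); matched_entry is None below threshold."""
    name = display_name(raw_message)
    score, entry = max((similarity(name, e), e) for e in dictionary)
    return (entry if score >= threshold else None, score)


def lowest_safe_threshold(raw_message: str, dictionary: list) -> int:
    """Smallest threshold (0-100) at which this legitimate sender stops matching."""
    return fed_match(raw_message, dictionary, 0)[1] + 1
```

At a threshold of 70 the constructed sender scores 76 against "Christine Mohr" and is quarantined; raising the threshold above that score clears this particular false positive while an exact executive name still scores 100.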
03-11-2021 10:54 AM
03-11-2021 11:18 AM
Appreciate your advice, but how is it related to the false positives I described? Will it not become more aggressive if I put it higher?
03-11-2021 11:29 AM
03-11-2021 12:43 PM
Ok, I get it. So this value can be treated as accuracy? I wonder what happens if I set it to 100?
Will try to experiment anyway, thanks, if it is the root cause of those false positives.
03-11-2021 01:52 PM