Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2503
Views
5
Helpful
5
Replies

False positives in processing emails matching Forged Email Detection filter by ESA

zheka_pefti
Level 2
Level 2

‎03-11-2021 10:50 AM - edited ‎03-11-2021 10:53 AM

Hello folks,

We are immensely frustrated and inundated by spoofed emails coming from gmail originating as if from company executives. Clearly it is a famous CEO fraud and we followed Cisco's recommendation to block with a dictionary with names of executives and content filter using forged email detection module. But once we configured it we ran into a whole lot of other problems. Lots of legitimate emails are now stopped by the policy filter. They are all false positives. I'm giving an example, here's an extract from the dictionary. There's a line in the dictionary file with a name, i.e. "Christine Mohr", I had it without quotes, with single quotes and double quotes, no difference at all. I even have checked "Match whole words" box for this dictionary

The rule under incoming content filter looks like this:

forged-email-detection("Executives_Forged_Email_Detection", 70, "") where "Executives_Forged_Email_Detection" is the name of the dictionary.

Emails that we see in the policy quarantine  come from a person with a totally different name, here's an example (I'm masking the real email address)

 

X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.81,238,1610438400";
d="pdf'?scan'208,217";a="3881128"
X-Original-From: Christina mould <XXXXXXXXX@gmail.com>
From: XXXXXXXX@gmail.com
X-FED: Match

 

Email security appliance for some reason matches this email with a filter "Christine Mohr". Why ? This is killing me and ruins our life and creates lots of problems for other staff members.

 

 

Labels:
5 Replies 5

Ken Stieers
VIP
VIP

‎03-11-2021 10:54 AM

70 is way too low...

Turn it up to 80, see how it goes, then 90....



I'm currently running at 93.






0 Helpful

zheka_pefti
Level 2
Level 2
In response to Ken Stieers

‎03-11-2021 11:18 AM

Appreciate your advice, but how is related to false positives I described ? Will it not become more aggressive if I put it higher ?

0 Helpful

Ken Stieers
VIP
VIP
In response to zheka_pefti

‎03-11-2021 11:29 AM

The higher the number the closer the match has to be for FED to fire.
0 Helpful

zheka_pefti
Level 2
Level 2
In response to Ken Stieers

‎03-11-2021 12:43 PM

Ok, I get it. So, this value can be treated as accuracy ? I wonder what happens if I set it to 100?

Will try to experiment anyways, thanks, if it is the root cause of those false positives

0 Helpful

Ken Stieers
VIP
VIP
In response to zheka_pefti

‎03-11-2021 01:52 PM

At 100 its more or less only going to match on perfect matches.

If the name in your dictionary is "Tim Jones" and you get a mail from "Timothy Jones", you probably want that to be considered a match.

At 100, that wouldn't hit.



Ken




0 Helpful
Customers Also Viewed These Support Documents