False positives on spoofing policies

sponder01
Level 1

Hi all,

We have a pair of ESA's and an MSA in our environment and I'm looking for suggestions on how to battle spoofing false positives from when our internal domain sends to another domain, which is auto forwarded to users back in the originating domain.

For example:

Jsmith@mail1.com sends to admin@mail2.com.

admin@mail2.com(a distribution group) contains bob@mail1.com and john@mail1.com and auto forwards the email.

The ESA sees the sender is jsmith@mail1.com and then the spoofing policy is applied.

It would be preferred not to exclude jsmith from all spoofing, just exclude emails sent from our domain for auto forwards.

I was thinking of maybe applying a header on outgoing mail for

X-blahblahblah:bypass

and check for this.

Has anyone else come across this issue? Suggestions, questions, comments...

Thanks in advance.

Sam

7 Replies

Mathew Huynh
Cisco Employee

Hey Sam,

I may not be completely clear in your internal setup.

But you could create an allowance for emails going out from your internal domain so they avoid the anti-spoof, because if the email is internal and going out to another domain, it should not be considered a spoof.

So what you could do (again, as I do not know what your current anti-spoof filter setup and configuration is) is create or edit your filter setup and put in a rule so that if the email is coming from your Exchange (internal to external) it is not matched against this filter.

Or if the email is matching (checking in message tracking) RELAYLIST or so, you can add (if you're using a message filter) the condition to exclude anything that matches RELAYLIST from the spoofing policy.

If I could get some more information, I could attempt to assist you further.

Thanks!

Regards,

Matthew

Thanks for the reply Matthew.

Here is a little bit more on how we are configured. I also want to add the disclaimer that the person who set it up is no longer with us.

-------------------------

Incoming Mail Policy

We have a spoof policy that all senders ( @mail1.com ) apply to.

An incoming content filter is then applied for one or more of the following conditions:

      • mail-from == "@mail1.com$"
      • header("From") == "@mail1\\.com"

When a condition is true, it notes it in the log, sends me an email notification and drops it in the central quarantine.

-------------------------

I've attached the email headers of a test email that fell under the policy. 


What I have done to assist in the false positives for this scenario is:

  • I created a dictionary list with the email addresses of remote email addresses with auto forwards back to @mail1.com.
  • I then created an outbound policy and filter that if an outgoing message recipient is on the dictionary list, it adds a custom header.
  • On the inbound... if said custom header exists... it skips the spoofing policy.

I'm sure there is a better way... it's pretty low maintenance after the initial catch for spoofing.

-Sam

Hi Sam,

As we are looking to set an exception for the spoofing filter based on the email that went out from mail1 and not necessarily what is coming in (which is the usual case) we would need to identify these emails using a filter when they are on the way out.

---------------------------------------------------------------------------------
Having said that, under normal scenarios exceptions are normally created by determining a common trusted value for these emails such as the server IP generating the emails inbound or any other value which can be checked when the email is injected back as an incoming email.

---------------------------------------------------------------------------------

The workaround you have in place makes the most sense considering the information available on the scenario.

The outgoing filter would check the dictionary and insert a header which can be used as an exception when the email is auto-forwarded back to the original domain.

---------------------------------------------------------------------------------

Email from mail1 goes out to mail2
mail2 matches the outgoing content filter and inserts the custom header.

mail2 auto-forwards back to mail1

---------------------------------------------------------------------------------

Incoming filter skips checking for spoofed email based on the header being present.

---------------------------------------------------------------------------------

The only other easier method would be if we had a common sender server IP which could be used to set the exception.


Thanks!

Regards,
Libin

Libin...

like using the 

"x-originating-ip: [192.168.1.1]"  

or

X-SOURCE-IP: [1.1.1.1]

??

Sam,

The content/message filters allow for a condition like below

remote-ip == "192.168.1.1"

-- Libin

I'm testing with the remote-ip filter... won't that require entering the IPs of every remote mail server of the domains that auto-forward back to mail1.com?

I was able to get it to work using the message-id contains "@exchange_server" or using the "x-originating-ip" headers.

Both of these methods will allow me to ignore emails that are generated from our domain, sent externally and auto-forwarded back to our domain.
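A worked model of the inbound decision this thread converges on, added here as an example and not code from the thread or from the Cisco ESA itself: it applies the two sender conditions Sam quoted (mail-from and header("From") against @mail1.com) and then the exceptions discussed (custom header, Message-ID containing "@exchange_server", x-originating-ip, remote-ip). The header name X-Mail1-Forward-Bypass stands in for Sam's "X-blahblahblah", and all sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Regexes mirroring the thread's ESA conditions (dot escaped as in the From rule).
INTERNAL_FROM_RE = re.compile(r"@mail1\.com$", re.IGNORECASE)   # mail-from == "@mail1.com$"
INTERNAL_HEADER_RE = re.compile(r"@mail1\.com", re.IGNORECASE)  # header("From") == "@mail1\\.com"

# Exception markers from the thread. Header name is a hypothetical stand-in for
# "X-blahblahblah"; the IP is the thread's remote-ip example value.
BYPASS_HEADER = "X-Mail1-Forward-Bypass"
TRUSTED_REMOTE_IPS = {"192.168.1.1"}
EXCHANGE_MSGID_MARKER = "@exchange_server"


def looks_internal(msg: Message, mail_from: str) -> bool:
    """True when the envelope sender or the From header claims the internal domain."""
    return bool(INTERNAL_FROM_RE.search(mail_from) or
                INTERNAL_HEADER_RE.search(msg.get("From", "")))


def forward_exception(msg: Message, remote_ip: str) -> Optional[str]:
    """Return the name of the first matching auto-forward exception, or None."""
    if msg.get(BYPASS_HEADER, "").strip().lower() == "bypass":
        return "custom-header"
    if EXCHANGE_MSGID_MARKER in msg.get("Message-ID", ""):
        return "message-id"
    if msg.get("X-Originating-IP", "").strip("[] ") in TRUSTED_REMOTE_IPS:
        return "x-originating-ip"
    if remote_ip in TRUSTED_REMOTE_IPS:
        return "remote-ip"
    return None


def evaluate(raw: str, mail_from: str, remote_ip: str) -> str:
    """Decide what the inbound spoof policy does with one message."""
    msg = message_from_string(raw)
    if not looks_internal(msg, mail_from):
        return "deliver"                      # external sender, spoof policy not in scope
    exc = forward_exception(msg, remote_ip)
    if exc:
        return "skip-spoof-check:" + exc      # auto-forwarded copy of our own mail
    return "quarantine"                       # internal address from outside, no marker


# Constructed sample: forwarded copy of jsmith's own message coming back via mail2.
FORWARDED = ("From: John Smith <jsmith@mail1.com>\r\nTo: bob@mail1.com\r\n"
             "Message-ID: <1234@exchange_server>\r\nSubject: report\r\n\r\nhi\r\n")
# Constructed sample: outside host claiming to be jsmith, with no exception markers.
SPOOFED = ("From: jsmith@mail1.com\r\nTo: bob@mail1.com\r\n"
           "Message-ID: <9@outside.example>\r\nSubject: please review\r\n\r\nhi\r\n")
```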

Libin and Matthew, Thank you for helping me think more about the process.

Yes, the remote-ip method would require adding multiple IPs if multiple domains are auto-forwarding.

I checked online to see if there was any other method available to distinguish auto-forwards from regular emails however it does not appear to have much to distinguish on that basis.

Glad to hear the message-id and originating-ip options tested correctly for you.

Libin 
