FED confidence score?

Hey guys,

How is the Forged Email Detection score calculated?  Is it a simple letter for letter percentage match?

I've got some inbound email that has close analogs to names in our list but are getting flagged by FED, and I need to know what effect changing the number will have.

Thanks,

Ken 

9 Replies

Mohit Soni
Cisco Employee

Hi Ken,

The Forged Email Detection condition compares the From: header with the users in the content dictionary. During this process, depending on the similarity, the appliance assigns a similarity score to each of the users in the dictionary.

The FED condition is capable of handling slight deviations in the forged From: header.

The following are some examples:

• If the From: header is <j0hn.sim0ns@example.com> and the content dictionary contains a user ‘John Simons,’ the appliance assigns a similarity score of 82 to the user.

• If the From: header is <john.simons@diff-example.com> and the content dictionary contains a user ‘John Simons,’ the appliance assigns a similarity score of 100 to the user.

• If the From: header is 'J0hn Sim0ns', 'J0hn Sim0n5' and the content dictionary contains a user ‘John Simons,’ the appliance assigns a similarity score of 76 to the user.

• If the From: header is 'Todd Weiss' and the content dictionary contains a user ‘John Simons,’ the appliance assigns a similarity score of 30 to the user.

• If the From: header is 'Cassi Maccarley' and the content dictionary contains a user ‘John Simons,’ the appliance assigns a similarity score of 25 to the user.

The higher the similarity score, the higher the probability that the message is forged. If the similarity score is greater than or equal to the specified threshold value, the filter action is triggered.

A score above which the FED action will be triggered.

• The default similarity threshold is 70.

• The admin can always tune the similarity threshold to a value between 1 and 100.

Thanks,

Mohit Soni

That helps a lot... Is there a way for us to see what the scores are on specific mails so we can fine tune?  A content filter variable I could add to a log action?

Hi Ken,

You can review the mail_logs to get the similarity score.

Ex.:

Sun Feb 19 12:49:11 2017 Info: MID 439 Forged Email Detection on the From: header with score of 87, against the dictionary entry Mohit Soni

Thanks,

Mohit Soni

Hey Mohit,

Do you know if we can get this information in the message tracking log output the SMA provides?  We have a lot of ESAs and searching through them all for scores is a bit cumbersome.

Let us know?

Regards,

Chet

So to be clear, the formula counts the number of characters that match between the fake entry and the content dictionary entry and divides by the original number of characters?

If true, then according to my math, the similarity scores should be 27 for Cassi and 36 for Todd.  What am I missing?

Editing to say FED may not be working right now, but may be fixed in 10.0.2-020 (haven't upgraded yet)

CSCvb90531 discusses middle name issues as opposed to every single word in the dictionary, but hopefully the fix covers both issues.

Definitely pre-10.0.2-020 - If your dictionary contains Paul Thomas, then any emails from paul@anydomain or thomas@ will = 100%

There are so many false positives it cannot be effectively used and becomes a non-security related feature.  You may as well convert all sender addresses to the envelope sender and save any confusion of what may or may not occur with a message.

Thu Jul 6 20:58:36 2017 Info: MID 136058934 Forged Email Detection on the From: header with score of 100, against the dictionary entry Paul Thomas
Thu Jul 6 20:58:36 2017 Info: MID 136058934 Custom Log Entry: Forged Email Detection - Sender: paul@xyzdomain.com - From: Paul <paul@xyzdomain.com>

Thu Jul 6 11:21:47 2017 Info: MID 135904577 Forged Email Detection on the From: header with score of 100, against the dictionary entry Paul Thomas
Thu Jul 6 11:21:47 2017 Info: MID 135904577 Custom Log Entry: Forged Email Detection - Sender: thomas@xyzdomain.com - From: thomas<thomas@xyzdomain.com>
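Mohit's answer above says the only place the per-message similarity score is exposed is the mail_logs line "Forged Email Detection on the From: header with score of N, against the dictionary entry X", and the post above shows those lines next to the "Custom Log Entry" lines a content filter writes. The following is an added example, not code from this thread or from Cisco: a small Python parser that joins the two line types by MID, applies a threshold (70 by default, matching the default threshold quoted earlier), and counts hits per dictionary entry, so you can see which entries would fire at a given threshold before changing it. The log lines in the sample are constructed from the format quoted in this thread; the regular expressions assume that exact wording and may need adjusting for other AsyncOS versions.

```python
import re
from collections import defaultdict

# Constructed sample, copied in the format quoted in this thread (not from a live ESA).
SAMPLE_MAIL_LOG = """\
Sun Feb 19 12:49:11 2017 Info: MID 439 Forged Email Detection on the From: header with score of 87, against the dictionary entry Mohit Soni
Thu Jul 6 20:58:36 2017 Info: MID 136058934 Forged Email Detection on the From: header with score of 100, against the dictionary entry Paul Thomas
Thu Jul 6 20:58:36 2017 Info: MID 136058934 Custom Log Entry: Forged Email Detection - Sender: paul@xyzdomain.com - From: Paul <paul@xyzdomain.com>
Thu Jul 6 11:21:47 2017 Info: MID 135904577 Forged Email Detection on the From: header with score of 100, against the dictionary entry Paul Thomas
Thu Jul 6 11:21:47 2017 Info: MID 135904577 Custom Log Entry: Forged Email Detection - Sender: thomas@xyzdomain.com - From: thomas<thomas@xyzdomain.com>
Mon Jul 10 09:00:00 2017 Info: MID 136100001 Forged Email Detection on the From: header with score of 30, against the dictionary entry John Simons
"""

# Score line written by the FED condition itself (wording as quoted in the thread).
FED_SCORE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) Info: MID (?P<mid>\d+) "
    r"Forged Email Detection on the From: header with score of (?P<score>\d+), "
    r"against the dictionary entry (?P<entry>.+?)\s*$"
)

# Custom Log Entry line from a content-filter log action; the "Sender: ... - From: ..."
# layout is an assumption taken from the lines posted above.
CUSTOM_RE = re.compile(
    r"^(?P<ts>.+?) Info: MID (?P<mid>\d+) Custom Log Entry: Forged Email Detection - "
    r"Sender: (?P<sender>\S+) - From: (?P<frm>.+?)\s*$"
)


def parse_fed_events(log_text):
    """Return {mid: event}, merging the score line and the custom log line for each MID."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = FED_SCORE_RE.match(line)
        if m:
            events[m["mid"]].update(
                timestamp=m["ts"], score=int(m["score"]), entry=m["entry"]
            )
            continue
        m = CUSTOM_RE.match(line)
        if m:
            events[m["mid"]].update(sender=m["sender"], from_header=m["frm"])
    return dict(events)


def triggered(events, threshold=70):
    """Events whose score is >= threshold, i.e. the messages the FED action would fire on."""
    return {mid: ev for mid, ev in events.items() if ev.get("score", 0) >= threshold}


def hits_by_entry(events, threshold=70):
    """Count triggering messages per dictionary entry.

    An entry with many hits at high scores for unrelated senders (the 'Paul Thomas'
    case above) is a candidate for review or removal from the dictionary.
    """
    counts = defaultdict(int)
    for ev in triggered(events, threshold).values():
        counts[ev["entry"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_fed_events(SAMPLE_MAIL_LOG)
    for thr in (70, 90):
        print(f"threshold {thr}: {len(triggered(evs, thr))} of {len(evs)} messages would trigger")
    for mid, ev in sorted(triggered(evs).items()):
        print(mid, ev["score"], ev["entry"], ev.get("sender", "(no custom log line)"))
    print(hits_by_entry(evs))
```

Run it against a concatenation of mail_logs pulled from each ESA; comparing the counts at the current threshold and at a candidate value shows how many of the existing hits a change would add or drop, which is the question the thread opens with.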

Mohit Soni
Can you please clarify your statement "During this process, depending on the similarity, the appliance assigns similarity score to each of the users in the dictionary."

What formula is the appliance using to assign users a Similarity Score in the dictionary?
Please advise.
Thank you.

Ignore that last.  I didn't realize you were in the thread... 

I think it's doing something similar to what we proposed earlier... I don't think we'll get a completely straight answer.  I do know that we had some get through when the From: field looked like this:

John Smith <John.Smith@company.com> 

With "John Smith" in the dictionary.... 

They changed how that matching works in 11.0... it just keys on the name not the email address, or the name part if all they get is an email address. (Check the 11.x release notes)


Thanks Ken!  Reviewing the 11.xx release notes was helpful.