Filter by reply-to

daniel larsen
Level 1

Hello,

Has anyone had any luck with filtering by Reply-To addresses? I have some legit emails from bulk mail senders mixed in with obvious spam and wanted to see if anyone had done this. I checked the manual; it mentions it, but not in the context of what I am trying to do. AsyncOS version 8.5.6. Thanks!

2 Accepted Solutions (the replies from Bob Fayne and Mathew Huynh)


5 Replies

Bob Fayne
Level 1

You can also filter on a Reply-To with content filters, just use the "Other Header" condition and specify Reply-To as the Header Name.

 

As for effectiveness, I think you'll find that Reply-To is not that great to filter on unless there are some specific strings that you want to look for. There are a lot of legit reasons for a Reply-To header to exist so filtering on just the fact that it is there will drive up your false positive rate.

 

daniel larsen
Level 1

Thanks for the information. I was looking to whitelist certain emails from a vendor that uses a common bulk mail service that has a poor reputation. I'll take a look at it and get back to you.

Mathew Huynh
Cisco Employee

Hello Daniel,

For 'whitelisting' senders who have a poor reputation, this needs to be done at the SMTP connection level; otherwise reputation will block the connection before it reaches the filters/policies.

So this would be done in GUI > Mail Policies > HAT Overview.

If your WHITELIST bypasses SBRS scanning (by default it may even bypass spam scanning) and you want to keep spam scanning, I suggest the following:

Create a new sender group.

Name it something meaningful to you.

Order it "Above BLACKLIST"; the number will vary with the number of sender groups you have.

Policy to use -> ACCEPTED

Leave the rest blank and click on "Add Senders".

Here, remember not to use domain names; there is a common misconception here.

As the HAT Overview works at the SMTP connection level, you'll need to add the SMTP server hostname or IP that you would like to allow through the ESA to avoid reputation blocking.

Regards,

Matthew
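Mathew's point that the HAT matches the connecting SMTP host rather than the sender's domain raises the practical question of which addresses go into the new sender group. The following is an added example, not code from this thread or from Cisco: it expands a vendor domain's SPF record (assumed to be published, as bulk mailers normally do) into the ip4:/ip6: networks a sender-group entry would need, follows include: and redirect=, and reports a/mx/ptr/exists mechanisms that still need their own DNS queries rather than guessing them. All DNS data, domain names and networks below are constructed for the example; the dict-backed resolver stands in for a real TXT lookup.

```python
"""Added example (not from the thread or from Cisco): expand a vendor's SPF
record into the networks a HAT sender group would need, since the HAT matches
on the connecting SMTP host rather than on the sender's domain. All DNS data
below is constructed; the domains and networks are invented for the example."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for TXT lookups. A real run would query DNS instead.
FAKE_TXT: Dict[str, str] = {
    "vendor.example": "v=spf1 include:spf.bulkmailer.example -all",
    "spf.bulkmailer.example": (
        "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 "
        "include:_spf2.bulkmailer.example ~all"
    ),
    "_spf2.bulkmailer.example": "v=spf1 ip6:2001:db8:beef::/48 mx -all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referencing include
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms


def dict_resolver(name: str) -> Optional[str]:
    """Return the SPF TXT record for a name, or None (constructed data)."""
    return FAKE_TXT.get(name.lower())


def spf_networks(domain: str,
                 resolve: Callable[[str], Optional[str]]
                 ) -> Tuple[List[str], List[str]]:
    """Return (networks, unresolved) for domain.

    networks:   CIDR strings from ip4:/ip6: terms, following include: and
                redirect=, merged where adjacent.
    unresolved: terms whose hosts need separate DNS queries (a, mx, ptr,
                exists), plus anything that hit the lookup limit or had no
                SPF record. They are reported, not guessed, so nothing is
                silently missing from the sender group.
    """
    nets = []
    unresolved: List[str] = []
    seen = set()
    lookups = 0

    def spend_lookup(label: str) -> bool:
        nonlocal lookups
        lookups += 1
        if lookups > MAX_LOOKUPS:
            unresolved.append("lookup-limit:" + label)
            return False
        return True

    def walk(name: str) -> None:
        name = name.lower()
        if name in seen:            # include/redirect loop guard
            return
        seen.add(name)
        if not spend_lookup(name):
            return
        record = resolve(name)
        if not record or not record.lower().startswith("v=spf1"):
            unresolved.append("no-spf:" + name)
            return
        for term in record.split()[1:]:
            qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
            if qualifier != "+":
                continue            # -all, ~all, ?x, -ip4:... authorise nothing
            if body.startswith(("ip4:", "ip6:")):
                nets.append(ipaddress.ip_network(body.split(":", 1)[1], strict=False))
            elif body.startswith("include:"):
                walk(body.split(":", 1)[1])
            elif body.startswith("redirect="):
                walk(body.split("=", 1)[1])
            elif body == "all":
                continue
            elif spend_lookup(body + "@" + name):
                unresolved.append(body + "@" + name)   # a, mx, ptr, exists

    walk(domain)
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return [str(n) for n in merged], unresolved


if __name__ == "__main__":
    nets, todo = spf_networks("vendor.example", dict_resolver)
    print("HAT sender group entries:", *nets, sep="\n  ")
    print("needs manual lookup:", *todo, sep="\n  ")
```

The returned CIDR strings can be pasted into the sender group's "Add Senders" dialog, which takes CIDR blocks as well as single IPs and hostnames. One caveat follows directly from Mathew's advice to keep spam scanning on: these networks belong to the bulk-mail service, not to the vendor, so every other customer of that service, including the tenants whose traffic gave it a poor reputation, gets the same reputation bypass. That is why the new group should use a mail flow policy that still runs anti-spam rather than the stock WHITELIST, and why the list should be regenerated periodically as the service's SPF record changes.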

Mathew Huynh
Cisco Employee

Hey Daniel,

 

Could you let us know what you're planning to filter on in the 'Reply-To' headers within emails?

Some mail servers add a 'Reply-To' header and some do not, so you may not always be able to filter on the header.

But if you wanted to remove the Reply-To header completely, or change it to a different Reply-To, then you can do so using filters.

Attached is an example of myself stripping the Reply-To header and replacing it with a different Reply-To header.

I then did a manual injection to replicate this as well, for the case where a Reply-To header is inserted by the mail server on transmission.

Key point to note: the Reply-To header can be spoofed, so to action ALL Reply-To headers it may be best to use a rule along the lines of "if Reply-To header exists, strip and edit"; but in my case I wanted to provide a distinctive match.

 


ReplyToHeader:
if (Header('Reply-To') == "matt@lee.com")
{
    strip-header("Reply-To");
    insert-header("Reply-To", "masked");
}
.


C370.lab> telnet 1.1.1.1 25

Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
220 370inbound.lab ESMTP
EHLO test.com
250-370inbound.lab
250-8BITMIME
250 SIZE 209715200
mail from:<matt@lee.com>
250 sender <matt@lee.com> ok
rcpt to:<matt@lab.com>
250 recipient <matt@lab.com> ok
data
354 go ahead
From: Matt@lee.com
To: Mathuynh@cisco.com
Reply-To: matt@lee.com
Subject: Test Reply To mask

Test 1
.
250 ok:  Message 384 accepted
^]

 

 

---
Reply-To: <masked@lab.com>
Received: from unknown (HELO test.com) ([1.1.1.1])  by 370inbound.lab
 with ESMTP; 28 Feb 2015 12:35:27 +1100
From: <Matt@lee.com>
To: <Matt@lab.com>
Subject: Test Reply To mask
MIME-Version: 1.0
Content-Type: text/plain
Return-Path: matt@lee.com
---
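Mathew's filter rewrites a Reply-To that matches one address, and his key point is that Reply-To can be spoofed; the usual abuse is a Reply-To that sends replies somewhere other than the From domain. The following is an added example, not code from this thread or from Cisco: it parses a message with the Python standard library, flags a Reply-To whose domain differs from From, and applies the same strip/insert rewrite the post's filter performs. Both sample messages are constructed (the first copies the one Mathew injected by hand over telnet); the masking address is an assumption, since the post's filter inserts the bare word "masked" while its captured output shows <masked@lab.com>.

```python
"""Added example (not from the thread or from Cisco): flag a Reply-To that
diverts replies away from the From domain, and apply the strip/insert rewrite
that the AsyncOS filter in the post performs, using only the standard library.
Both messages are constructed; the masking address is an assumption."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Constructed: the message Mathew injected by hand over telnet in the post.
SAMPLE_OK = """\
From: Matt@lee.com
To: Matt@lab.com
Reply-To: matt@lee.com
Subject: Test Reply To mask

Test 1
"""

# Constructed: the shape Reply-To filtering is usually after, an internal-looking
# From with replies diverted to an outside mailbox.
SAMPLE_DIVERTED = """\
From: "Accounts" <accounts@lab.com>
To: finance@lab.com
Reply-To: accounts.lab.com@example.net
Subject: updated bank details

Please use the new account from now on.
"""


def parse(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message with the modern email policy."""
    return message_from_string(raw, policy=default)


def addr_of(msg: EmailMessage, name: str) -> str:
    """Lower-cased addr-spec of a header ('' if the header is absent)."""
    value = msg.get(name)
    return parseaddr(str(value))[1].lower() if value else ""


def reply_to_mismatch(msg: EmailMessage) -> bool:
    """True when Reply-To is present and its domain differs from From's.

    A missing Reply-To is not a mismatch: replies go to From (RFC 5322 3.6.2),
    which is why a rule on mere presence of the header is not useful here.
    """
    sender, reply_to = addr_of(msg, "From"), addr_of(msg, "Reply-To")
    if not reply_to:
        return False
    return sender.rpartition("@")[2] != reply_to.rpartition("@")[2]


def mask_reply_to(msg: EmailMessage, pattern: str, replacement: str) -> bool:
    """Python equivalent of the post's filter body:

        if (Header('Reply-To') == <pattern>)
        { strip-header("Reply-To"); insert-header("Reply-To", <replacement>); }

    AsyncOS compares header rules against a regular expression, so re.search
    is used here as well. Returns True if the header was rewritten.
    """
    current = msg.get("Reply-To")
    if current is None or not re.search(pattern, str(current)):
        return False
    del msg["Reply-To"]            # strip-header: drops every Reply-To instance
    msg["Reply-To"] = replacement  # insert-header: adds exactly one
    return True


def apply_post_filter(raw: str) -> str:
    """Run the post's rule on a raw message and return the resulting Reply-To.

    The pattern is anchored and the dot escaped; the post's unanchored
    "matt@lee.com" would also match e.g. notmatt@lee.com.au. The replacement
    address is assumed from the post's captured output (<masked@lab.com>).
    """
    msg = parse(raw)
    mask_reply_to(msg, r"^matt@lee\.com$", "masked@lab.com")
    return addr_of(msg, "Reply-To")


if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_OK), ("diverted", SAMPLE_DIVERTED)):
        print(f"{label}: mismatch={reply_to_mismatch(parse(raw))} "
              f"Reply-To after filter={apply_post_filter(raw)!r}")
```

The mismatch check is a signal rather than a verdict: mailing-list, CRM and ticketing senders legitimately set a third-party Reply-To, which is the false-positive problem Bob describes, so in practice it is combined with a From domain you own and a Reply-To domain you do not. The same anchoring caveat applies to the ESA filter itself: as AsyncOS documents the `==` header comparison as a regular-expression match, an unanchored pattern with an unescaped dot matches more than the one address it reads as.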

daniel larsen
Level 1

That's pretty neat, sir. I will keep this in mind. Thanks!
