02-27-2015 09:15 AM
Hello,
Has anyone had any luck with filtering by reply-to addresses? I have some legit emails from bulk mail senders mixed in with obvious spam and wanted to see if anyone had done this. I checked out the manual; it mentions it, but not in the context of what I am trying today. AsyncOS version 8.5.6. Thanks!
03-02-2015 08:22 AM
You can also filter on a Reply-To with content filters, just use the "Other Header" condition and specify Reply-To as the Header Name.
As for effectiveness, I think you'll find that Reply-To is not that great to filter on unless there are some specific strings that you want to look for. There are a lot of legit reasons for a Reply-To header to exist so filtering on just the fact that it is there will drive up your false positive rate.
03-03-2015 01:50 PM
Hey Daniel,
Could you let us know what you're planning to filter with on the 'reply-to' headers within Emails?
Some mail servers do not always add a 'Reply-To' header and some will. So you may not always be able to filter the header.
But if you wanted to remove the Reply-To header completely or change it to a different Reply-To then you can do so using filters.
Attached is an example of myself stripping the Reply-To header and replacing it with a different Reply-To header.
I then did a manual injection to replicate as well the instance where a Reply-To header is inserted by the mail server on transmission.
Key point to note: the Reply-To header can be spoofed, so to action ALL Reply-To headers it may be best to use a rule like "if Reply-To header exists, strip and edit", but in my case I wanted to provide a distinctive match.
ReplyToHeader:
if (Header('Reply-To')=="matt@lee.com")
{
strip-header("Reply-To");
insert-header("Reply-To","masked");
}
.
C370.lab> telnet 1.1.1.1 25
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
220 370inbound.lab ESMTP
EHLO test.com
250-370inbound.lab
250-8BITMIME
250 SIZE 209715200
mail from:<matt@lee.com>
250 sender <matt@lee.com> ok
rcpt to:<matt@lab.com>
250 recipient <matt@lab.com> ok
data
354 go ahead
From: Matt@lee.com
To: Mathuynh@cisco.com
Reply-To: matt@lee.com
Subject: Test Reply To mask
Test 1
.
250 ok: Message 384 accepted
^]
---
Reply-To: <masked@lab.com>
Received: from unknown (HELO test.com) ([1.1.1.1]) by 370inbound.lab
with ESMTP; 28 Feb 2015 12:35:27 +1100
From: <Matt@lee.com>
To: <Matt@lab.com>
Subject: Test Reply To mask
MIME-Version: 1.0
Content-Type: text/plain
Return-Path: matt@lee.com
---
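Added example, not part of the thread: a Python equivalent of the ReplyToHeader filter above, run over a constructed copy of the injected test message and a constructed legitimate bulk mailing. It shows why a rule keyed on a distinctive Reply-To value touches only the intended mail, while a rule keyed on the header merely existing fires on the legit mailing too (the false-positive point raised in the accepted answer). The match is an exact string comparison after trimming whitespace, an assumption of this example rather than the ESA's own header-rule semantics.

```python
import email
from email import policy

# Constructed sample messages. The first mirrors the DATA section of the
# telnet injection in the post; the second is a legit bulk mailing whose
# Reply-To simply points at a different mailbox of the same sender.
SPOOF_LIKE = (
    "From: Matt@lee.com\r\n"
    "To: Mathuynh@cisco.com\r\n"
    "Reply-To: matt@lee.com\r\n"
    "Subject: Test Reply To mask\r\n"
    "\r\n"
    "Test 1\r\n"
)
LEGIT_BULK = (
    "From: news@vendor.example\r\n"
    "To: matt@lab.com\r\n"
    "Reply-To: support@vendor.example\r\n"
    "Subject: March newsletter\r\n"
    "\r\n"
    "Hello\r\n"
)


def get_reply_to(raw: str):
    """Return the Reply-To value as a plain string, or None if absent."""
    msg = email.message_from_string(raw, policy=policy.default)
    hdr = msg["Reply-To"]
    return None if hdr is None else str(hdr).strip()


def reply_to_exists(raw: str) -> bool:
    """The presence-only rule the thread warns about: true for legit bulk mail too."""
    return get_reply_to(raw) is not None


def mask_reply_to(raw: str, match: str, replacement: str) -> str:
    """Equivalent of the ReplyToHeader filter: when Reply-To equals `match`,
    strip the header and insert `replacement`; otherwise return the message unchanged."""
    current = get_reply_to(raw)
    if current is None or current != match:
        return raw
    msg = email.message_from_string(raw, policy=policy.default)
    del msg["Reply-To"]            # strip-header("Reply-To")
    msg["Reply-To"] = replacement  # insert-header("Reply-To", ...)
    return msg.as_string()
```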
03-03-2015 01:48 PM
Thanks for the information, I was looking to whitelist certain emails from a vendor that uses a common bulk mail service that has a poor reputation. I'll take a look at it and get back you.
03-03-2015 04:54 PM
Hello Daniel,
For 'whitelisting' senders who have a poor reputation, this needs to be done at the SMTP connection level; otherwise reputation will block it before it hits the filters/policies.
So this would be done in GUI > Mail Policies > HAT overview.
If your WHITELIST avoids SBRS scanning (by default it may even bypass spam scanning) and you want to allow spam scanning, I suggest:
Create a new sendergroup
Name it something meaningful to you
Order it "Above BLACKLIST"; the number will vary depending on how many sender groups you have.
Policy to use -> Accepted
Leave the rest blank and click on "add senders"
Here, remember not to use domain names; there is a common misconception here.
As the HAT overview works at the SMTP connection level, you'll need to add the SMTP server hostname or IP that you would like to allow through the ESA to avoid reputation blocking.
Regards,
Matthew
03-03-2015 01:50 PM
That's pretty neat sir, I will keep this in mind. Thanks!