02-05-2018 10:37 PM - edited 03-08-2019 07:32 PM
Hello,
Some of my users received a phishing email, the email looks like below.
From: my-domain.com <admin@bad-domain.com>
Is there a way that we can filter the "From: my-domain.com" in the Content Filter?
Thanks.
02-05-2018 10:44 PM
You can certainly use the "Other Header" condition available under content filter.
Header Name: From
Condition: Contains
Value: my-domain.com
If you would like to look at only the start of the header the value can be preceded with "^" which signifies begins with in regex terms.
^my-domain.com = begins with my-domain.com
Using just my-domain.com essentially looks for this value anywhere in the From header value.
Regards,
Libin Varghese
02-06-2018 12:37 AM
Hi,
- make a new Dictionary with your company-domains inside (match whole words).
- make a new Incoming Content Filter like "detect from spoof"
- Condition: Other Header, Header Name: From, Header value contains term in content dictionary -> your new Dictionary (with domains)
- second condition: Envelope Recipient: Contains term in content dictionary -> your new Dictionary (with domains)
- IMPORTANT: Conditions -> Apply rules "Only if ALL conditions match"
- make a new Action: to suit your needs... I would mark them as spam in the first step to test the rules for false positives.
I suggest making a second Content Filter for mails spoofed in both the "From" and SMTP-Sender fields, like:
From: my-domain.com <admin@my-domain.com>
You will get these nasty spoofs too.
Same actions as above but additional:
- make a third condition: Envelope Sender: Contains term in content dictionary -> your new Dictionary (with domains)
- don't forget: Conditions -> Apply rules "Only if ALL conditions match"
Regards.
Andreas Schreiber
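The two filters described in this thread, sketched in Python over constructed messages. This is an added example, not ESA configuration and not code from either poster; `evaluate`, `term_regex` and all sample addresses are hypothetical, and the whole-word regex only approximates the dictionary match.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for the dictionary of company domains.
COMPANY_DOMAINS = ["my-domain.com"]

def term_regex(domains):
    # Approximation of a whole-word dictionary match (assumption): the domain
    # must not sit inside a longer label such as "notmy-domain.com".
    alts = "|".join(re.escape(d) for d in domains)
    return re.compile(r"(?<![A-Za-z0-9-])(?:%s)(?![A-Za-z0-9-])" % alts, re.I)

def evaluate(from_header, env_sender, env_rcpt, domains=COMPANY_DOMAINS):
    term = term_regex(domains)
    # Split the From header into display name and address to see where
    # the company domain actually appears.
    display, addr = parseaddr(from_header)
    in_display = bool(term.search(display))
    in_addr = bool(term.search(addr))
    from_hit = bool(term.search(from_header))
    rcpt_hit = bool(term.search(env_rcpt))
    sender_hit = bool(term.search(env_sender))
    return {
        # Filter 1: From header AND envelope recipient (ALL conditions).
        "filter1": from_hit and rcpt_hit,
        # Filter 2: the same two conditions plus the envelope sender.
        "filter2": from_hit and rcpt_hit and sender_hit,
        # Domain only in the display name, real address elsewhere.
        "display_only": in_display and not in_addr,
    }

# Constructed messages: (From header, envelope sender, envelope recipient).
SAMPLES = {
    "display_name_spoof": ("my-domain.com <admin@bad-domain.com>",
                           "admin@bad-domain.com", "user@my-domain.com"),
    "full_spoof": ("my-domain.com <admin@my-domain.com>",
                   "admin@my-domain.com", "user@my-domain.com"),
    "vendor_mentions_domain": ('"my-domain.com Helpdesk" <it@vendor.example>',
                               "it@vendor.example", "user@my-domain.com"),
    "unrelated": ("Alice <alice@example.org>",
                  "alice@example.org", "user@my-domain.com"),
    "embedded_label": ("notmy-domain.com <x@example.org>",
                       "x@example.org", "user@my-domain.com"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(*msg))
```

The `vendor_mentions_domain` sample matches the first filter exactly as the spoof does, which is the kind of hit a test phase with a mark-as-spam action would surface.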