
Filter From Header

rab ngl
Level 1

Hello,

 

Some of my users received a phishing email, the email looks like below.

 

From: my-domain.com <admin@bad-domain.com>

 

Is there a way that we can filter the "From: my-domain.com" in the Content Filter?

 

Thanks.

2 Replies

Libin Varghese
Cisco Employee

You can certainly use the "Other Header" condition available under content filter.

 

Header Name: From

Condition: Contains

Value: my-domain.com

 

If you would like to look at only the start of the header, the value can be preceded with "^", which signifies "begins with" in regex terms.

 

^my-domain.com = begins with my-domain.com

Using just my-domain.com essentially looks for this value anywhere in the From header value.

 

Regards,

Libin Varghese

Hi,

 

- make a new Dictionary with your company-domains inside (match whole words).

- make a new Incoming Content Filter like "detect from spoof"

- Condition: Other Header, Header Name: From, Header value contains term in content directory -> your new Dictionary (with domains)

- second condition: Envelope Recipient: Contains term in content dictionary -> your new Dictionary (with domains)

- IMPORTANT: Conditions -> Apply rules "Only if ALL conditions match"

- make a new Action: to suit your needs... I would mark them as spam in the first step to test the rules for false positives.

 

I suggest making a second Content Filter for spoofed mails in the "From" and SMTP-Sender fields, like:

From: my-domain.com <admin@my-domain.com>

You will get these nasty spoofs too.

 

Same actions as above but additional:

- make a third condition: Envelope Sender: Contains term in content dictionary -> your new Dictionary (with domains)

- don't forget: Conditions -> Apply rules "Only if ALL conditions match"

 

Regards.

Andreas Schreiber
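
The two-filter logic described in this thread, modelled offline as an added Python example (it is not from any of the posters and is not the appliance's own filter engine). The filter name `detect_from_and_sender_spoof`, the whole-word regex approximation and all sample messages are assumptions constructed for illustration; it shows which messages each filter would flag, including a legitimate one that becomes a false positive.

```python
import re

# Assumption: stands in for the content dictionary of company domains.
OWN_DOMAINS = ["my-domain.com"]
# Approximation of "match whole words": the term must not be glued to
# other word characters or hyphens (so notmy-domain.com does not match).
TERM = re.compile(
    r"(?<![\w-])(?:%s)(?![\w-])" % "|".join(map(re.escape, OWN_DOMAINS)), re.I
)

def contains_term(value):
    """'Contains term in content dictionary' for one header/envelope value."""
    return TERM.search(value) is not None

def matching_filters(from_header, envelope_sender, envelope_rcpt):
    """Return the filters whose conditions ALL match for an inbound message."""
    hits = []
    # Filter 1: From header AND envelope recipient both contain an own domain.
    if contains_term(from_header) and contains_term(envelope_rcpt):
        hits.append("detect_from_spoof")
        # Filter 2: same, plus the envelope sender also claims an own domain.
        if contains_term(envelope_sender):
            hits.append("detect_from_and_sender_spoof")
    return hits

# Constructed sample messages: (From header, envelope sender, envelope recipient)
SAMPLES = {
    "display-name spoof": ("my-domain.com <admin@bad-domain.com>",
                           "admin@bad-domain.com", "user@my-domain.com"),
    "full spoof": ("my-domain.com <admin@my-domain.com>",
                   "admin@my-domain.com", "user@my-domain.com"),
    "normal external mail": ("Alice <alice@partner.example>",
                             "alice@partner.example", "user@my-domain.com"),
    # Legitimate third-party service sending on the company's behalf:
    # flagged by filter 1, which is why testing for false positives matters.
    "hosted service": ("Helpdesk <helpdesk@my-domain.com>",
                       "bounce@mailer.example", "user@my-domain.com"),
    "lookalike domain": ("IT <it@notmy-domain.com>",
                         "it@notmy-domain.com", "user@my-domain.com"),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:22} -> {matching_filters(*msg) or 'pass'}")
```
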