Forged Email Detection Question

Jessica Cochran
Level 1

We have a Dictionary set up with all of our Executives on it to protect us from receiving emails from people pretending to be our executives, and this works great. I was wondering if it would be possible to do something like this with all users in our GAL? We sync with LDAP, but I haven't been able to figure out a way to create a rule with this information. Is it possible?

 

Right now the Executives are added to a Dictionary and then associated with an Incoming Content Filter.

 

Any advice would be greatly appreciated.


Thank you
Jessie

1 Accepted Solution

So I proposed this when I was in a beta.

I think there's a feature that does this coming, but I can't speak to when...

Other than adding your users to the dictionary, there isn't really a way to do this.

I have a query built against our intranet that I use to populate the dictionary. I grab HR, IT, Accounting and directors and above...

6 Replies

marc.luescherFRE
Spotlight

How many users would you have in your GAL?

This defines your options.

We have approximately 3500 Email Users.

My thought was maybe I should at least add Director or Manager and above to a dictionary.

Just wanted to be sure I wasn't missing something obvious.

You did all right

svgeorgi
Cisco Employee

The idea of FED is to protect employees from spoofed high-level persons in the same organization; those are people with authority who are authorized to give orders out, including financial ones. So FED compares the username part of the email address for similarity with records defined in a dictionary. When you put too many names in that dictionary, though, you'll most likely start receiving false positives and will have many high-level people frustrated.

That's the reason why it is not a good strategy to use FED for a big group of people.

Instead, an anti-spoofing message filter can be configured (if it's not yet) to do something else: to compare the envelope sender and the From header, and most specifically the domain part of them, with a dictionary in which your own domains are defined. If such an email is not coming from your internal mail server, such "spoofed" emails should be dropped in general.

Another thing that can be done is to configure a filter which will check if the messages are coming from authorized servers (SPF check) or if they are signed properly (DKIM) by their senders.
