We have a Dictionary set up with all of our Executives on it to protect us from receiving emails from people pretending to be our executives, and this works great. I was wondering if it would be possible to do something like this with all users in our GAL? We sync with LDAP, but I haven't been able to figure out a way to create a rule with this information. Is it possible?
Right now the Executives are added to a Dictionary and then associated with an Incoming Content Filter.
Any advice would be greatly appreciated.
My thought was maybe I should at least add Director or Manager and above to a dictionary.
Just wanted to be sure I wasn't missing something obvious.
The idea of FED is to protect employees from spoofed high-level persons in the same organization - those are people with authority who are authorized to give orders out, including financial ones. So FED is comparing the username part of the email address for similarity with records defined in a dictionary. When you put too many names in that dictionary, though, you'll most likely start receiving false positives, and will have many high-level people frustrated.
That's the reason why it is not a good strategy to use FED for a big group of people.
Instead, an anti-spoofing message filter can be (if it's not yet) configured to do something else - to compare the envelope sender and the From header, and most specifically the domain part of them, with a dictionary in which your own domains are defined. If such email is not coming from your internal mail server, such "spoofed" emails should be dropped in general.
Another thing that can be done is to configure a filter which will check if the messages are coming from authorized servers (SPF check) or if they are signed properly (DKIM) by their senders.
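The domain comparison described in the answer above, sketched as an added Python example (not from the thread, and not Cisco message filter syntax). `OWN_DOMAINS`, `INTERNAL_RELAYS` and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumed, constructed values: replace with your own domains and mail servers.
OWN_DOMAINS = {"example.com"}
INTERNAL_RELAYS = [ip_network("10.0.0.0/8")]


def domain_of(value):
    """Lower-cased domain of an address or From header; '' if there is none."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def is_own(domain):
    """Exact or subdomain match only, so example.com.evil.test does not count."""
    return any(domain == d or domain.endswith("." + d) for d in OWN_DOMAINS)


def verdict(remote_ip, mail_from, raw_message):
    """Drop mail that claims one of our domains but arrives from outside."""
    from_header = message_from_string(raw_message).get("From")
    claims_own = is_own(domain_of(mail_from)) or is_own(domain_of(from_header))
    internal = any(ip_address(remote_ip) in net for net in INTERNAL_RELAYS)
    return "drop" if claims_own and not internal else "deliver"


# Constructed samples: (connecting IP, envelope sender, message)
SAMPLES = [
    ("203.0.113.7", "bounce@evil.test",
     'From: "Alice CFO" <alice@example.com>\nSubject: wire\n\nhi'),
    ("10.1.2.3", "alice@example.com",
     "From: alice@example.com\nSubject: notes\n\nhi"),
    ("203.0.113.7", "news@vendor.test",
     "From: News <news@vendor.test>\nSubject: update\n\nhi"),
    ("203.0.113.7", "it@example.com.evil.test",
     "From: IT <it@example.com.evil.test>\nSubject: reset\n\nhi"),
]

if __name__ == "__main__":
    for ip, mail_from, raw in SAMPLES:
        print(ip, mail_from, "->", verdict(ip, mail_from, raw))
```

The last sample is delivered because a look-alike domain is not one of your own domains, so this check only covers exact use of your domains. Outside services that legitimately send with your domain would have to be added to the allowed sources, or they are dropped too.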