Cisco Secure Email Support Community

Jessica Cochran
Beginner

Forged Email Detection Question

We have a Dictionary set up with all of our Executives on it to protect us from receiving emails from people pretending to be our executives, and this works great. I was wondering if it would be possible to do something like this with all users in our GAL? We sync with LDAP but I haven't been able to figure out a way to create a rule with this information. Is it possible?

 

Right now the Executives are added to a Dictionary and then associated with an Incoming Content Filter.

 

Any advice would be greatly appreciated


Thank you
Jessie

1 ACCEPTED SOLUTION

Accepted Solutions
Ken Stieers
Engager

So I have proposed this when I was in a beta.

I think there's a feature that does this coming, but I can't speak to when...



Other than adding your users to the dictionary, there isn't really a way to do this.

I have a query built against our intranet that I use to populate the dictionary. I grab HR, IT, Accounting and directors and above...





6 REPLIES 6
marc.luescherFRE
Enthusiast

How many users would you have in your GAL?

This defines your options.

We have approximately 3500 Email Users. 


My thought was maybe I should at least add Director or Manager and above to a dictionary. 

Just wanted to be sure I wasn't missing something obvious  

You did all right

svgeorgi
Cisco Employee

The idea of FED is to protect employees from spoofed high-level persons in the same organization - those are people with authority and are authorized to give orders out, including financial ones. So FED is comparing the username part of the email address for similarity with records defined in a dictionary. When you put too many names in that dictionary though, you'll most likely start receiving false positives, and will have many high-level people frustrated.

That's the reason why it is not a good strategy to use FED for a big group of people.

Instead, an anti-spoofing message filter can be (if it's not yet) configured to do something else - to compare the envelope sender and the From header, and most specifically the domain part of them, with a dictionary in which your own domains are defined. If such an email is not coming from your internal mail server, such "spoofed" emails should be dropped in general.

Another thing that can be done is to configure a filter which will check if the messages are coming from authorized servers (SPF check) or if they are signed properly (DKIM) by their senders.
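
The envelope-sender and From-header domain check described in the reply above, sketched in Python as an added example; it is not part of the original thread and is not AsyncOS filter syntax. The domains, relay network, sample messages and function names are assumptions constructed for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed values (assumptions): your own domains and the networks your
# internal mail servers connect from. 192.0.2.0/24 is a documentation range.
OWN_DOMAINS = {"example.com", "mail.example.com"}
INTERNAL_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]


def domain_of(address):
    """Lower-cased domain part of an address ('' for the null sender <>)."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def verdict(remote_ip, envelope_sender, raw_message):
    """Return ('drop', fields) when an outside host claims one of our domains."""
    msg = message_from_string(raw_message)
    claimed = {
        "envelope": domain_of(envelope_sender),
        "from": domain_of(msg.get("From", "")),
    }
    own_fields = sorted(f for f, d in claimed.items() if d in OWN_DOMAINS)
    ip = ipaddress.ip_address(remote_ip)
    internal = any(ip in net for net in INTERNAL_RELAYS)
    if own_fields and not internal:
        return ("drop", own_fields)
    return ("deliver", [])


# Constructed sample messages: (connecting IP, envelope sender, raw message).
SAMPLES = [
    ("203.0.113.7", "<billing@example.net>",
     "From: CFO <cfo@example.com>\nSubject: Wire today\n\nPlease pay.\n"),
    ("192.0.2.25", "<cfo@example.com>",
     "From: CFO <cfo@example.com>\nSubject: Q3 numbers\n\nAttached.\n"),
    ("203.0.113.7", "<news@example.net>",
     "From: News <news@example.net>\nSubject: Weekly\n\nHello.\n"),
]

if __name__ == "__main__":
    for ip, mail_from, raw in SAMPLES:
        print(ip, mail_from, verdict(ip, mail_from, raw))
```

Outside services that legitimately send mail as your domain would be dropped by this rule unless their sending hosts are included among the allowed sources.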
