Hi Imtiaz,

rockbd · ‎12-10-2016

Dear Sir

I am a new in ironport. so my question might be silly. still i like to ask. My query is can i make some rules to block those mail which is not have a mail id in my mail server. e.g. i don't have office@mydomain.com but my user are getting mail from that id. Is this spoofed mail? I just need to block this type of mail.

Waiting for your suggestion.

imtiaz

Jernej Vodopivec · ‎12-10-2016

Hi Imtiaz,

as I understand you're getting email messages with spoofed email sender - sender's email address forged as it'd be one of your own email address.

You can do the following:

- block emails containing @yourdomain.com as sender's email address on public listener (if you have public & private listener) or create message filter that'll block such messages when smtp host is not one from relay hosts defined for outgoing messages

- implement SPF/DKIM and block/quarantine messages that fails validation

rockbd · ‎12-11-2016

Dear Jerney

Thanks for the reply.

Can you please tell me in detail how to block/quarantine spoofed by using SPF/DKIM as my ironport have SPF/DKIM.

Imtiaz

Jernej Vodopivec · ‎12-11-2016

Hi Imtiaz,

please find the following document that'll walk you through DKIM/SPF implementation: www.cisco.com/c/dam/en/us/products/collateral/security/esa-spf-dkim-dmarc.pdf

Because enabling SPF/DKIM verification globally it can impact other (legitimate) emails also. Maybe you should implement it for your domain only by adding another condition: "mail from" ends with "your-domain.com".

Forged email detection Dennis mentioned is great feature introduced in AsyncOS 10. It's focused more on detecting cousin domains and forged email senders by using your company person's names together with some XY domain name. This feature can detect forget emails that pass DKIM/SPF validation. Great complementary feature.

Regarding message filters Dennis and I already mentioned. You can achieve similar result by using content filters. Please look at attached screenshot how to do it. Don't forget to activate this filter in incoming email policy.

rockbd · ‎12-11-2016

I can check about the content filters.. but confused about the policy .. should i type remote-ip!=1.2.3.4 and mail-from=="mydomain.com$"

Regarding the action which should be notify maid id it should be mail server address?

Thanks in advance.

Imtiaz.

Jernej Vodopivec · ‎12-11-2016

Hi Imtiaz,

the point is to detect & prevent emails that contain your domain name in sender address (From) and at the same time such emails haven't been sent from trusted network/hosts (outgoing mails).

So IP address must be different than IP addresses of allowed relay hosts - hosts that are permitted to send outgoing emails through ESA.

So when creating content filter replace 1.2.3.4 with IP addresses of your approved relay hosts. And replace domain name mydomain.com with domain name you're using.

You can create custom action for emails matching these criteria: drop email, quarantine email, notify email administrator/you etc. Whatever it fits you best.

If you don't use ESA to relay outgoing emails then it's even simpler to create content filter: just detect email containing your domain name in From (sender) and block those messages.

If you're using some service outside of your network to generate and send emails on behalf of your domain (marketing messages for example) you should create exception similar to relay hosts.

dmccabej · ‎12-10-2016

Hello,

The Email Security Appliance (ESA) has many different ways to go about assisting in blocking spoofed messages. Spoofed email would be for instance when you open up your mail client and the 'friendly' From address shows your own domain, but when you go to reply to that email it reveals the true reply-to/mail-from address of the malicious source.

My typical recommendation to combat spoofed email would be to setup a message filter. What this will do is reject/quarantine any email incoming to your appliance that is not on your WHITELIST (your trusted senders) and/or RELAYLIST (your internal SMTP relays).

An example might look like this and can be modified as needed :

+++

ANTI-SPOOF:
if (sendergroup != "RELAYLIST") AND (sendergroup != "WHITELIST")
{
if ((header("From") == "(?i)@example\\.com") OR (mail-from == "(?i)@example\\.com"))
{
log-entry("*** ANTI-SPOOF FILTER ***");
quarantine("Policy");
}
}
.

+++

(If the matching Sender Group does NOT equal RELAYLIST and does NOT equal WHITELIST, and if the From header or the Mail-From header equals your domain, then add the log entry and quarantine the email)

+++

Additional info and options :

1) Quarantine Spoofed Email Messages on ESA

2) ESA Spoofed Mail Filtering

3) Forged Email Detection (available after ASyncOS 10.x)

Thanks!

-Dennis M.

rockbd · ‎12-11-2016

Dear Dennis

Thanks for the reply.. you gave me a lot of solution but as i am new in ironport so can't do a lot of things like you have asked. I am very uncomfortable to run script so can you tell me any other way to solved the spoofed mail problem.

I like to add here it is hard to quarantine Spoofed mail via dictionary as i don't know all the IP where from i got the spoofed mail.

also can't find forged email detection like active

Is there any other easy way to block spoofed mail which can be done by my like dumb guy.

Imtiaz

dmccabej · ‎12-11-2016

Hello Imtiaz,

You should be able to follow the steps in the Quarantine Spoofed Email article I posted above, but I'll also add some screenshots below with the same steps.

Once the below is done, you'll want to make sure you have all of your IP address of your internal SMTP servers listed in your RELAYLIST Sender Group and your allowed spoof IP addresses in your WHITELIST Sender Group. Also note, this filter is assuming your RELAYLIST and WHITELIST Sender Group names are exactly the same as shown. If not, it will need to be modified.

If you're still not really clear on the process I would highly recommend opening up a Cisco support ticket. We'll be able to help you implement everything needed and provide guidance along the way.

Hope this helps. :)

Thanks!

-Dennis M.

+++

1) From the GUI --> Mail Policies --> Dictionaries --> Add Dictionary --> Name = VALID_INTERNAL_DOMAINS --> Add terms = mydomain.com --> Submit --> Commit

+++

2) From the CLI --> Filters --> Copy/paste filter below --> Enter --> Enter --> Commit --> Enter --> Enter

Quarantine_Spoofed_Email: if ((mail-from-dictionary-match("VALID_INTERNAL_DOMAINS", 1)) OR
(header-dictionary-match("VALID_INTERNAL_DOMAINS","From", 1))) AND ((sendergroup != "RELAYLIST") AND (sendergroup != "WHITELIST"))
{
log-entry("*** QUARANTINE SPOOF FILTER ***");
quarantine("Policy");
}
.

+++

rockbd · ‎12-11-2016

Thanks.

Done the process .. where i can view the filter which i have done in the CLI.

imtiaz

Jernej Vodopivec · ‎12-12-2016

Hi,

log in via ssh to ESA.

CLI -> filters -> detail -> Quarantine_Spoofed_Email

rockbd · ‎12-12-2016

Thanks Jernej

Yes i can view that in CLI. But is there any way to check that via GUI.

Imtiaz.

Jernej Vodopivec · ‎12-12-2016

No, you can manage message filters only through CLI.

Only content filters are managed through GUI.

dmccabej · ‎12-12-2016

It looks like Jernej had the chance to let you know that the Message Filter can only be managed via the CLI. :)

Hopefully everything is worked as needed for you now.

If you have any other questions just let me know.

Thanks!

-Dennis M.

Got mail which is not a vaild user of my mail server