How I handle Typosquatting Emails

Paul Cardelli
Level 1

Something new I have been running up against are e-mails that typo our domain to get past spoofing checks. So I applied a similar rule to fight this, along with a dictionary, as I would for spoofing.

First step: generate typosquatting domains from your legit domain. There are online services, but not all are legit. I just searched for "Typosquatting Generator." Once you have a list, make any needed formatting changes.

Next, create a Dictionary called "typosquatting." Also be sure "match whole word" is unchecked, and paste all the domains you generated.

Caution: you will want to put a $ after any domains such as yourdomain.co$, which would otherwise also match yourdomain.com.

Next, Create a Quarantine called TYPOSQUATTING.

Commit Changes

SSH to the CLI

Filters

New

Paste the following:

Quarantine_Typosquatting:
 if ((mail-from-dictionary-match("typosquatting", 1)) OR (header-dictionary-match("typosquatting", "From", 1))) {
  quarantine("TYPOSQUATTING");
 }

.

commit changes

Send a test e-mail to see if any of the domains matched. I searched for an online tool, "test_smtp_server".

Review the Quarantine to make sure all is working, and no false positives.

How is everyone else fighting this? I also report typosquatting to the domain registrar's abuse email when I find one, and it usually expedites a takedown.
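The post's workflow is: generate lookalike spellings of your own domain, load them into a dictionary as regex terms, anchor them with `$`, and review the quarantine for false positives. As an added illustration (not code from the post or from Cisco), the Python below models that pipeline offline: a small variant generator, the dictionary entries with and without the `$` anchor, and a check that reports which generated entries would also fire on your own legitimate addresses. The generator, the `yourdomain.com` example domain and the address samples are constructed for the example; the ESA's own dictionary and filter engine are not involved.

```python
import re


def typosquat_variants(domain: str) -> set[str]:
    """Generate common lookalike spellings of a legitimate domain.

    Hypothetical helper covering the classes a person is likely to mistype
    or misread: character omission, adjacent transposition, character
    repetition, a few look-alike substitutions, and TLD slips.
    """
    name, tld = domain.lower().rsplit(".", 1)
    variants: set[str] = set()
    for i in range(len(name)):
        if len(name) > 1:
            variants.add(f"{name[:i]}{name[i + 1:]}.{tld}")            # omission
        variants.add(f"{name[:i + 1]}{name[i]}{name[i + 1:]}.{tld}")    # repetition
    for i in range(len(name) - 1):
        swapped = f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}"
        variants.add(f"{swapped}.{tld}")                                 # transposition
    substitutions = {"o": "0", "l": "1", "i": "1", "e": "3",
                     "a": "4", "s": "5", "m": "rn", "w": "vv"}
    for src, dst in substitutions.items():
        if src in name:
            variants.add(f"{name.replace(src, dst)}.{tld}")             # look-alike glyphs
    for alt_tld in ("co", "cm", "om", "net", "org"):
        if alt_tld != tld:
            variants.add(f"{name}.{alt_tld}")                             # TLD slip
    variants.discard(domain.lower())                                      # never list the real domain
    return variants


def dictionary_entries(variants, anchor: bool = True) -> list[str]:
    """Render variants as regex terms for a dictionary.

    Dots are escaped and, with anchor=True, each term ends in '$' so that
    'yourdomain.co$' cannot match 'yourdomain.com' (the post's caution).
    """
    suffix = "$" if anchor else ""
    return sorted(re.escape(v) + suffix for v in variants)


def matching_entries(entries, sender: str) -> list[str]:
    """Entries that match a sender address with an unanchored regex search,
    the way a dictionary term is searched within an address."""
    return [e for e in entries if re.search(e, sender.lower())]


def false_positive_entries(entries, legit_address: str) -> list[str]:
    """Entries that fire on a legitimate address of your own domain.

    The '$' anchor only fixes the right-hand side: an omission at the start
    of the name (e.g. 'ourdomain.com') is still a suffix of the real domain,
    so these should be dropped or re-anchored before committing.
    """
    return matching_entries(entries, legit_address)


if __name__ == "__main__":
    variants = typosquat_variants("yourdomain.com")       # constructed example domain
    anchored = dictionary_entries(variants)
    loose = dictionary_entries(variants, anchor=False)
    print(f"{len(anchored)} dictionary entries generated")
    print("loose 'co' term hits real domain:",
          "yourdomain\\.co" in matching_entries(loose, "bob@yourdomain.com"))
    print("anchored 'co$' term hits real domain:",
          "yourdomain\\.co$" in matching_entries(anchored, "bob@yourdomain.com"))
    print("entries still matching a legitimate sender:",
          false_positive_entries(anchored, "alice@yourdomain.com"))
```

Running it shows the two points worth checking before committing a dictionary: the unanchored `yourdomain.co` term matches mail from the real domain while the `$`-anchored one does not, and a handful of anchored entries (the leading-character omissions) still match legitimate senders, which is exactly what the quarantine review step in the post is there to catch.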

2 Replies

Mathew Huynh
Cisco Employee

Hello Paul,

I have not encountered this issue so far, nor had many cases on this query.

I believe the URL filtering combined with Anti-Spam on the ESA should assist with forms of protection, as it stores a URL scanning database with both enabled on versions 8.5.7+, and URL filtering will also check the DNS records of the URL in question to see if it resolves correctly.

Regards,
Matthew

Where I have seen it is mainly in spear-phishing attempts, where an attacker registers a domain that is just 1 or 2 characters off, and then attempts to send e-mail to executives. Luckily we have been able to identify them so far, but when you have well over 1,000 users you get to wondering how many you don't know about.

Once identified, we have been able to contact the registrar to have the domain taken down within 24 hours. So far this has been a

I had not thought about URL filtering; too bad we can't create custom categories for the ESA like we can for the WSA. I don't put 100% faith in URL filtering, as a number of crafty attackers can make sites look legit for categorization when actually they are a front for malicious intent.

A good example off the top of my head that targets US government agencies with porn is gsaproposal.com. Type it in directly and it looks fine. Google it and click on the result with the same URL and it redirects to random porn sites. I had to blacklist this site manually.