How to use ESA to block spoof emails (using Emkei tool)

hanguye3
Cisco Employee

Hi team,

 

I am testing an ESA with the SPF and Check Sender DNS features enabled. At that time, I used this tool: https://emkei.cz/ to spoof an email to send to my real email. I did create the fake email (but using my correct email) to send to my real email.

Unfortunately, the ESA did not block that spoof email and I still get the fake one, and the ESA did not show any proof to block.

I would highly appreciate it if anyone can explain to me how this tool works and how to block it on the ESA.

 

Thanks in advance.

 

Br,

hainm

2 Replies

balaji.bandi
Hall of Fame

Can you explain more about your setup and your topology (what kind of email servers you have behind the ESA)?

 

Is the ESA handling all your incoming and outgoing SMTP email traffic?

 

Look at this example setup:

 

https://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-email-security/guide-c07-740417.pdf

 

Also grep the logs and post them to the forum so we can look at what is wrong.

 

BB


Check the Tracking Logs.
Make sure the email is showing that SPF and DMARC validation is occurring (or check the Authentication header on the email).
Enabling / checking SPF and DMARC on incoming messages doesn't necessarily mean it's blocked.
You may have enabled SPF in HAT - just records results.
Plus set the DMARC profile to deliver rather than abide by the domain's DMARC policy.

Do you have the DMARC profile set to action - such as Quarantine / Drop?
Do you have a Message or Content Filter to action based on the SPF result?

Personally, I use a cascading Email Authentication Message Filter to check the results of SPF, DKIM and DMARC to make decisions based on the various permutations that may occur and what action to take for each.
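
The cascading check described in the reply above, sketched in Python as an added example (not the poster's filter and not ESA message-filter syntax): it reads the Authentication-Results header and shows how a message whose SPF passes for the envelope sender can still fail DMARC on the visible From: domain. The authserv-id `mx.example.com`, the action labels and the sample headers are constructed assumptions.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.com"  # assumption: your own gateway's authserv-id

# Constructed sample: SPF passes for the envelope sender's domain, while the
# visible From: uses a different domain, so DMARC alignment fails.
SAMPLE = (
    "Authentication-Results: forged.example; spf=pass; dkim=pass; dmarc=pass\n"
    "Authentication-Results: mx.example.com;\n"
    " spf=pass smtp.mailfrom=bounce@sender.example;\n"
    " dkim=none;\n"
    " dmarc=fail (p=reject) header.from=victim.example\n"
    "From: User <user@victim.example>\n"
    "To: user@victim.example\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

def auth_results(raw, trusted=TRUSTED_AUTHSERV):
    """Collect spf/dkim/dmarc verdicts, ignoring headers our gateway did not add."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in message_from_string(raw).get_all("Authentication-Results", []):
        authserv = header.split(";", 1)[0].strip().lower()
        if authserv != trusted:
            continue  # a sender can insert its own header claiming "pass"
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results

def spf_only(results):
    """Policy that acts on SPF alone."""
    return "quarantine" if results["spf"] == "fail" else "deliver"

def cascade(results):
    """Check DMARC first, then SPF, then DKIM; labels are hypothetical actions."""
    if results["dmarc"] == "fail":
        return "quarantine"
    if results["spf"] == "fail":
        return "quarantine"
    if results["dkim"] == "fail" and results["spf"] != "pass":
        return "quarantine"
    if results["spf"] in ("none", "softfail") and results["dkim"] != "pass":
        return "tag-subject"
    return "deliver"

if __name__ == "__main__":
    r = auth_results(SAMPLE)
    print(r, spf_only(r), cascade(r))
```

On the sample message the SPF-only policy delivers while the cascade quarantines, because SPF is evaluated against the envelope sender and only DMARC ties the result to the From: header the recipient sees.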