cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
611
Views
0
Helpful
2
Replies
Highlighted
Cisco Employee

How to use ESA to block spoof emails (using Emkei tool)

Hi team,

 

I am testing an ESA with the SPF and Check Sender DNS features enable. At that time, I use this tool: https://emkei.cz/ to spoof an email to send to my real email. I did create the fake email (but using my correct email) to send to my real email.

Unfortunately, the ESA did not block that spoof email and I still get the fake one. and the ESA did not show any proof to block.

Highly appreciate that any guys can explain to me that how this tool work and how to block it on the ESA?

 

Thanks in advance.

 

Br,

hainm

2 REPLIES 2
Highlighted
VIP Mentor

Can you explain more about your setup, how your topology (what kind of email Servers you have behind ESA)

 

If ESA handling all your in and outgoing email SMTP traffic?

 

Look at the this example setup :

 

https://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-email-security/guide-c07-740417.pdf

 

also grep the logs and post to forum to look what is wrong ?

 

BB
*** Rate All Helpful Responses ***
Highlighted

Check the Tracking Logs
Make sure the email is showing that SPF and DMARC validation is occurring. ( or check the Authentication header on the email )
By enabling / checking SPF and DMARC on incoming messages doesn't necessarily mean its blocked. 
You may have enabled SPF in HAT - just records results.
Plus set the DMARC profile to deliver rather than abide by the domains DMARC Policy.

Do you have the DMARC profile set to action - such as Quarantine / Drop.
Do you have a Message or Content Filter to action based on the SPF result.

Personally, I use a cascading Email Authentication Message Filter to check the results of SPF, DKIM and DMARC to make a decisions based on the various permutations that may occur and what action to take for each. 


Content for Community-Ad