516 Views, 0 Helpful, 4 Replies

In the message header, field "from" is not equal to "sender"

Yurii-KRUT
Level 1

What is the best way to block spoofing messages in ESA?

ESA message tracking does not show the field "from", but in Outlook this message looks like it is from my company domain, and in the Outlook header the field "from" is present and it is not equal to "sender":
From: HelpDesk Support <helpdesk@my_company_domain>

ESA logs
Envelope Sender:noreply1@vip-163.cam
Message 18252744 SPF: mailfrom identity noreply1@vip-163.cam Pass

Will this solution help me to block all such messages?

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200166-Quarantine-Spoofed-Email-Messages-on-the.html

4 Replies

I'd have to test it to be sure, but it looks like it would do the job.

I hope the CLI filter works in a different way, because in the GUI message tracker there is no string/header "From: HelpDesk Support <helpdesk@my_company_domain>".

Another thing you could do is check whether the header From contains your domain, assuming no one outside your company can email as your domain. Then either do forged email detection, where the system will replace the From with the envelope From, or quarantine it.

[attached screenshot: Screenshot 2024-08-29 144543.jpg]

The best way to block spoofing of your company domain is to implement DMARC on your domain and turn on DMARC verification on the incoming mail flow policy. As a result, a message with a spoofed FROM header of your company email address will be quarantined in the DMARC quarantine. If DMARC implementation is not possible at the moment, you could set up a content filter to quarantine messages sent from an unknown remote IP with a header FROM containing your domain. However, you need to monitor the quarantine to release any false positives and keep adding legitimate remote IPs to the content filter.
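The checks the two replies above describe (forged-email detection that rewrites the header From to the envelope sender, a content filter on header From plus remote IP, and DMARC SPF identifier alignment), as an added stand-alone example. This is not Cisco ESA code and not a filter you can paste into the appliance; it models the decision logic so you can see why an SPF pass for noreply1@vip-163.cam says nothing about helpdesk@my_company_domain. The sample message and the allowed-sender network 203.0.113.0/24 are constructed for the example, and the alignment check uses simple subdomain matching rather than a public-suffix organizational-domain lookup.

```python
"""Spoof-detection logic from the thread, modelled in plain Python.

Added example, not Cisco ESA code. It parses a constructed message that
mirrors the thread: SPF passes for the envelope sender at vip-163.cam while
the header From claims the company domain.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "my_company_domain"  # placeholder domain used in the thread

# Assumption: remote networks that legitimately send mail carrying the company
# domain in the header From (e.g. a cloud mailer). RFC 5737 test range.
ALLOWED_REMOTE_IPS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed message modelled on the thread's log lines.
SAMPLE_MESSAGE = """\
Return-Path: <noreply1@vip-163.cam>
Received: from mail.vip-163.cam (mail.vip-163.cam [198.51.100.7])
\tby esa.my_company_domain with ESMTP; Thu, 29 Aug 2024 14:45:43 +0300
From: HelpDesk Support <helpdesk@my_company_domain>
To: user@my_company_domain
Subject: Your password expires today

Please log in here to keep your account active.
"""
SAMPLE_SPF_RESULT = "Pass"  # ESA: "SPF: mailfrom identity noreply1@vip-163.cam Pass"


def domain_of(address):
    """Lower-cased domain part of an RFC 5322 address string ('' if none)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def identities(raw):
    """Extract the identities the thread is about: envelope sender domain
    (Return-Path), header From domain, and the connecting IP from the
    top Received header (ESA knows this directly; here we parse it)."""
    msg = message_from_string(raw)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return {
        "envelope_domain": domain_of(msg.get("Return-Path")),
        "from_domain": domain_of(msg.get("From")),
        "remote_ip": m.group(1) if m else None,
    }


def is_allowed_sender(remote_ip):
    """True if the remote IP is in a network allowed to use the company domain."""
    if remote_ip is None:
        return False
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in net for net in ALLOWED_REMOTE_IPS)


def content_filter_verdict(ids):
    """Interim content filter from the last reply: quarantine when the header
    From carries the company domain but the remote IP is not on the allowlist."""
    if ids["from_domain"] != COMPANY_DOMAIN:
        return "deliver"
    return "deliver" if is_allowed_sender(ids["remote_ip"]) else "quarantine"


def dmarc_spf_aligned(ids, spf_result, strict=False):
    """DMARC identifier alignment for SPF: SPF must pass AND the mailfrom
    domain must align with the header From domain. Relaxed mode accepts a
    subdomain relationship (simplified: no public-suffix list)."""
    if spf_result.lower() != "pass":
        return False
    env, frm = ids["envelope_domain"], ids["from_domain"]
    if strict:
        return env == frm
    return env == frm or env.endswith("." + frm) or frm.endswith("." + env)


def forged_email_rewrite(raw):
    """Forged-email detection as described in the thread: when the header
    From is forged to the company domain from an unknown IP, replace it
    with the envelope sender so the recipient sees the real origin."""
    msg = message_from_string(raw)
    ids = identities(raw)
    if ids["from_domain"] == COMPANY_DOMAIN and not is_allowed_sender(ids["remote_ip"]):
        _, envelope = parseaddr(msg.get("Return-Path", ""))
        msg.replace_header("From", envelope)
    return msg


if __name__ == "__main__":
    ids = identities(SAMPLE_MESSAGE)
    print("identities:", ids)
    print("content filter:", content_filter_verdict(ids))
    print("DMARC SPF aligned:", dmarc_spf_aligned(ids, SAMPLE_SPF_RESULT))
    print("rewritten From:", forged_email_rewrite(SAMPLE_MESSAGE)["From"])
```

The point the last reply makes shows up directly: SPF was evaluated on the envelope identity noreply1@vip-163.cam and passed, but DMARC additionally requires that identity to align with the header From domain, which it does not, so DMARC verification would quarantine the message without an IP allowlist to maintain.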