Inbound filters using CLI

twarmsbecker
Level 1

Hello,

I have worked with support on this, and created a combination filter and dictionary to tag the From sender. Currently we allow messages from our "domain.com" from external senders, the reason being that many systems send messages on behalf of the users. An example would be a FEDEX shipping alert that is sent from JDoe@domain.com to JDoe@domain.com. If we were to block these, hundreds of valid emails would not be delivered. So we are tagging the sender as "{IMPERSONATED}" to immediately let the recipient know that the sender is from outside of the organization. So JDoe@domain.com appears as "{IMPERSONATED}John Doe <jdoe@domain.com>" on the recipient's message display. We do not tag messages that are in our trusted whitelist or relaylist.

Here is the filter

MarkPossiblySpoofedEmail:
if (sendergroup != "WHITELIST") AND (sendergroup != "RELAYLIST")
{
    if recv-listener == "IncomingMail"
    {
        if (header-dictionary-match("EmailDomains", "From", 1)) OR (mail-from-dictionary-match("EmailDomains", 1))
        {
            edit-header-text("From", "(.*)", "{IMPERSONATED}\\1");
        }
    }
}

So the dictionary lists the following:

    domain.com$ (this works fairly well)
    domain.com>$ (this works fairly well)
    @domain.com (this DOES NOT catch anything; I suspect it is due to the @ character - this would be the best as it is definitive)
    domain.com (catches too many subscription emails that only contain domain.com)

Do I need to use some sort of escape sequence for the @ symbol in the dictionary?


Thanks, Tony

Marc Luescher
Level 1

We are currently also tagging and are working around the following filter:

ExternalFriendlyNameTag: if (recv-listener == "InboundMail") AND ((rcpt-to == "(FN\\.LN)@(xyz\\.com)") AND
    (mail-from != "@(xyz|xxx|zzz)\\.(de|com|net|com\\.au|at|nl|ca|org|pt|co\\.jp|com\\.pl|com\\.br|fax\\.uk|es|co\\.nz|it|co\\.kr)")) {
    insert-header("X-Ironport-OriginalFrom", "$From");
    if header("From") != "\\s" {
        strip-header("From");
        insert-header("From", "EXTERN \"$EnvelopeFrom\" <$EnvelopeFrom>");
    } else {
        strip-header("From");
        insert-header("From", "EXTERN $From");
    }
    skip-filters();
}

or for tagging of the subject line:

{
    insert-header("X-Ironport-SubjectEdited", "1");
    if header("Subject") != "\\[EXTERN\\]" {
        strip-header("Subject");
        insert-header("Subject", "[EXTERN]:$Subject");
    }
    skip-filters();
}

For a few domains only, I would avoid using CPU-expensive dictionary searches and script it directly.

For your dictionary lookup case the pattern should be something like:

@x+y+z\.(com|ru)

I hope that helps.

Regards

Marc

Mathew Huynh
Cisco Employee

Hey Tony,

As Marc has provided as well, for the matching, if it's for mail domains and senders it may be better to use the regex syntaxes provided, as opposed to a dictionary, which may be more resource intensive and restrictive on the matching.

I personally had always found issues with the @domain.com matching due to '@' not playing nice with regex.

For your particular scenario (I've altered your filter slightly):

MarkPossiblySpoofedEmail:
if recv-listener == "IncomingMail"
{
    if (sendergroup != "WHITELIST") AND (sendergroup != "RELAYLIST")
    {
        if (header("From") == "(?i)@(domain\\.com|domain2\\.com|domain3\\.com)") OR (mail-from == "(?i)@(domain\\.com|domain2\\.com|domain3\\.com)$")
        {
            edit-header-text("From", "(.*)", "{IMPERSONATED}\\1");
        }
    }
}

Regards,

Matthew
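The regex conditions from Matthew's filter and the edit-header-text action, replayed in Python over constructed messages, as an added example that is not part of this thread or of AsyncOS: the message dict layout, the sender group name UNKNOWNLIST, the sending hosts and the look-alike domain notdomain.com are assumptions. It also shows why the unanchored dictionary term domain.com from the question over-matches.

```python
import re

# Patterns from Matthew's reply: case-insensitive match of "@" followed by a protected
# domain. The envelope-sender pattern is anchored with "$" (an address ends with its
# domain); the From-header pattern is not, because "Name <user@domain.com>" ends with ">".
PROTECTED = r"(?i)@(domain\.com|domain2\.com|domain3\.com)"
FROM_HEADER_RE = re.compile(PROTECTED)
MAIL_FROM_RE = re.compile(PROTECTED + r"$")
LOOSE_RE = re.compile(r"domain\.com")  # unanchored term from the question, for comparison only
TRUSTED_GROUPS = {"WHITELIST", "RELAYLIST"}  # sender groups the filter must never tag

def edit_header_text(value: str) -> str:
    """Mirror edit-header-text("From", "(.*)", "{IMPERSONATED}\\1"); count=1 matters,
    because Python would otherwise also replace the empty match at end of string."""
    return re.sub(r"(.*)", r"{IMPERSONATED}\1", value, count=1)

def mark_possibly_spoofed(msg: dict) -> dict:
    """Apply the MarkPossiblySpoofedEmail conditions to a constructed message dict."""
    out = {**msg, "headers": dict(msg["headers"])}
    if out["recv_listener"] != "IncomingMail" or out["sendergroup"] in TRUSTED_GROUPS:
        return out
    from_hdr = out["headers"].get("From", "")
    if FROM_HEADER_RE.search(from_hdr) or MAIL_FROM_RE.search(out["mail_from"]):
        out["headers"]["From"] = edit_header_text(from_hdr)
    return out

# Constructed sample messages (not real traffic) covering the cases discussed in the thread.
SAMPLES = {
    "on_behalf": {"recv_listener": "IncomingMail", "sendergroup": "UNKNOWNLIST",
                  "mail_from": "alerts@shipping.example",
                  "headers": {"From": "John Doe <JDoe@domain.com>"}},
    "whitelisted": {"recv_listener": "IncomingMail", "sendergroup": "WHITELIST",
                    "mail_from": "alerts@shipping.example",
                    "headers": {"From": "John Doe <JDoe@domain.com>"}},
    "envelope_only": {"recv_listener": "IncomingMail", "sendergroup": "UNKNOWNLIST",
                      "mail_from": "noreply@Domain.com",
                      "headers": {"From": "Notifications <noreply@mailer.example>"}},
    "lookalike": {"recv_listener": "IncomingMail", "sendergroup": "UNKNOWNLIST",
                  "mail_from": "news@notdomain.com",
                  "headers": {"From": "News <news@notdomain.com>"}},
}

def run_samples() -> dict:
    """Return each sample's resulting From header."""
    return {name: mark_possibly_spoofed(m)["headers"]["From"] for name, m in SAMPLES.items()}

def loose_term_over_matches() -> bool:
    """True if the unanchored term 'domain.com' hits the look-alike sender the regex rejects."""
    return bool(LOOSE_RE.search(SAMPLES["lookalike"]["mail_from"]))
```

Only the on-behalf and envelope-only messages get the {IMPERSONATED} tag; the whitelisted copy and the notdomain.com sender are left alone, while the loose term still hits notdomain.com.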
