
Ironport c160 - question about the message filters (in cli) feature

anton1688
Level 1

Hello,

I am trying to solve a scam attack for my company. To whomever is reading this: this is a long one, please be patient :-) The actual question is at the very bottom.

We are receiving email from our own domain... I've been able to use Exchange to block these kinds of emails and was curious to find out if IronPort can do the same.

Let's assume the email header looks like this:

envelope sender (i.e. mail from:) - mail@somedomain.com

envelope recipient (i.e. rcpt to:) - mymail@mydomain.com

From header in the DATA section of the envelope (i.e. From:) - somemail@mydomain.com

What happens is the IronPort is allowing these senders to go through it.

Now...

1. To deal with this I have implemented a content filter to block any envelope sender with @mydomain.com, since mails from @mydomain should not come from the internet.

2. We have also implemented the content filter to look for "other headers", namely the from field (From:), with a string of @mydomain.com as well, so forgers would not be able to simply fake that in the message payload.

I have written a Python script that uses an email account on the internet to relay emails for me in order to test this.

Here are the results:

1. When using an envelope sender (i.e. mail from:) with a string pattern that matches @mydomain.com, the email is blocked as expected.

2. When using an envelope sender with my testing email account, which does not belong to my workplace domain (i.e. mail@somedomain.com), and a From header (i.e. From:) with a string pattern that matches @mydomain.com, trying to make the email look like it came internally, the email is blocked as expected.

3. Here comes the weird part... if I use an envelope sender of mail@somedomain.com and then use a non-standard / non-RFC from field (i.e. just 'from ' - note there is no colon, there is a backspace instead of the colon), the email somehow manages to get through and still looks as if the email came internally. This is because Exchange somehow does manage to recognize it as a valid 'from' field.

I suspect the IronPort does not recognize this field as a valid field and therefore the content filter cannot match.

My question is... am I able to use a regular expression on the headers themselves? Meaning, can I somehow tell IronPort to search for any field that looks anything like the 'from' header, using something like 'from.*' with the pattern of @mydomain.com, and block it?

Thanks in advance

Best regards

3 Replies

Robert Sherwin
Cisco Employee

Hello Robert,

Thanks for replying.

I have not seen these. I have tried it now but... it did not work either.

The reason being (in my mind) that the IronPort relies on the header being RFC compliant, so, going back to my example, if I remove the colon from the 'from' string the IronPort cannot identify this as a From header and is thus unable to apply any policies based on it.

If only the IronPort allowed 'free control', so to speak, and basically allowed me to match fields in the header as a string using regex, I would be able to create a message filter that looks like this pseudo filter: if header from.* = '@mydomain.com' then drop | quarantine

Do you think it is somehow possible?

By the way, since I applied the content filter that does match the RFC compliant header (i.e. 'from: ') I don't receive many of these emails. But on the occasion that someone would try to mess with the headers like I did, I want to be prepared :-)

Thank you for looking these up for me

Best regards

mkukreja1
Level 1

Hello,

Use message filters, and use a dictionary if you have multiple domains. The logic behind this is: if the sender IP doesn't match your relay list (Exchange servers) and matches the From and Header From, it would quarantine.

Block_spoof: if (sendergroup != "RELAYLIST")
{
    if (header-dictionary-match("<dictionary_name>", "From", 1)) OR (mail-from-dictionary-match("<dictionary_name>", 1))
    {
        quarantine("Policy_quarantine_name");
    }
}

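As an added illustration (not code from the thread, from Cisco or from AsyncOS), the Python below shows why a strict RFC 5322 parser never sees the colon-less 'from' line from the original question, while a regex over the raw header block, gated on the sender group like the filter above, still catches it. The sample messages are constructed; the domain, addresses and RELAYLIST name come from the thread, and the function names are my own.

```python
import re
from email import policy
from email.parser import BytesParser

PROTECTED_DOMAIN = "mydomain.com"  # the domain being spoofed in the thread

# Constructed sample messages (not from the thread) mirroring the poster's cases.
CASE_EXTERNAL = (b"From: mail@somedomain.com\r\n"
                 b"To: mymail@mydomain.com\r\n"
                 b"Subject: hello\r\n\r\nbody\r\n")
CASE_RFC_FROM = (b"From: somemail@mydomain.com\r\n"
                 b"To: mymail@mydomain.com\r\n"
                 b"Subject: invoice\r\n\r\nbody\r\n")
CASE_NO_COLON = (b"To: mymail@mydomain.com\r\n"
                 b"from somemail@mydomain.com\r\n"  # no colon: not an RFC 5322 field
                 b"Subject: invoice\r\n\r\nbody\r\n")


def strict_from(raw: bytes):
    """The From header as a strict RFC 5322 parser sees it (None if absent).
    Python's parser stops reading headers at the colon-less line, so the
    spoofed 'from' never becomes a header, as the poster suspects of the IronPort."""
    value = BytesParser(policy=policy.default).parsebytes(raw)["From"]
    return None if value is None else str(value)


# Anchored at line start so a folded "Received: ... from ..." continuation line
# does not match; the colon after 'from' is deliberately optional.
SPOOFED_FROM = re.compile(
    rb"^from\b[^\r\n]*@" + re.escape(PROTECTED_DOMAIN.encode()) + rb"\b",
    re.IGNORECASE | re.MULTILINE)


def raw_from_spoof(raw: bytes) -> bool:
    """Regex over the raw header block exactly as transmitted, before parsing."""
    header_block = raw.split(b"\r\n\r\n", 1)[0]
    return SPOOFED_FROM.search(header_block) is not None


def should_quarantine(raw: bytes, mail_from: str, sendergroup: str) -> bool:
    """Same shape as the filter in the last reply: skip the trusted relay
    group, otherwise flag a protected-domain envelope sender or header From."""
    if sendergroup == "RELAYLIST":
        return False
    if mail_from.lower().endswith("@" + PROTECTED_DOMAIN):
        return True
    return raw_from_spoof(raw)
```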