1980 Views · 10 Helpful · 2 Replies

IronPort: how to check the sender name and compare it to the email address

PremiaFIT_IKT
Level 1

Hello all

We have a problem: we get spam from external senders where the name is our CEO's but the email address does not match.

Like an email from "Manuel Wurst <spamadress@russkieo.org>", when the correct one should be "Manuel Wurst <manuel.wurst@correct.com>".

Can somebody give me a hint on how to check and compare this?

Thank you and greetings from Austria

Wolfgang

2 Replies

Libin Varghese
Cisco Employee

Hi,

You can configure filters on the ESA to look for specific content (in this case the name of the CEO) within the From header. For multiple names you could also use dictionaries with the names of all executives.

For the content filter, set the condition to Other Header, the value as per your requirement, and the action to quarantine. The filter can then be enabled on an incoming mail policy to check inbound emails.

Starting with AsyncOS 10, a new feature, Forged Email Detection, was added, which helps detect fraudulent messages with a forged sender address (From: header) and perform actions on such messages.

This functionality and its configuration are explained in the end user guide below:

Chapter 22 (Page 22-41)

https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa10-0/ESA_10-0_User_Guide.pdf

Regards,

Libin Varghese

There's a feature in the content filters called "Forged Email Detection" (FED) that compares the "user" section of the From header against a dictionary of names.

Under Mail Policies/Dictionaries create a new dictionary, one name per line. Pick the users you're getting forged mail from.

Create a new incoming mail filter with a condition of Forged Email Detection, pick the dictionary, and a match level. Default is 70, but that fired on too many mails, so we use 80.

Under actions we modify the subject header and use the FED action, which swaps the From header and the Envelope Sender headers so when the user gets it they see who the mail is really from.

Also make sure you're using 10.0.3 or later.

Ken
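The procedure described in the two replies above (a dictionary of executive names, a fuzzy match of the From: display name against it with a match level, and an action that tags the subject and replaces the From: header so the recipient sees the real sender) as an added Python illustration. This is example code written for this page, not Cisco's ESA implementation: the similarity scoring (difflib ratio scaled to 0-100), the INTERNAL_DOMAINS set, the sample headers and all function names are assumptions, and the ESA's own scoring algorithm is not described on this page.

```python
# Added illustration for this thread (not Cisco code): check the From: display
# name against a dictionary of executive names, the way the content-filter /
# Forged Email Detection approach in the replies works.
# ASSUMPTION: the 0-100 score below is difflib's ratio; the ESA's real
# "match level" algorithm is not documented on this page.
from difflib import SequenceMatcher
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed dictionary, one name per line as in Mail Policies > Dictionaries.
EXEC_NAMES = ["Manuel Wurst", "Maria Beispiel"]
# Assumed set of the organisation's own sending domains.
INTERNAL_DOMAINS = {"correct.com"}


def decode_display(raw: str) -> str:
    """Decode RFC 2047 encoded words so '=?UTF-8?Q?Manuel_Wurst?=' compares as text."""
    return str(make_header(decode_header(raw)))


def normalize(name: str) -> str:
    """Lower-case, drop punctuation, sort tokens so 'Wurst, Manuel' == 'Manuel Wurst'."""
    tokens = name.lower().replace(",", " ").replace(".", " ").split()
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> int:
    """0-100 similarity of two display names (assumed stand-in for the FED match level)."""
    return round(100 * SequenceMatcher(None, normalize(a), normalize(b)).ratio())


def best_match(display: str, names=EXEC_NAMES):
    """Best (dictionary name, score) for a display name; (None, 0) if it is empty."""
    if not display.strip():
        return None, 0
    return max(((n, similarity(display, n)) for n in names), key=lambda t: t[1])


def check_from(from_header: str, threshold: int = 80, names=EXEC_NAMES,
               internal=INTERNAL_DOMAINS) -> dict:
    """Flag a From: header whose display name looks like an executive but whose
    address is not on an internal domain. threshold mirrors the FED match level."""
    raw_display, addr = parseaddr(from_header)
    display = decode_display(raw_display)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name, score = best_match(display, names)
    return {
        "display": display,
        "address": addr,
        "match": name,
        "score": score,
        "forged": score >= threshold and domain not in internal,
    }


def apply_fed_actions(headers: dict, envelope_sender: str, threshold: int = 80):
    """Assumed model of the two actions in Ken's reply: tag the subject and replace
    the From: header with the envelope sender so the recipient sees the real address.
    Returns (new_headers, verdict); the input dict is left unchanged."""
    verdict = check_from(headers.get("From", ""), threshold)
    out = dict(headers)
    if verdict["forged"]:
        out["Subject"] = "[POSSIBLY FORGED SENDER] " + headers.get("Subject", "")
        out["From"] = envelope_sender
    return out, verdict


if __name__ == "__main__":
    # Constructed sample headers, including a reordered name and an
    # RFC 2047 encoded display name (a common way to slip past plain matching).
    samples = [
        "Manuel Wurst <spamadress@russkieo.org>",
        "Manuel Wurst <manuel.wurst@correct.com>",
        '"Wurst, Manuel" <ceo-office@example.net>',
        "=?UTF-8?Q?Manuel_Wurst?= <spamadress@russkieo.org>",
        "Wolfgang Huber <wolfgang@example.org>",
    ]
    for s in samples:
        v = check_from(s)
        print(f"{'FORGED' if v['forged'] else 'ok    '} score={v['score']:3d} {s}")
```

The threshold is the knob Ken describes: at 70 a near-miss such as "Manuel Wurs" still fires, which is the point of the feature, but so do more unrelated names, so run the check over real mail with the default before settling on a value. Note that the script only decides on the display name and the address domain; an attacker who sends from a lookalike domain that you have listed as internal is not caught by this check.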