Message Filter and dictionary domains

damian.fawkner
Level 1

Hello,

I am just using the ESA Spoofing message filter at the moment; however, it is catching anything that has the specified domain name in it...

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200166-Quarantine-Spoofed-Email-Messages-on-the.html

i.e., it should be capturing example.com only, however it is capturing:

lmsflksd23s=example.com@sendgrid.net ---> this type of format is used by a lot of bounces/legitimate senders.

I have edited the dictionary to be:

@example.com

However it then fails to detect the spoofed addresses.

What am I missing here? I have a large number of domains, discussing with Cisco already and waiting on replies, but other thoughts would be good.

Thanks

6 Replies

damian.fawkner
Level 1

I have found that using example.com$ in the dictionary seems to resolve the issue.

Any thoughts on whether that would cause me issues?

Hello Damian,

We have a current open defect regarding dictionary entries starting with '@' not matching properly. You can find that here: Dictionary doesn't match as expected when the entries starts with "@" or "\@"

However, it looks like you found a viable workaround, which would be to try using the '$' regular expression symbol so that it looks for the string at the end of the line.

Thanks!

-Dennis M.

Thanks for the update - would you envision there being any issues with using the $ instead of matching the domain per the filter instructions?

Hello,

That really depends on the types of header formatting you're seeing. I would probably keep both of them within the dictionary so you can be sure to match on different scenarios. You could also use something like the following: example.com>$

I would advise modifying the dictionary entries as you need and then testing via manual SMTP telnet tests to confirm resolution.

Thanks!

-Dennis M.

Hello,

Do you have any update on this issue?

Kr,

Vincent.

Hi,

I fixed the problem by just putting the domain without the @.

It works for me.

Bye
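
An added example, not part of any post in this thread and not Cisco's code: it treats the dictionary entries discussed above as regular expressions and searches for them in sender strings, using Python's `re` module as a stand-in for the appliance's matcher (an assumption; it does not reproduce the '@' defect mentioned in the thread). The sample senders other than the bounce address from the first post are constructed, and `STRICT` is a hypothetical entry, not one proposed in the thread.

```python
import re

# Dictionary entries discussed in the thread, treated as regular expressions.
ENTRIES = ["example.com", "@example.com", "example.com$", "example.com>$"]

# Sample sender values. verp_bounce is from the first post; the rest are constructed.
SAMPLES = {
    "verp_bounce": "lmsflksd23s=example.com@sendgrid.net",
    "bare_spoof": "ceo@example.com",
    "display_spoof": "CEO <ceo@example.com>",
    "lookalike": "ceo@notexample.com",
}

# Hypothetical stricter entry: '@' pins the start of the domain, the dot is
# escaped so it matches only a literal '.', and '>?$' accepts both the bare
# and the angle-bracketed header form.
STRICT = r"@example\.com>?$"


def matching_entries(value, entries=ENTRIES):
    """Return the entries that match value (unanchored, case-insensitive search)."""
    return [e for e in entries if re.search(e, value, re.IGNORECASE)]


def match_table(samples=SAMPLES, entries=ENTRIES):
    """Map each sample name to the list of entries that would flag it."""
    return {name: matching_entries(v, entries) for name, v in samples.items()}


def strict_hits(samples=SAMPLES):
    """Names of the samples flagged by the stricter hypothetical entry."""
    return [n for n, v in samples.items() if re.search(STRICT, v, re.IGNORECASE)]


if __name__ == "__main__":
    for name, hits in match_table().items():
        print(f"{name:14} {SAMPLES[name]!r:42} -> {hits}")
    print("strict entry flags:", strict_hits())
```

Under these assumptions, `example.com$` stops flagging the bounce address but misses the angle-bracketed form (which is why `example.com>$` is kept alongside it), and it still flags `notexample.com` because nothing pins the start of the domain.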