05-23-2016 02:24 PM
I need to modify the following regex for our message filter that blocks spoofers, but I'm not sure how to form the regex. It seems that Cisco regex is a bit different than regular regex? Is there a site where I can run tests? I've tried "https://regex101.com/" but it doesn't appear to work the same way.
For example,
if our domain is cisco.com,
and the email's From or sender is "jeff@xxxCISCOxxx.com", "jeff@ciscoi.com", "jeff@ciscocorp.com" or "jeff@acisco.com", etc. (added characters before and after cisco), drop.
This is what I'm running at the moment:
BlockSpoofFilter: if (sendergroup != "spoofer_list|relaylist") AND (NOT (header("x-spoof"))) {
    if (mail-from == "cisco.local$|cisco.com$") OR (header("From") == "cisco.local$|cisco.com$|cisco.com>$") {
        notify ("$EnvelopeRecipients", "[Suspect Spoof] Quarantined Email Notification", "", "SPOOF_WARNING_NOTICE");
        quarantine("Spoofed");
        insert-header("x-spoof", "");
    }
}
05-23-2016 03:08 PM
Will these work?
if (mail-from == "(?i).*cisco.*$") OR (header("From") == "(?i).*cisco.*>$") {
05-26-2016 05:15 PM
Hello Jtsai,
I would normally test with my lab environment and run an SMTP telnet test to replicate behaviours, but if you cannot do this on your systems (as you may have to use production), you can use the 'Trace' feature to test whether your filter syntax is working as expected.
From review, I tested this filter:
test_filter:
if (mail-from == "matt@.*lee.*\\.com")
{
    drop();
}
.
Where I sent emails from:
matt@lee.com <- Dropped by filter
matt@alee.com <- Dropped by filter
matt@aleea.com <- Dropped by filter
matt@abcleeabc.com <- Dropped by filter
matt@abcleabceabc.com <- Passed the filter.
Regards,
Matthew
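To see how these regex conditions behave on concrete addresses, here is an added Python simulator (example code, not from the thread or from Cisco) covering the original BlockSpoofFilter, the proposed (?i).*cisco.* patterns, and Matthew's matt@.*lee.*\.com lab test. It assumes the ESA == test behaves like an unanchored, case-sensitive Python re.search; compare() also shows that the proposed From pattern's trailing >$ no longer catches a bare From header such as jeff@cisco.com, which the original cisco.com$ did.

```python
import re

# Added example, not from the thread. Assumption: the ESA "==" test on
# mail-from / header() behaves like an unanchored Python re.search, and is
# case-sensitive unless the pattern starts with (?i).
def rule_matches(pattern, value):
    return re.search(pattern, value) is not None

# Patterns quoted from the thread: the running filter and the proposed one.
ORIGINAL = {"mail-from": r"cisco.local$|cisco.com$",
            "From": r"cisco.local$|cisco.com$|cisco.com>$"}
PROPOSED = {"mail-from": r"(?i).*cisco.*$",
            "From": r"(?i).*cisco.*>$"}

def block_spoof_filter(mail_from, from_header, patterns,
                       sendergroup="UNKNOWNLIST", has_x_spoof=False):
    """Return 'quarantine' or 'deliver', following BlockSpoofFilter's logic."""
    # Authorised sender groups and already-tagged messages are exempt.
    if sendergroup in ("spoofer_list", "relaylist") or has_x_spoof:
        return "deliver"
    if (rule_matches(patterns["mail-from"], mail_from)
            or rule_matches(patterns["From"], from_header)):
        return "quarantine"
    return "deliver"

# Constructed samples: (envelope sender, From header) pairs.
SAMPLES = [
    ("jeff@cisco.com", "Jeff <jeff@cisco.com>"),
    ("jeff@acisco.com", "Jeff <jeff@acisco.com>"),
    ("jeff@ciscocorp.com", "Jeff <jeff@ciscocorp.com>"),
    ("jeff@xxxCISCOxxx.com", "Jeff <jeff@xxxCISCOxxx.com>"),
    ("bounce@mailer.example.net", "jeff@cisco.com"),      # bare From, no <>
    ("bounce@mailer.example.net", "jeff@ciscocorp.com"),  # bare From, no <>
    ("alice@example.org", "Alice <alice@example.org>"),
]

def compare(samples=SAMPLES):
    """Map each sample to (verdict under ORIGINAL, verdict under PROPOSED)."""
    return {(mf, hdr): (block_spoof_filter(mf, hdr, ORIGINAL),
                        block_spoof_filter(mf, hdr, PROPOSED))
            for mf, hdr in samples}

def matt_test(pattern=r"matt@.*lee.*\.com"):
    """Reproduce the lab results Matthew reported for his test_filter."""
    senders = ["matt@lee.com", "matt@alee.com", "matt@aleea.com",
               "matt@abcleeabc.com", "matt@abcleabceabc.com"]
    return {s: "dropped" if rule_matches(pattern, s) else "passed"
            for s in senders}
```

Calling compare() prints a verdict pair per sample; the two bounce@mailer.example.net rows are where the original and proposed patterns disagree.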
09-10-2017 10:12 PM
09-10-2017 11:15 PM
You could telnet to the appliance using the steps provided in the below article to inject a test email.
Regards,
Libin Varghese
09-10-2017 11:57 PM
09-11-2017 12:04 AM
As your filter looks at mail-from and the From header, you can telnet to the appliance and inject values for these headers to see how the filter would behave.
telnet 172.16.6.165 25
Trying 172.16.6.165...
Connected to my_esa.
Escape character is '^]'.
220 my_esa.local ESMTP
helo
250 my_esa.local
mail from: <test@cisco.com>
250 sender <test@cisco.com> ok
rcpt to: <user@cisco.com>
250 recipient <user@cisco.com> ok
data
354 go ahead
subject: TESTING SMTP
This is line one.
This is line two.
.
250 ok: Message 214 accepted
quit
221 my_esa.local
Regards,
Libin Varghese
09-11-2017 01:45 AM
09-11-2017 02:13 AM
If the lab ESA is configured with a listener which is not suspended, the telnet should work.
If the traffic is not allowed to reach the ESA listener at all, then the only way to check would be for mail-from, using the Trace functionality under System Administration -> Trace.
- Libin V