Message Filter for Spoofing senders

jtsai8585 (Level 1)

I need to modify the following regex for our message filter that blocks spoofers, but I'm not sure how to form the regex. It seems that Cisco regex is a bit different than regular regex? Is there a site where I can run tests? I've tried "https://regex101.com/" but it doesn't appear to work the same way.

For example, if our domain is cisco.com, and the email's From or sender is "jeff@xxxCISCOxxx.com", "jeff@ciscoi.com", "jeff@ciscocorp.com" or "jeff@acisco.com" ..... etc. (added characters before and after cisco) ..... drop.

This is what I'm running at the moment:

BlockSpoofFilter: if (sendergroup != "spoofer_list|relaylist") AND (NOT (header("x-spoof"))) {
    if (mail-from == "cisco.local$|cisco.com$") OR (header("From") == "cisco.local$|cisco.com$|cisco.com>$") {
        notify ("$EnvelopeRecipients", "[Suspect Spoof] Quarantined Email Notification", "", "SPOOF_WARNING_NOTICE");
        quarantine("Spoofed");
        insert-header("x-spoof", "");
    }
}


jtsai8585 (Level 1)

Will these work?

if (mail-from == "(?i).*cisco.*$") OR (header("From") == "(?i).*cisco.*>$") {

Hello Jtsai,


I would normally test with my lab environment and run an SMTP telnet test to replicate behaviours, but if you cannot do this on your systems (as you may have to use production), you can use the 'Trace' feature to test whether your filter syntax is working to expectations.

From review, I tested this filter:

test_filter:
if (mail-from == "matt@.*lee.*\\.com")
{
    drop();
}

Where I sent emails from...

matt@lee.com <- Dropped by filter

matt@alee.com <- Dropped by filter

matt@aleea.com <- Dropped by filter

matt@abcleeabc.com <- Dropped by filter

matt@abcleabceabc.com <- Passed the filter.

Regards,

Matthew
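To see how the patterns in the question and Matthew's test results line up before committing a pattern to a filter, here is an added example that is not code from any poster in this thread. It assumes Python's re module is a close enough stand-in for the appliance's regex engine and that the filter's == behaves like an unanchored re.search (consistent with the results above); the "domain_scoped" pattern and all sample addresses other than the lookalikes from the question are my own constructions.

```python
import re

# Added example, not code from the thread. Python's re stands in for the appliance's
# regex engine; the filter's "==" is assumed to act like an unanchored re.search,
# which agrees with the thread's test results. Confirm on the appliance itself
# (Trace, or a telnet injection on a lab listener) before relying on any pattern.

PATTERNS = {
    # The poster's current filter: the mail-from and From-header alternatives combined.
    # The dots are unescaped, so "cisco.com$" also matches "acisco.com" or "ciscoXcom".
    "current": r"cisco.local$|cisco.com$|cisco.com>$",
    # The poster's proposed pattern: anything containing "cisco", in any case.
    "proposed": r"(?i).*cisco.*$",
    # Tightened alternative (my suggestion, not from the thread): require the string
    # inside the domain part only, so local parts and display names cannot trigger it.
    "domain_scoped": r"(?i)@[^@\s>]*cisco[^@\s>]*\.(?:com|local)>?$",
}

# Constructed sample mail-from and From-header values. The lookalike domains are the
# ones listed in the question; the remaining entries are invented for illustration.
SAMPLES = [
    "jeff@cisco.com",                           # the real domain (a spoof if external)
    "jeff@xxxCISCOxxx.com",                     # lookalikes from the question
    "jeff@ciscoi.com",
    "jeff@ciscocorp.com",
    "jeff@acisco.com",
    "Jeff <jeff@ciscocorp.com>",                # From header with a display name
    "francisco.lopez@example.com",              # "cisco" inside the local part
    "Francisco Lopez <francisco@example.com>",  # "cisco" inside the display name
    "jeff@sanfrancisco.com",                    # "cisco" inside an unrelated domain
]


def filter_matches(pattern: str, value: str) -> bool:
    """True when the filter condition  value == "pattern"  would fire."""
    return re.search(pattern, value) is not None


def evaluate(pattern_name: str) -> dict:
    """Apply one named pattern to every sample; returns {sample: matched}."""
    pattern = PATTERNS[pattern_name]
    return {value: filter_matches(pattern, value) for value in SAMPLES}


if __name__ == "__main__":
    # Side-by-side table: which samples each pattern would quarantine.
    results = {name: evaluate(name) for name in PATTERNS}
    print(f"{'sample':44}" + "".join(f"{name:>15}" for name in PATTERNS))
    for value in SAMPLES:
        cells = "".join(f"{str(results[n][value]):>15}" for n in PATTERNS)
        print(f"{value:44}{cells}")
```

The table shows the trade-off: the current pattern misses "ciscoi.com" and "ciscocorp.com", the proposed one also quarantines anyone named Francisco, and even the domain-scoped one still hits "sanfrancisco.com", so a sender-group allowlist like the one already in the filter stays necessary. In the filter text itself the backslash is doubled, as in Matthew's `\\.com`, whereas the Python raw strings above write it once.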

Hi!
How did you test it?

You could telnet to the appliance using the steps provided in the below article to inject a test email.


https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118234-technote-esa-00.html


Regards,

Libin Varghese

I mean, how to test a spoof email.
I have configured Antispoof, but I want to test it using a spoof email, just to check if the policy will hit it.

As your filter looks at mail-from and from header, you can telnet to the appliance and inject values for these headers to see how the filter would behave.


telnet 172.16.6.165 25
Trying 172.16.6.165...
Connected to my_esa.
Escape character is '^]'.
220 my_esa.local ESMTP
helo
250 my_esa.local
mail from: <test@cisco.com>
250 sender <test@cisco.com> ok
rcpt to: <user@cisco.com>
250 recipient <user@cisco.com> ok
data
354 go ahead
subject: TESTING SMTP
This is line one.
This is line two.
.
250 ok: Message 214 accepted
quit
221 my_esa.local


Regards,

Libin Varghese

Hi Libin,

Thank you, and sorry for bothering you. I already asked my colleague; as per them, there is no way unless the ESA appliance is in production.

If the lab ESA is configured with a listener that is not suspended, the telnet should work.


If the traffic is not allowed to reach the ESA listener at all, then the only way to check the mail-from would be the Trace functionality under System Administration -> Trace.


- Libin V