Message Filter Help/Question

Doug Maxfield
Level 1

Good Morning,
We use the KnowBe4 product for Email Testing for our users. Some of the tests contain attachments that AMP "says" are malicious. We want to make sure that these emails are able to be delivered to our users. I created the following message filter and want to make sure that it will do the job.

Allow KnowBe4 emails in, bypassing all filters

allow_KnowBe4: if (recv-listener == "IncomingMail" AND header ("X-PHISHTEST") == "KnowBe4")
{
skip-spamcheck();
skip-viruscheck();
skip-ampcheck();
skip-marketingcheck();
skip-socialcheck();
skip-bulkcheck();
skip-vofcheck();
skip-filters();
}
.

We can guarantee that each email from KnowBe4 will contain the above X-Header and will contain the word "KnowBe4". The actual value is "This is a phishing security test from KnowBe4 that has been authorized by the recipient organization". Though it would be easier just to search for a word instead of the phrase.

Thanks,
Doug

5 Replies

marc.luescherFRE
Spotlight

That filter will work for the purpose you have described.

Do you have any other questions?

I use KnowBe4 too. We use a Mail Policy to do the same thing. The envelope sender is @knowbe4.com


Thanks Ken. I had that in the Mail Policy of allowed users, but somehow, this test didn't follow the normal testing that had been done. We attempted to include attachments and other random items and this caused the emails to come from the IP addresses of KnowBe4, but the Envelope Sender was different. So, of course, it used the Default Mail Policy instead of the KnowBe4 mail policy.

I figured it would be easier to use a Message Filter and bypass everything at the connection instead of "bringing it in" and processing it.

Now if we could only "bypass" O365 malware scanning, it would be much better.

Doug

Well the bad spirit in me says based on experience they will not catch all......

Mathew Huynh
Cisco Employee
Just a quick add just in case someone else is going to use your filter; a syntax correction:

allow_KnowBe4:
if (recv-listener == "IncomingMail") AND (header("X-PHISHTEST") == "KnowBe4")
{
skip-spamcheck();
skip-viruscheck();
skip-ampcheck();
skip-marketingcheck();
skip-socialcheck();
skip-bulkcheck();
skip-vofcheck();
skip-filters();
}
.

Cheers,
Matthew
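
A small model of the three matching strategies discussed in this thread (Mail Policy on the envelope sender, the header-only message filter, and the header combined with the connecting IP), run over constructed sample messages. This is an added example, not code from any poster, Cisco or KnowBe4; the 192.0.2.0/28 network, the sample addresses and the function names are assumptions, and the Python only models the matching logic, not AsyncOS itself.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: placeholder network from the RFC 5737 documentation range,
# standing in for the sending IPs published by the phishing-test vendor.
TEST_NETWORKS = [ipaddress.ip_network("192.0.2.0/28")]
WORD = re.compile(r"KnowBe4")  # single-word search, as proposed in the thread
PHRASE = ("This is a phishing security test from KnowBe4 that has been "
          "authorized by the recipient organization")


def build_message(phishtest_value=None):
    """Construct a minimal RFC 5322 message (sample data, not real mail)."""
    headers = ["From: sender@example.test", "Subject: Invoice attached"]
    if phishtest_value is not None:
        headers.append("X-PHISHTEST: " + phishtest_value)
    return "\n".join(headers) + "\n\nSee attachment.\n"


def evaluate(peer_ip, envelope_sender, raw_message):
    """Report which matching strategy from the thread selects this message."""
    values = message_from_string(raw_message).get_all("X-PHISHTEST") or []
    header_hit = any(WORD.search(v) for v in values)
    addr = ipaddress.ip_address(peer_ip)
    ip_hit = any(addr in net for net in TEST_NETWORKS)
    return {
        "mail_policy_sender": envelope_sender.lower().endswith("@knowbe4.com"),
        "header_only": header_hit,
        "header_and_source_ip": header_hit and ip_hit,
    }


# Constructed cases: (connecting IP, envelope sender, message)
SAMPLES = {
    "normal test": ("192.0.2.5", "campaign@knowbe4.com", build_message(PHRASE)),
    "test, other sender": ("192.0.2.9", "billing@invoices.example", build_message(PHRASE)),
    "header, other source": ("198.51.100.23", "billing@invoices.example", build_message(PHRASE)),
    "ordinary mail": ("203.0.113.7", "news@vendor.example", build_message()),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:22} {evaluate(*sample)}")
```

The "test, other sender" case is the situation described above where the envelope sender changed but the mail still came from the vendor's IPs; the "header, other source" case is selected by the header-only condition but not by the combined one.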