Beginner

"reply-to" field different from "from" field

Hello,

 

Is there any way to filter a mail that has a "reply-to" field different from the "from" field where the "from" field is not the internal domain? The solution would be to compare two header values, but I didn't find that this option was available.

 

Thanks.

5 REPLIES
Cisco Employee

Re: "reply-to" field different from "from" field

Hello Denis10,

Unfortunately what you are requesting is not possible. This is because it is not possible to compare headers with each other. To accomplish this, we would need to be able to compare the values of the 'From' and 'Return-path' headers, and it is not possible to do this.

When doing comparisons with headers, we can match against a pre-defined regular expression, but we cannot check against other headers or any other variable.

We do have variables in our filters, but they can only be used on actions not conditions.

We already have a feature request filed for the same, and if you want you can add yourself to the notifications and get the latest update on the same:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum25300/

Also, to check on phishing emails in your environment, the below article will be of some assistance to you:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117796-problemsolution-esa-00.html

I hope the above information helps!

Cheers,
Pratham
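
The comparison asked about at the top of the thread, written as a stand-alone Python check that could be run over exported or journaled messages outside the ESA. This is an added example, not part of the thread and not Cisco code; `INTERNAL_DOMAINS`, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: replace with the domain(s) your organisation sends from.
INTERNAL_DOMAINS = {"example.com"}

def header_domains(msg, header):
    """Lower-cased domains of every address in every instance of `header`."""
    values = [str(v) for v in msg.get_all(header, [])]
    return {addr.rsplit("@", 1)[1].lower().rstrip(".")
            for _name, addr in getaddresses(values) if "@" in addr}

def reply_to_mismatch(raw_message):
    """True when an external From has a Reply-To pointing at another domain."""
    msg = message_from_string(raw_message)
    from_domains = header_domains(msg, "From")
    reply_domains = header_domains(msg, "Reply-To")
    if not from_domains or not reply_domains:
        return False              # no Reply-To or unparsable From: nothing to compare
    if from_domains <= INTERNAL_DOMAINS:
        return False              # internal sender: out of scope for this rule
    # Exact-domain comparison: a Reply-To on a subdomain of the From domain
    # also counts as a mismatch, which is stricter than matching on the
    # organisational domain.
    return not reply_domains <= from_domains

# Constructed sample messages (not taken from real mail).
SAMPLES = {
    "mismatch": 'From: "Accounts" <billing@partner.test>\n'
                "Reply-To: billing@partner-pay.test\nSubject: Invoice\n\nbody\n",
    "same_domain": "From: billing@partner.test\n"
                   "Reply-To: Billing <BILLING@Partner.Test>\n\nbody\n",
    "internal_from": "From: hr@example.com\nReply-To: hr@survey.test\n\nbody\n",
    "no_reply_to": "From: billing@partner.test\nSubject: Hi\n\nbody\n",
}

def flagged(samples=SAMPLES):
    """Names of the sample messages that trip the rule."""
    return sorted(name for name, raw in samples.items() if reply_to_mismatch(raw))

if __name__ == "__main__":
    print(flagged())
```

Mailing lists and bulk-mail services legitimately set a Reply-To in another domain, so a hit is better used as a signal for review or scoring than as a block rule.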
Beginner

Re: "reply-to" field different from "from" field

Thank you for the reply, Pratham. Do you have an ETA for CSCum25300 implementation?

Cisco Employee

Re: "reply-to" field different from "from" field

Hello Denis10,

Currently, there is no ETA on this enhancement request; however, you can add yourself to the same by clicking on the "Notifications" button and receive regular updates on the progress of the same.

Cheers,
Pratham
Beginner

Re: "reply-to" field different from "from" field

Which solution would you recommend for this issue? Spoofed mail filtering can't really help in this situation, and a stricter reputation filter could result in false positives. Maybe the advanced phishing protection sensor could help?

Cisco Employee

Re: "reply-to" field different from "from" field

Hello Denis10,

For spoof emails for outside domains, i.e. other than your internal domain, you can take the help of the SPF, DKIM and DMARC features on the ESA.
Please find below the article which is the most helpful for the same:
https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-spf-dkim-dmarc.pdf

Additional items that may help are as below:

White Paper: Detecting Spoof
http://cs.co/9005DerYF

How-to: Enable Spoof Protection
http://cs.co/9006DcyDp

DMARC Lookup Tools:
https://www.agari.com/project/dmarc
https://dmarcian.com/dmarc-inspector

DMARC Wizard:
https://dmarc.globalcyberalliance.org

DMARC Aggregation Reporting Tool:
http://dmarc.postmarkapp.com/

Others:
https://dmarc.org/2016/03/best-practices-for-email-senders/
https://blog.manchestergreyhats.co.uk/posts/spf-dkim-dmarc-where-to-start/

Cheers,
Pratham