
"reply-to" field different from "from" field

Denis10
Level 1

Hello,

 

Is there any way to filter a mail that has a "reply-to" field different from the "from" field where the "from" field is not the internal domain? The solution would be to compare two header values but I didn't find that this option was available.

 

Thanks.


ppreenja
Cisco Employee
Hello Denis10,

Unfortunately what you are requesting is not possible. This is because it is not possible to compare headers with each other. To accomplish this, we would need to be able to compare the values of the 'From' and 'Return-path' headers, and it is not possible to do this.

When doing comparisons with headers, we can match against a pre-defined regular expression, but we cannot check against other headers or any other variable.

We do have variables in our filters, but they can only be used on actions not conditions.

We already have a feature request filed for this, and if you want, you can add yourself to the notifications and get the latest updates on it:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum25300/

Also, to check on phishing emails in your environment, the below article will be of some assistance to you:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117796-problemsolution-esa-00.html

I hope the above information helps!

Cheers,
Pratham

Thank you for the reply Pratham, do you have an ETA for the CSCum25300 implementation?

Hello Denis10,

Currently, there is no ETA on this enhancement request; however, you can add yourself to it by clicking on the "Notifications" button and receive regular updates on its progress.

Cheers,
Pratham

Which solution would you recommend for this issue? Spoofed mail filtering can't really help in this situation, and a stricter reputation filter could result in false positives. Maybe the advanced phishing protection sensor could help?

Hello Denis 10,

For spoofed emails for outside domains, i.e. other than your internal domain, you can make use of the SPF, DKIM and DMARC features on the ESA.
Please find below the article that is most helpful for this:
https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-spf-dkim-dmarc.pdf

Additional items that may help are as below:

White Paper: Detecting Spoof
http://cs.co/9005DerYF

How-to: Enable Spoof Protection
http://cs.co/9006DcyDp

DMARC Lookup Tools:
https://www.agari.com/project/dmarc
https://dmarcian.com/dmarc-inspector

DMARC Wizard:
https://dmarc.globalcyberalliance.org

DMARC Aggregation Reporting Tool:
http://dmarc.postmarkapp.com/

Others:
https://dmarc.org/2016/03/best-practices-for-email-senders/
https://blog.manchestergreyhats.co.uk/posts/spf-dkim-dmarc-where-to-start/

Cheers,
Pratham

Campbell.Oliver
Level 1

Denis,

We are currently doing this in a production environment. The result is a bright red banner at the top of the email when the two referenced fields (reply-to and envelopesender) don't match. Here is the Incoming Content Filter:

2019-11-19_15-49-32.png
