Spam issue with IronPort C170

Lotfi BOUCHERIT
Level 1

Hello,

 

We have a Cisco IronPort C170 with OS version 10.0.0-203 acting as the mail anti-spam gateway for our network.

 

Last week, we had an incident of spam mails that were sent to almost all the company workers. The sender e-mail address is (ISCULLINAS@GMAIL.COM), which looks like it was generated from a public mail provider. But it was actually an undesired e-mail.

To block this e-mail, we proceeded as follows :

  • Created a content filter with final action Drop
  • Applied this content filter in an Incoming Mail Policy, where we activated Advanced Malware Protection and used all Anti Spams available in IronPort.

The rule seems to be working, but I would like to know whether other options are available in IronPort to harden protection, for example checking DMARC and SPF DNS records, or anything else.

Thank you in advance!

4 Replies

pchakra2
Cisco Employee

The hardware C170 is currently running an old version of AsyncOS (10.0.0), so firstly I would suggest upgrading the ESA to the latest available AsyncOS version (11.0.x), as with the upgrade the security scanning engines will also be enhanced with the latest updates.

 

You can configure SPF checks for incoming emails. That will be helpful, as any spoofed sender trying to send emails in the name of another domain will fail the SPF checks, and you may take actions in the ESA accordingly with filters based upon the SPF verdicts. DMARC will also work as an added security layer.

 

Finally, you can submit the missed email sample to Cisco so that the Talos Intelligence team analyses it and updates the detection content, so that similar emails get detected as spam thereafter.

 

Best Regards,

Hello Sir, and thank you for your time.

Could you please give me an idea where I can configure the Sender Policy Framework (SPF) in IronPort?

I spent a lot of time searching for it with no success.

About the upgrade, I'll take it into consideration as soon as possible. Thank you in advance.

It's a pleasure to assist.

 

Regarding enabling SPF, you can enable it from the GUI --> Mail Policies --> Mail Flow Policies --> scroll down to the Encryption and Authentication section. You'll find the option to enable SPF there.

 

Once enabled, you'll see SPF verdicts (fetched via the DNS servers configured in the ESA) starting to populate in Message Tracking and the mail logs.

 

If you want to take actions in the ESA based on the SPF verdicts, you'll need to create an Incoming Content Filter and enable it in the Incoming Mail Policies.

 

Whenever you'd like to understand more about an aspect of the ESA, refer to the AsyncOS Admin Guide: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0.pdf

ppreenja
Cisco Employee

Hello Lotfi,

To harden your ESA appliance, I would recommend checking the articles below, which will guide you through all the steps:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118462-technote-esa-00.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-EmailSecurityUsingCiscoESADesignGuide-AUG14.pdf

Also, for checking spoofed emails from external domains, I would recommend making sure that the SPF, DKIM and DMARC features are set to ON in the Mail Flow Policies (such as Accepted, etc.) [Mail Policies --> Mail Flow Policies --> <selected Mail Flow Policy for incoming traffic, such as Accepted> --> Security Features]. Also, make sure to make use of the SPF verdicts and take action on them by creating filters; otherwise, having SPF verdicts by setting them ON in the mail flow policies won't be effective.
Please follow the documents below for more details.
https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-spf-dkim-dmarc.pdf
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/213939-esa-configure-dkim-signing.html

Also, you can enable Forged Email Detection, which will make sure that the names of senior executives in your organization are not used to send forged emails into your organization. Please refer to the document below for more details:
https://www.cisco.com/c/dam/en/us/products/collateral/security/email-security-appliance/guide-c07-738017.pdf

Additional items that may help...

White Paper: Detecting Spoof

http://cs.co/9005DerYF

How-to: Enable Spoof Protection

http://cs.co/9006DcyDp

DMARC Lookup Tools:

https://www.agari.com/project/dmarc

https://dmarcian.com/dmarc-inspector

DMARC Wizard:

https://dmarc.globalcyberalliance.org

DMARC Aggregation Reporting Tool:

http://dmarc.postmarkapp.com/

Others:

https://dmarc.org/2016/03/best-practices-for-email-senders/
https://blog.manchestergreyhats.co.uk/posts/spf-dkim-dmarc-where-to-start/

Cheers,
Pratham
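The two steps the replies above describe (turn on SPF/DKIM/DMARC verification in the Mail Flow Policy, then act on the verdicts with an incoming content filter) can be walked through offline. The Python below is an example added by the editor; it is not Cisco code and not taken from the appliance. Its DNS TXT records, IP addresses and domains are constructed for the demo, `org_domain` is a two-label simplification of what a real implementation does with the Public Suffix List, and only the ip4/ip6/include/all SPF mechanisms are implemented. It evaluates SPF for the envelope sender, checks DMARC identifier alignment against the From: header domain, and maps the published DMARC policy to the drop or quarantine action a verdict-based filter would take.

```python
"""Offline SPF and DMARC evaluation in the style of the ESA flow described
above: compute a verdict, then let a filter act on it.  Editor's example,
not Cisco code; DNS data is constructed inline instead of being looked up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed TXT records standing in for live DNS (assumption for the demo).
ZONE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "mail.example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record against the connecting IP.
    Supports ip4/ip6/include/all, enough for most real-world records."""
    if depth > 10:                      # RFC 7208 lookup limit
        return "permerror"
    record = ZONE_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # Membership across IP versions is simply False, never an error.
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            if check_spf(arg, ip, depth + 1) == "pass":
                return result
        else:
            return "permerror"          # mechanism this toy evaluator lacks
    return "neutral"                    # nothing matched and no "all" term


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a real implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(domain: str) -> Optional[dict]:
    """Find the DMARC record for the From: domain or its organizational domain."""
    record = (ZONE_TXT.get(f"_dmarc.{domain.lower()}")
              or ZONE_TXT.get(f"_dmarc.{org_domain(domain)}"))
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {"adkim": "r", "aspf": "r", "p": "none"}      # RFC 7489 defaults
    for kv in record.split(";"):
        key, sep, value = kv.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs equal names, relaxed equal org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    client_ip: str                      # connecting MTA address
    mail_from: str                      # envelope sender (RFC 5321.MailFrom)
    header_from: str                    # visible From: header (RFC 5322.From)
    dkim_domain: Optional[str] = None   # d= of a verified signature, if any
    dkim_result: str = "none"


def filter_action(msg: Message) -> dict:
    """Return SPF and DMARC verdicts plus the action a content filter would
    take: DMARC p=reject maps to drop, p=quarantine to quarantine."""
    mf_domain = msg.mail_from.rsplit("@", 1)[-1]
    hf_domain = msg.header_from.rsplit("@", 1)[-1]
    spf = check_spf(mf_domain, msg.client_ip)
    policy = parse_dmarc(hf_domain)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "action": "accept"}
    spf_ok = spf == "pass" and aligned(mf_domain, hf_domain, policy["aspf"])
    dkim_ok = (msg.dkim_result == "pass" and msg.dkim_domain is not None
               and aligned(msg.dkim_domain, hf_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return {"spf": spf, "dmarc": "pass", "action": "accept"}
    action = {"reject": "drop", "quarantine": "quarantine"}.get(policy["p"], "accept")
    return {"spf": spf, "dmarc": "fail", "action": action}


if __name__ == "__main__":
    # Constructed spoof: attacker IP, company domain in both sender fields.
    print(filter_action(Message("192.0.2.77", "bounce@example.com", "ceo@example.com")))
```

The case of an envelope sender at a domain with no SPF record and a forged From: at example.com is the pattern the DMARC step catches: SPF returns none, so nothing aligns, and the domain's p=reject yields drop. Relaxed alignment (aspf=r) is what lets a legitimate bounce address at mail.example.com still pass for a From: at example.com.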