Spoofed Email Oddity with reply-to:

sam_wynens
Level 1

Ran into this on a customer's IronPort running v8.5.6-106 (I need to upgrade them).

I was building a content filter to check if the From: header matched the company domain and if the mail-from: was a different domain and ran into an issue with another policy. They have a whitelisted senders policy that permits any email from listed domains w/o anti-spam checking.

The content filter looks like this:

 Conditions:
  Apply rule:
   Only if all conditions match
  Envelope Sender:
   mail-from != "companydomain\\.com"
  Subject Header:
   subject != "(?i)(fw:|re:)"
  Subject Header:
   subject != "(?i)(\[SUSPECTED SPAM\]|\[SUSPECT SPAM\])"
  Other Header:
   header("From") == "(?i)companydomain\\.com"
   
 Actions:
  Add/Edit Header:
   edit-header-text("Subject", "(.*)", "[SUSPECT SPAM]")

To test this filter I ran the following commands from an external server after the TLS session had been established:

mail from: test@externaldomain.com
rcpt to: test_user@companydomain.com
data
From: "Sam" <sam@companydomain.com>
To: "Test User" <test_user@companydomain.com>
reply-to: "Sam" <sam@whitelisteddomain.com>
Subject: Blah blah blah

blah blah blah
.

What I noticed was that when the email was passed through the filters, it got flagged as being from a whitelisted sender even though the envelope sender was just a normal domain. If I remove the reply-to: line, it processes as expected. This can be duplicated in the trace utility as well.

Is this normal behavior?

Bear with me, I'm just getting involved with IronPorts ;)

Sam

1 Reply

Mathew Huynh
Cisco Employee

Hey Sam,

I assume the Whitelisted sender policy is within the Incoming Mail Policies, where the domain specified in "Reply-To" is within that Whitelisted policy where anti-spam is disabled (so the content filter you configured will not work).

For the recipient policy matching that is done, it will match on the following criteria, which will provide you details as to why your test email matched that whitelisted sender policy setup.

As per the Online Help Guide:

Matching Users to a Mail Policy

As messages are received by the appliance, the Email Security appliance attempts to match each message recipient and sender to a mail policy in the Incoming or Outgoing Mail Policies table, depending on whether it is an incoming or outgoing message.

Matches are based on the recipient’s address, the sender’s address, or both:

 • Recipient address matches the Envelope Recipient address
When matching recipient addresses, the recipient addresses entered are the final addresses after processing by preceding parts of the email pipeline. For example, if enabled, the default domain, LDAP routing or masquerading, alias table, domain map, and message filters features can rewrite the Envelope Recipient address and may affect whether the message matches a mail policy.

 • Sender address matches:
 – Envelope Sender (RFC821 MAIL FROM address)
 – Address found in the RFC822 From: header
 – Address found in the RFC822 Reply-To: header
Addresses may be matched on either a full email address, user, domain, or partial domain, and addresses may also match LDAP group membership.

I hope this helps clear it up :).

Thank you,

Matthew
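To make the matching rule from the help guide concrete, here is an added Python example (not Cisco's code and not part of this thread) that takes the test message from the original post, extracts the three sender identities a mail policy can match on (envelope MAIL FROM, RFC822 From:, RFC822 Reply-To:), and shows that the whitelist policy matches only because of the Reply-To: header, while the From-vs-MAIL-FROM spoof check still fires. The order in which identities are checked and the domain-only matching are assumptions for illustration; the ESA's real precedence is not stated in the thread.

```python
import email
from email.utils import parseaddr

# Constructed sample: the DATA section of the test message from the thread,
# plus the envelope sender from the same SMTP session.
RAW_MESSAGE = (
    'From: "Sam" <sam@companydomain.com>\r\n'
    'To: "Test User" <test_user@companydomain.com>\r\n'
    'Reply-To: "Sam" <sam@whitelisteddomain.com>\r\n'
    'Subject: Blah blah blah\r\n'
    '\r\n'
    'blah blah blah\r\n'
)
MAIL_FROM = "test@externaldomain.com"


def domain_of(addr):
    """Lower-cased domain part of a header/envelope address, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def sender_domains(mail_from, raw_message):
    """The sender identities an Incoming Mail Policy may match on, per the
    help guide: envelope MAIL FROM, RFC822 From:, and RFC822 Reply-To:."""
    msg = email.message_from_string(raw_message)
    return {
        "mail-from": domain_of(mail_from),
        "from": domain_of(msg.get("From")),
        "reply-to": domain_of(msg.get("Reply-To")),
    }


def policy_matches(whitelisted_domains, mail_from, raw_message):
    """Name of the first sender identity whose domain is in the whitelist
    (check order is an assumption), or None when the policy does not match."""
    for name, dom in sender_domains(mail_from, raw_message).items():
        if dom in whitelisted_domains:
            return name
    return None


def is_spoofed_internal(company_domain, mail_from, raw_message):
    """Logic of the content filter in the thread: the From: header claims the
    company domain while the envelope sender comes from somewhere else."""
    d = sender_domains(mail_from, raw_message)
    return d["from"] == company_domain and d["mail-from"] != company_domain
```

Removing the Reply-To: line from the sample makes `policy_matches` return None, which is the behaviour Sam observed in the trace utility.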