Cisco ESA Bounce Verification to avoid a Denial of Service (DoS) of your email infrastructure.

meddane
Frequent Contributor

How Bounce Verification works on the Cisco ESA to avoid a Denial of Service (DoS) of your email infrastructure.

The idea behind this kind of attack (known as backscatter) is that the attacker sends messages, typically spam to many external recipients, with the spoofed address of a legitimate user of your domain in the envelope sender (the MAIL FROM), let's say joe@lab.pub.

The MTAs located outside are not responsible for the lab.pub domain; when they cannot deliver the message, or reject it after having accepted it, they generate a bounce (DSN) to the apparent sender. These bounces arrive with an empty envelope sender (MAIL FROM: <>) and with RCPT TO: joe@lab.pub. The Cisco ESA accepts them and propagates them into your email infrastructure: thousands of useless bounce messages enter and can bring your mail servers down.

Bounce Verification is a very useful feature. The idea is to tell the Cisco ESA to tag every outbound message, more precisely to rewrite the envelope sender (MAIL FROM): joe@lab.pub becomes prvs=123ABC=joe@lab.pub, where 123ABC is the tag. How is a unique tag obtained for each user? The tag is computed by hashing the user and domain portion of the address together with, very importantly, a secret key known only to the ESA.

When illegitimate bounce messages arrive on the listener of the Cisco ESA with RCPT TO: joe@lab.pub, the Cisco ESA drops them because the tag is missing (or does not verify). Legitimate bounces come back to the tagged address prvs=123ABC=joe@lab.pub; the ESA verifies the tag with its secret key, removes it and delivers the bounce to joe@lab.pub.
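As an added example that is not part of the original post and not Cisco's code, here is the tagging and verification logic modelled in Python: an HMAC over user, domain and a secret key produces the tag, the outbound MAIL FROM is rewritten to the prvs= form, and on the inbound listener only bounces (null sender) are checked and untagged. The secret key, the tag length (10 hex characters, truncated HMAC-SHA256) and the sample addresses are assumptions; the page does not describe the ESA's exact hash or tag format.

```python
"""BATV-style bounce verification as described above (added example, not ESA code).

Key, tag length and the inbound sample messages are constructed for illustration.
"""
import hashlib
import hmac
import re

# Hypothetical secret; on the ESA this corresponds to the bounce verification tag key.
SECRET_KEY = b"constructed-demo-key-rotate-me"

# prvs=<TAG>=<local>@<domain>
TAGGED_RE = re.compile(r"^prvs=(?P<tag>[0-9A-F]+)=(?P<local>[^@]+)@(?P<domain>[^@]+)$")


def compute_tag(local: str, domain: str, key: bytes) -> str:
    """Tag = truncated HMAC-SHA256 over user and domain with the secret key.

    The domain is lower-cased because SMTP domains are case-insensitive; the
    local part is kept as-is. Truncation to 10 hex characters is an assumption.
    """
    msg = f"{local}@{domain.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:10].upper()


def tag_sender(mail_from: str, key: bytes) -> str:
    """Rewrite the outbound envelope sender: joe@lab.pub -> prvs=TAG=joe@lab.pub."""
    if mail_from == "":            # never tag the null sender (our own bounces)
        return mail_from
    if TAGGED_RE.match(mail_from):  # already tagged: do not tag twice
        return mail_from
    if "@" not in mail_from:
        raise ValueError(f"not an address: {mail_from!r}")
    local, _, domain = mail_from.rpartition("@")
    return f"prvs={compute_tag(local, domain, key)}={local}@{domain}"


def verify_tagged_address(rcpt_to: str, key: bytes):
    """Return (True, original_address) if rcpt_to carries a valid tag, else (False, None)."""
    m = TAGGED_RE.match(rcpt_to)
    if not m:
        return False, None
    expected = compute_tag(m["local"], m["domain"], key)
    # constant-time comparison so the check does not leak the tag byte by byte
    if not hmac.compare_digest(expected, m["tag"]):
        return False, None
    return True, f"{m['local']}@{m['domain']}"


def inbound_decision(mail_from: str, rcpt_to: str, key: bytes):
    """Listener policy: bounce verification only applies to bounces (MAIL FROM:<>).

    Returns ("accept", address_to_deliver_to) or ("drop", reason).
    """
    if mail_from != "":
        return "accept", rcpt_to          # ordinary inbound mail, not a bounce
    ok, original = verify_tagged_address(rcpt_to, key)
    if ok:
        return "accept", original         # legitimate bounce: untag and deliver
    return "drop", "bounce to untagged or invalidly tagged address"


def run_listener(messages, key: bytes):
    """Apply inbound_decision to a list of (mail_from, rcpt_to) envelopes."""
    return [inbound_decision(mf, rt, key) for mf, rt in messages]


if __name__ == "__main__":
    outbound = tag_sender("joe@lab.pub", SECRET_KEY)
    print("outbound MAIL FROM rewritten to:", outbound)
    # Constructed inbound envelopes seen by the listener.
    inbound = [
        ("", outbound),                          # genuine bounce to our tagged address
        ("", "joe@lab.pub"),                     # backscatter: attacker spoofed the plain address
        ("", "prvs=0000000000=joe@lab.pub"),     # backscatter with a guessed tag
        ("alice@example.net", "joe@lab.pub"),    # normal inbound mail, no check applied
    ]
    for (mf, rt), decision in zip(inbound, run_listener(inbound, SECRET_KEY)):
        print(f"MAIL FROM:<{mf}> RCPT TO:<{rt}> -> {decision}")
```

Two caveats a practitioner should keep in mind. The tag here depends only on user, domain and key, so once an attacker has seen one tagged outbound address it stays valid for replay; BATV-style schemes and key rotation add a time component so tags expire. And any remote system that rewrites or strips the tagged sender before it bounces will return an untagged bounce, which this policy drops, so rolling the feature out in a tag-and-filter mode before switching to reject lets you see what would be lost.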

[Figure: bounce-topo.png]


1 Comment
stadlmeierroland
Beginner

Hi,

I recently enabled this feature on our ESAs, but instead of rejecting those messages I only tag them and configured a content filter on this tag. I did this by following the Technote provided by Cisco (https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117918-technote-esa-00.html).

But it turned out that legitimate bounces are also marked as invalid. I found a discussion on this forum where this issue is described, especially when emails are sent to Exchange (Online), and I assume I have run into the same problem.

Is there any workaround to bypass this issue?

Thank you,

Roland