Cisco ESA: Warning disclaimer for all external inbound emails

It seems like every day I see a few phishing emails coming through despite multiple layers of security controls and rules in place and in these cases your users are the final line of defense. Security training, newsletters, and visual banners are all part of user education that can prove useful.

Take the following steps to enable Disclaimer banner on Cisco Ironport Email Security Appliance (ESA).

Go to Mail Policies > Text Resources > Add Text Resource. Give it a name, Select Disclaimer Template and enter your text.

HTML allows you to create Disclaimer that will really stand out.

Below is a sample code:

<table style=”border:1px #000000 solid” border=”0″ bgcolor=”#ffffe0″><tbody><tr><td><font color=”#ff3333″><strong>EXTERNAL EMAIL:</strong></font> Do not click any links or open any attachments unless you trust the sender and know the content is safe.</td></tr></tbody></table><table border=”0″><tbody><tr><td>&nbsp;</td></tr></tbody></table>

And this is how it will appear.

There are 2 places where you can enable this banner. One is under Network > Listeners > select your listener > Disclaimer Above > Select from the list.

The second option will give you better flexibility since it is part of a Content Filter logic. Add it under Mail Policies > Inbound Content Filter > Add Filter.

Add new Content Filter to Incoming Mail Policy. With content filters, you can test new Disclaimer based on source/destination email address or any other allowed Conditional logic.

One of the concerns may be the Disclaimer is too long and it prevents user from previewing email message contents on their mobile device. To address this issue you can shorten email banner to something similar below.

<table style=”border:1px #000000 solid” bgcolor=”#ffffe0″ border=”0″><tbody><tr><td><font color=”#ff3333″><strong>EXTERNAL MESSAGE</strong></font></td></tr></tbody></table><table border=”0″><tbody><tr><td>&nbsp;</td></tr></tbody></table>

This should be sufficient to preview the message and still provide awareness that email was originated from outside.

The effectiveness of this Disclaimer will certainly depend on the number of external emails that a user receives and with time the warnings may be ignored.  Modifying the Disclaimer text or colors at the time of increased suspicious activity will make it easier for users to identify potentially malicious emails.



8 comments On Cisco ESA: Warning disclaimer for all external inbound emails

Leave a Reply to John Cancel Reply

Your email address will not be published.

Site Footer

Sliding Sidebar