Recently there’s been an increase in e-mail scams in which the attacker spoofs a message from the C-Level executive and tricks someone at the organization into wiring funds to the schemers. FBI alert and this article go in a lot of details about this attack. My post will be about some of the controls we can put in place to minimize the impact of these email scams.
Cisco Ironport ESA
The first thing we need to do is analyze fraudulent message for headers we can match and filter on. Header info can be accessed from an email client. For example in MS Outlook open message, go to File > Properties. One header of interest will be From. It contains spoofed email id and hides real Envelop Sender. Unfortunately, this field can not be used in message filtering right away. The reason is that by default this header is not logged and need to be enabled for logging in CLI with logconfig command.
(Cluster ESA)> logconfig
Choose the operation you want to perform:
– NEW – Create a new log.
– EDIT – Modify a log subscription.
– DELETE – Remove a log subscription.
– SETUP – General settings.
– LOGHEADERS – Configure headers to log.
– HOSTKEYCONFIG – Configure SSH host keys.
– CLUSTERSET – Set how logs are configured in a cluster.
– CLUSTERSHOW – Display how logs are configured in a cluster.
//Enter “from” header (headers are not case sensitive)
//As more headers added they will show up at the prompt.
(Cluster ESA)> commit
Once enabled headers will show up in Ironport log as following.
(DCID 6314484) Delivery details: Message 18615550 sent to email@example.com [(\’from\’, \'”John Smith” <firstname.lastname@example.org>\’)]
Now all we need to do is build an incoming content filter and match spoofed email address under “Other Header” condition.
In case we need to add more than one spoofed email to block, add new condition matching person’s email address and select “If one or more conditions match“.
The final action for content filter specify drop and discard.
Final Content Filter will look as flowing. Do not forget to attach it to Incoming Mail Policy.
In Part 2 I’ll go over combining logical AND and OR and creating exceptions for trusted Marketing campaigns.