Stopping “CEO fraud” email scams with Cisco Ironport, Part 1

Recently there’s been an increase in e-mail scams in which the attacker spoofs a message from the C-Level executive and tricks someone at the organization into wiring funds to the schemers. FBI alert and this article go in a lot of details about this attack. My post will be about some of the controls we can put in place to minimize the impact of these email scams.

Cisco Ironport ESA

The first thing we need to do is analyze fraudulent message for headers we can match and filter on. Header info can be accessed from an email client. For example in MS Outlook open message, go to File > Properties. One header of interest will be From. It contains spoofed email id and hides real Envelop Sender. Unfortunately, this field can not be used in message filtering right away. The reason is that by default this header is not logged and need to be enabled for logging in CLI with logconfig command.

(Cluster ESA)> logconfig

Choose the operation you want to perform:
– NEW – Create a new log.
– EDIT – Modify a log subscription.
– DELETE – Remove a log subscription.
– SETUP – General settings.
LOGHEADERS – Configure headers to log.
– HOSTKEYCONFIG – Configure SSH host keys.
– CLUSTERSET – Set how logs are configured in a cluster.
– CLUSTERSHOW – Display how logs are configured in a cluster.

[]> logheaders

//Enter “from” header (headers are not case sensitive)

[]> from

//As more headers added they will show up at the prompt.


(Cluster ESA)> commit

Once enabled headers will show up in Ironport log as following.

(DCID 6314484) Delivery details: Message 18615550 sent to [(\’from\’, \'”John Smith” <>\’)]

Now all we need to do is build an incoming content filter and match spoofed email address under “Other Header” condition.

Ironport Other Header condition

In case we need to add more than one spoofed email to block, add new condition matching person’s email address and select “If one or more conditions match“.

Ironport Other Header condition logical OR

The final action for content filter specify drop and discard.

Ironport Drop (Final Action)

Final Content Filter will look as flowing. Do not forget to attach it to Incoming Mail Policy.

Ironport Content Filter Part 1

In Part 2 I’ll go over combining logical AND and OR and creating exceptions for trusted Marketing campaigns.




Leave a reply:

Your email address will not be published.

Site Footer

Sliding Sidebar