As you start blocking spoofed emails based on configuration from the previous post you may need to make a few adjustments to your Incoming Content Filter. One of the them is to change final action for spoofed email from Drop and Discard to Quarantine. This may be needed to store messages for later review and release if found it to be from a legitimate sender.
You may also want to add notification action when spoofed email is quarantined. You can specify either distribution list or personal email. Modify subject line with custom notification and use variable $Subject to populate original text.
Your new Content Filter actions will look as following.
At last, there may be a case when a trusted 3rd party email system has to send email on behalf of the C-level executive to employees.To accommodate such behavior we’ll need to do logical OR on all Executive emails based on “from” field, then logical OR on “Envelop Sender” field for all senders we trust to spoof and combine both results with logical AND.
The content filter allows only logical AND or logical OR so to accomplish this task we’ll have to introduce Content Dictionary as matching condition.
First create dictionaries under Mail Policies > Dictionaries > Add dictionary…
Dictionary Execs will contain all C-level emails.
Dictionary TrustedDomains will contain all 3rd party domains we trust to spoof our emails from.
Next, let’s modify Content Filter to reflect new changes. Dictionaries will do logical OR and Content Filter conditions will be configured with logical AND.
In Part 3 I’ll talk about the message-id field as another way to identify trusted sender and how to trick Ironport to do multiple logical OR within Content Filter logic.