Stopping “CEO fraud” email scams with Cisco Ironport, Part 2

As you start blocking spoofed emails based on the configuration from the previous post, you may need to make a few adjustments to your Incoming Content Filter. One of them is to change the final action for spoofed email from Drop and Discard to Quarantine. This lets you store the messages for later review and release them if they turn out to be from a legitimate sender.

Ironport Quarantine Action

You may also want to add a notification action when a spoofed email is quarantined. You can specify either a distribution list or a personal email address. Modify the subject line with a custom notification and use the variable $Subject to populate it with the original subject text.

Ironport Spoof Alert Action

Your new Content Filter actions will look as follows.

Ironport Spoof Alert and Quarantine Action

Finally, there may be a case when a trusted 3rd-party email system has to send email on behalf of a C-level executive to employees. To accommodate this we'll need a logical OR across all executive emails on the "From" field, then a logical OR on the "Envelope Sender" field across all senders we trust to spoof, and then combine both results with a logical AND.

The content filter allows only a single logical AND or logical OR across its conditions, so to accomplish this we'll introduce a Content Dictionary as the matching condition.

First create dictionaries under Mail Policies > Dictionaries > Add dictionary…

Dictionary Execs will contain all C-level emails.

Ironport Spoof Dictionary Exec

Dictionary TrustedDomains will contain all 3rd party domains we trust to spoof our emails from.

Ironport Spoof Dictionary Trusted Domains

Next, let's modify the Content Filter to reflect the new changes. The dictionaries provide the logical OR, and the Content Filter conditions will be configured with a logical AND.

Ironport Content Filter Part 2
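To make the resulting logic concrete, here is an added Python model of how the filter evaluates a message (example code, not IronPort configuration or the author's own): each dictionary is an OR across its entries, the two conditions are ANDed, and a match triggers Quarantine plus a notification whose subject expands $Subject. The dictionary contents, the example addresses and the assumption that the Envelope Sender condition is negated (exec From AND sender not trusted) are constructed for this illustration; the internal-domain condition from Part 1 is not modelled.

```python
from email.utils import parseaddr

# Constructed stand-ins for the two IronPort Content Dictionaries on this page.
EXECS = {"ceo@example.com", "cfo@example.com"}            # dictionary "Execs"
TRUSTED_DOMAINS = {"hrvendor.example", "newsletter.example"}  # dictionary "TrustedDomains"

NOTIFICATION_SUBJECT = "[Spoof Alert] $Subject"  # custom subject using the $Subject variable


def from_matches_execs(from_header: str) -> bool:
    """Dictionary match on the From header: logical OR over every Execs entry.

    A dictionary term matches anywhere in the header text, so a forged display
    name such as '"ceo@example.com" <attacker@evil.example>' is caught as well.
    """
    header = from_header.lower()
    return any(term in header for term in EXECS)


def envelope_sender_domain(envelope_sender: str) -> str:
    """Domain part of the SMTP MAIL FROM (Envelope Sender); '' for a null sender '<>'."""
    _, addr = parseaddr(envelope_sender)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_is_trusted(envelope_sender: str) -> bool:
    """Dictionary match on the Envelope Sender: logical OR over TrustedDomains."""
    return envelope_sender_domain(envelope_sender) in TRUSTED_DOMAINS


def evaluate(from_header: str, envelope_sender: str, subject: str):
    """Assumed filter: (From matches Execs) AND NOT (Envelope Sender in TrustedDomains).

    Returns (action, notification_subject); notification_subject is None when delivered.
    """
    if from_matches_execs(from_header) and not sender_is_trusted(envelope_sender):
        alert = NOTIFICATION_SUBJECT.replace("$Subject", subject)
        return "QUARANTINE", alert
    return "DELIVER", None


if __name__ == "__main__":
    # Constructed sample messages: a trusted vendor sending on the CEO's behalf,
    # a spoof from an untrusted sender, and a forged display name.
    print(evaluate('"CEO" <ceo@example.com>', "bounce@hrvendor.example", "Payroll update"))
    print(evaluate('"CEO" <ceo@example.com>', "ceo@mail-evil.example", "Urgent wire"))
    print(evaluate('"ceo@example.com" <attacker@evil.example>', "attacker@evil.example", "Invoice"))
```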

In Part 3 I'll talk about the Message-ID field as another way to identify a trusted sender, and how to get Ironport to do multiple logical ORs within the Content Filter logic.
