Cisco Email Security Appliance X1050 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Addressing Envelope From Abuse
Below are the logs from two messages in Alan’s mailbox titled “Mail From Abuse” and “Know your Benefits update
from Alpha.” Note that wsa.train is an illegitimate sender, and mail.outside.com is a legitimate one.
Note: In the above logs, the From and To fields are actually “mail from” and “rcpt to,” respectively, in the SMTP
envelope. The same is true for message tracking reports. The following procedure using sender verification will
drop mail for violations in the SMTP connection. You can also do the same with a message filter.
Recommended remediation: Identify legitimate and illegitimate senders in the Mail From field. Allow legitimate senders
while blocking illegitimate ones by configuring:
● Mail flow policy
● HAT
● Exception table
Or view the Cisco video at:
When using sender verification, you must know the details of any legitimate mailers so that you can add their
domains to your SPOOF_ALLOW sender group. Sender verification will block all domains that use your domain in
the Envelope From, including legitimate senders, if you don’t implement exceptions for them. Messages that
illegitimately use your domain will be dropped at the beginning of the SMTP conversation in the listener at the HAT.
See Figure 4 for this position in the pipeline.
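Before enabling sender verification, it helps to list every host that already sends mail with your domain in the Envelope From, so that legitimate mailers can be added to SPOOF_ALLOW first. The script below is an added example, not Cisco code and not the appliance's implementation: it models the allow/drop decision described above over constructed records. The domain alpha.example, the one-line record format and the partial-hostname matching rule are assumptions.

```python
from collections import defaultdict

OWN_DOMAINS = {"alpha.example"}      # assumption: the domain being protected
SPOOF_ALLOW = {"mail.outside.com"}   # legitimate external mailer named in the text

# Constructed sample records, one per line: "<connecting host> <envelope MAIL FROM>"
SAMPLE = """\
mail.outside.com benefits@alpha.example
wsa.train alan@alpha.example
wsa.train <HR@Alpha.Example>
relay.partner.example news@partner.example
mail.outside.com <>
"""

def envelope_domain(mail_from):
    """Return the lower-cased domain of a MAIL FROM value, or None for <> or junk."""
    addr = mail_from.strip().strip("<>").strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def uses_own_domain(domain, own=OWN_DOMAINS):
    """True when the domain is one of ours or a subdomain of one of ours."""
    return any(domain == d or domain.endswith("." + d) for d in own)

def host_allowed(host, allow=SPOOF_ALLOW):
    """Exact hostname match, or suffix match for entries written as '.example.com'."""
    host = host.lower().rstrip(".")
    return any(host.endswith(e) if e.startswith(".") else host == e
               for e in (a.lower() for a in allow))

def classify(host, mail_from):
    """Model of the policy: own-domain Envelope From is dropped unless host is allowed."""
    domain = envelope_domain(mail_from)
    if domain is None or not uses_own_domain(domain):
        return "not-applicable"
    return "allow" if host_allowed(host) else "drop"

def audit(text):
    """Count messages per verdict and connecting host, for review before rollout."""
    report = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            report[classify(*parts)][parts[0].lower()] += 1
    return {verdict: dict(hosts) for verdict, hosts in report.items()}

if __name__ == "__main__":
    for verdict, hosts in sorted(audit(SAMPLE).items()):
        print(verdict, hosts)
```

Every host listed under "drop" is one to review: if it is a legitimate mailer, add it to SPOOF_ALLOW before sender verification goes live.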