Cisco Cisco Email Security Appliance X1050 Libro blanco

Page 10 of 22

Addressing Envelope From Abuse

Below

are the logs from two messages in Alan’s mailbox titled “Mail From Abuse” and “Know your Benefits update

from Alpha.” Note that wsa.train is an illegitimate sender, and mail.outside.com is a legitimate one.

Note: In the above logs, the From and To fields are actually “mail from“ and “rcpt to,“ respectively, in the SMTP
envelope. The same is true for message tracking reports. The following proceedure using sender verification will

drop mail for violations in the SMTP connection. You can also do the same with a message filter.

Recommended remediation: Identify legitimate and illegitimate in the Mail From field. Allow legitimate senders

while blocking illegitimate ones by configuring:

●

Mail flow policy

●

HAT

●

Exception table

For more information, see the Tech Zone article at:

https://techzone.cisco.com/t5/Email-Security-Appliance-

ESA/Spoof-Protection-using-Sender-Verification/ta-p/273384

Or view the Cisco video at:

https://www.youtube.com/watch?v=mG86aih6Pko&list=PLURIAlKNm1OfUONNsRERA-VtX2WiYNS6P&index=

When using sender verification, you must know the details of any legitimate mailers so that you can add their

domains to your SPOOF_ALLOW sender group. Sender verification will block all domains that use your domain in
the Envelope From, including legitimate senders, if you don’t implement exceptions for them. Messages that

illegitimately use your domain will be dropped at the beginning of the SMTP conversation in the listener at the HAT.

See Figure 4 for this position in the pipeline.