Cisco Email Security Appliance X1050 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 12 of 22
Addressing From Header Abuse
Sender verification will not stop messages where the Envelope From and From header values do not agree. The
following message was delivered after sender verification was enabled. Here is a sample caught by our Monitor
filter but missed by sender verification.
Figure 11. “From Header” Abuse
” as an internal sender, and react to its call to action. For example, sensitive corporate information could be sent back to Reply-To: <john@mmkt2r2.tztk.ru>. The recipients are unaware of the actual sender’s mailbox, since they can’t see the Return-Path or the Reply-To address in the client (Outlook, for instance) unless viewing the detailed headers. Most mobile devices cannot provide this detail. Outlook hides it by default.
There are two methods to detect this From value:
1. Publish SPF records for your domain alpha.com, and enable SPF and System Independent Data Format
(SIDF) verification in your default mail flow policy. Set the conformance level to SIDF Compatible and write
either a message filter or a content filter that detects SPF failures stamped into the header. (See Figure 12.)
2. Create a dictionary that accounts for executives. In this case, one entry will be John Chambers. For every
executive name, the dictionary needs to include the username and all possible surnames as terms. When the
Executive Name dictionary is complete, use a content filter or message filter to match on the From header
value for incoming messages. Your dictionary needs to be part of the Monitor filter to catch false positives from
external mail expanders. Be sure to run the system for trial periods before quarantining matches.
Recommended remediation: Create a filter that inspects SPF failures or matches on an Executive Name
dictionary and removes the From header in the body of the message. From header removal will cause the
Envelope From value to automatically be written into the From field. This makes the actual sender’s address
viewable in the message inbox. Save the original From value in an X-header to support your action (shown in
the next example).
Return-Path: <john.chambers@wsa.train>
Received: from smtp.alpha.com (smtp.alpha.com [192.168.10.101])
by exchange.inside.com (8.13.1/8.13.1) with ESMTP id u3I314R9029303
for <alan@exchange.alpha.com>; Sun, 17 Apr 2016 23:01:04 -0400
Message-Id: <201604180301.u3I314R9029303@exchange.inside.com>
X-IronPort-Headers
Received: from vmware-inside.wsa.train (HELO wsa.train) ([192.168.42.2])
by smtp.alpha.com with ESMTP; 17 Apr 2016 20:02:26 -0700
From: John <john.chambers@alpha.com>
To: All.Alpha.Employees@exchange.inside.com
Subject: Friendly FROM Abuse
Reply-To: <john@mmkt2r2.tztk.ru >
Date: Sat, 16 Apr 2016 15:20:30 -0700
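The following Python script is an added example, not Cisco's code or the ESA filter language: it applies method 2 (the Executive Name dictionary) together with the Envelope From versus From comparison to the message above, then performs the recommended remediation. The header name X-Original-From, the dictionary contents and the one-line body are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the "Friendly FROM Abuse" headers from the page, plus a body.
SAMPLE = """Return-Path: <john.chambers@wsa.train>
From: John <john.chambers@alpha.com>
To: All.Alpha.Employees@exchange.inside.com
Subject: Friendly FROM Abuse
Reply-To: <john@mmkt2r2.tztk.ru >
Date: Sat, 16 Apr 2016 15:20:30 -0700

Please send me the Q2 numbers at this address.
"""

INTERNAL_DOMAIN = "alpha.com"
# Executive Name dictionary: username plus every surname spelling (method 2).
EXEC_DICTIONARY = {"john.chambers", "john", "chambers"}

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    addr = parseaddr(header_value or "")[1].strip().lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def executive_name_match(from_value):
    """True when the From display name or local part hits the dictionary."""
    name, addr = parseaddr(from_value)
    local = addr.split("@")[0].lower()
    words = set(re.findall(r"[a-z]+", name.lower())) | {local}
    return bool(words & EXEC_DICTIONARY)

def detect_from_header_abuse(msg):
    """Return a reason when From claims the internal domain, the Envelope From
    does not, and From matches an executive; None otherwise."""
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    if from_domain != INTERNAL_DOMAIN or envelope_domain == INTERNAL_DOMAIN:
        return None
    if not executive_name_match(msg["From"]):
        return None
    return "From claims %s, envelope sender is %s, Reply-To goes to %s" % (
        from_domain, envelope_domain, domain_of(msg["Reply-To"]) or "n/a")

def remediate(msg):
    """Keep the original From in an X-header (X-Original-From is an assumed
    name), drop From, and let the Envelope From be written into From."""
    msg["X-Original-From"] = msg["From"]
    del msg["From"]
    msg["From"] = parseaddr(msg["Return-Path"])[1]  # emulates the MTA rewrite
    return msg
```

Run the detector in monitor mode over a trial period first, as the page advises, and review what the dictionary matches before turning on quarantine or header rewriting.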