Cisco Email Security Appliance X1050 White Paper

© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. 
You can also create a filter that matches when the From value is an executive name and the message is destined to
multiple recipients. Counting recipients, however, requires a message filter, as shown in Figure 22. The rcpt-count
value depends on the organization. Either of the filters in Figures 20 or 22 will result in the modified message in Figure 21.
Figure 21.    Message Filter Remediation of Free Email Account Abuse 
 
Comprehensive Configuration to Address All Listed Spoofing Types 
The following filters represent all the concepts presented in this paper. We’ve tested the scripts that were
presented earlier against this configuration and obtained the same results as the individual filters. Like the earlier 
material, this is presented only as a suggestion for your environment. We have set the conditions for a positive 
spoof of Envelope From abuse, From header abuse, cousin domain abuse, or free mail abuse in the message filter 
block and then remediate the matches with content filters.  
There are different mail policies for executive and nonexecutive recipients, as shown below. Spoofs to executives 
have their headers modified and are “quarantine copied” to a policy quarantine. Any spoofs to nonexecutives have 
their headers modified and are sent to the spam quarantine. As you become more confident of your filter efficacy, 
you can change “quarantine copied” to quarantine.
 
 
[Figure: Message Filters (Positive_Spoof: If sendergroup!=.., Free_Mail_Spoof: If sendergroup!=..) and Incoming Mail Policies]
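
The two-stage flow described above (a filter flags the spoof, then the recipient's mail policy decides the remediation) can be replayed offline over constructed messages to try a recipient threshold before it goes into a filter. This is an added example in Python, not Cisco's filter code: the names, domains, action labels, sendergroup placeholder and threshold are all assumptions, and only the free mail abuse case is modelled.

```python
from email import message_from_string
from email.utils import parseaddr

# Every value below is constructed for illustration (assumptions, not Cisco's).
EXEC_NAMES = {"jane doe", "sam lee"}          # executive display names to protect
EXEC_RCPTS = {"sam.lee@example.com"}          # mailboxes under the executive policy
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}
EXEMPT_SENDERGROUP = "PLACEHOLDER_GROUP"      # the page elides the real value
RCPT_THRESHOLD = 3                            # site-specific, as the page notes

def is_free_mail_spoof(raw_msg, rcpts, sendergroup, need_multi_rcpt=False):
    """Filter stage: executive display name on a free-mail From address."""
    if sendergroup == EXEMPT_SENDERGROUP:
        return False
    name, addr = parseaddr(message_from_string(raw_msg).get("From", ""))
    name = " ".join(name.lower().split())     # normalise case and spacing
    domain = addr.rpartition("@")[2].lower()
    if name not in EXEC_NAMES or domain not in FREE_MAIL:
        return False
    # Optional recipient-count condition (the rcpt-count variant).
    return not need_multi_rcpt or len(rcpts) > RCPT_THRESHOLD

def route(raw_msg, rcpts, sendergroup, need_multi_rcpt=False):
    """Policy stage: per-recipient actions, split by executive mail policy."""
    if not is_free_mail_spoof(raw_msg, rcpts, sendergroup, need_multi_rcpt):
        return {r: ["deliver"] for r in rcpts}
    actions = {}
    for r in rcpts:
        if r.lower() in EXEC_RCPTS:
            # Quarantine copy: a copy is held for review, the original is delivered.
            actions[r] = ["modify-headers", "quarantine-copy:policy", "deliver"]
        else:
            actions[r] = ["modify-headers", "quarantine:spam"]
    return actions

# Constructed sample messages.
SPOOF = "From: Jane  Doe <jd.office@gmail.com>\nSubject: Urgent wire\n\nPlease pay.\n"
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Agenda\n\nSee attached.\n"

if __name__ == "__main__":
    rcpts = ["sam.lee@example.com", "bob@example.com"]
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, route(raw, rcpts, "OTHER_GROUP"))
```

Replaying a sample of real inbound traffic with `need_multi_rcpt=True` at several `RCPT_THRESHOLD` values shows how many legitimate messages a given recipient count would catch.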