Cisco Email Security Appliance X1050 White Paper

© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. 
Page 7 of 22 
● Track and update members in your SPOOF_ALLOW sender group (HAT), if you have one 
● Track and update allowed senders in your SPF records, if you publish them 
● Drop positively identified spam 
● Enable graymail detection and flag or place instances in the spam quarantine 
● Enable URL filtering to give visibility into URL-based threats 
● Enable message modification in outbreak filters to rewrite suspicious and malicious URLs 
● Publish your company’s DKIM, SPF and DMARC records 
● Enable DMARC verification 
● Modify your HAT to address spoofing (see below) 
Details on these best practices are available at: . 
Note: Publishing DNS TXT records for sender authentication gives you better fraud detection than maintaining dictionaries alone. However, methods of publishing these are beyond the scope of this white paper. 
Host Access Table Modification to Prevent Spoofing 
Look at decision blocks 2, 3, and 4 in Figure 5. Incoming messages that fail a DNS check or do not have any SBRS scores will drop to the UNKNOWNLIST. To avoid that result for messages that spoof with Envelope From abuse, we’ve segmented off part of the UNKNOWNLIST SBRS range for a CAUTION_LIST (see Figure 6). “Include SBRS Scores of None” is included in group 4, and “Connecting Host DNS Verification” is included in group 5. 
This segmentation allows you to specialize the mail-flow policies for messages that fail these checks. You may be introducing delays for some legitimate messages. Not shown here is an ALLOWED_SPOOFER list for legitimate mailers that can send messages to your organization. 
Figure 6.    Modified Host Access Table to Address Forged Mail 
 
 
Some spoofers drive the SMTP connection manually over telnet and accidentally break the syntax rules in RFC 2821. Strict parsing on the listener will catch some of these (see decision block 1 in Figure 5), but sophisticated attackers won’t be dissuaded. 
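As an added illustration (not from this white paper or the appliance's own software), the following Python models HAT evaluation order so the effect of the CAUTION_LIST carve-out can be checked: a connection with no SBRS score or a failed connecting-host DNS verification lands in UNKNOWNLIST under a default table and in CAUTION_LIST under the modified one, while an ALLOWED_SPOOFER entry and strict-parsing rejection are evaluated first. The score thresholds, the sample addresses and the "REJECTED" outcome for malformed SMTP are assumptions for illustration, not appliance defaults.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Connection:
    ip: str
    sbrs: Optional[float]   # SenderBase Reputation Score; None = no score returned
    dns_verified: bool      # result of "Connecting Host DNS Verification"
    syntax_ok: bool         # strict SMTP parsing (RFC 2821) on the listener passed

# Hosts permitted to send mail on the organization's behalf (constructed sample).
ALLOWED_SPOOFER_IPS = {"198.51.100.10"}
# A HAT is an ordered list of (sender group, predicate); the first match wins.
# Score thresholds below are assumptions for illustration, not appliance defaults.
Rule = Tuple[str, Callable[[Connection], bool]]

DEFAULT_HAT: List[Rule] = [
    ("WHITELIST",   lambda c: c.sbrs is not None and c.sbrs >= 6.0),
    ("BLACKLIST",   lambda c: c.sbrs is not None and c.sbrs <= -3.0),
    ("SUSPECTLIST", lambda c: c.sbrs is not None and -3.0 < c.sbrs < -1.0),
    # No score and failed DNS verification both fall through to here.
    ("UNKNOWNLIST", lambda c: True),
]

MODIFIED_HAT: List[Rule] = [
    ("ALLOWED_SPOOFER", lambda c: c.ip in ALLOWED_SPOOFER_IPS),
    ("WHITELIST",   lambda c: c.sbrs is not None and c.sbrs >= 6.0),
    ("BLACKLIST",   lambda c: c.sbrs is not None and c.sbrs <= -3.0),
    ("SUSPECTLIST", lambda c: c.sbrs is not None and -3.0 < c.sbrs < -1.0),
    # CAUTION_LIST carved out of the UNKNOWNLIST range: the low end of that
    # range, plus "Include SBRS Scores of None" and failed host DNS verification.
    ("CAUTION_LIST", lambda c: c.sbrs is None or not c.dns_verified
                               or -1.0 <= c.sbrs < 1.0),
    ("UNKNOWNLIST", lambda c: True),
]

def classify(table: List[Rule], conn: Connection) -> str:
    """Return the sender group a connection lands in under the given HAT."""
    if not conn.syntax_ok:
        return "REJECTED"   # strict parsing refuses malformed SMTP before the HAT
    for group, matches in table:
        if matches(conn):
            return group
    raise RuntimeError("HAT has no catch-all sender group")

if __name__ == "__main__":
    probe = Connection("203.0.113.5", None, True, True)   # constructed: no SBRS
    for name, table in ("default", DEFAULT_HAT), ("modified", MODIFIED_HAT):
        print(f"{name}: {classify(table, probe)}")
```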
Forged Mail Resolution 
It is not typical for a Cisco customer to encounter all the spoofing variants described in the Problem section, but many are plagued by at least one. As a case study, we will be framing our suggested solutions for this multi-variant attack on the alpha.com domain. The suggestions come from Cisco Email Security experts with real-world