Cisco Email Security Appliance X1050 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 8 of 22
experience who have been working to protect customers from these attacks. These are guidelines rather than fixed
antidotes for particular problems. Implement these solutions in an ongoing process of monitor, warn, and enforce.
Monitor
You need to monitor all inbound spoofing traffic, legitimate and illegitimate. For that, identify the domain names that
should not be values in the Envelope From or From headers and make them members of a dictionary. We’ve done
this in Figure 4 with No_Spoof_Domains. Create a filter and put into a Spoofs quarantine a copy of every email
where the Mail From or the From header matches a domain in the dictionary. Set a reasonable Delete on Expire
policy (possibly 7 days). This practice gives you visibility into what is being spoofed.
Also consider spoofing from legitimate mailer services that are abused by illegitimate clients. Focusing on the From
header, make a dictionary for executive names, called Execs. Also, list internal group names such as “IT-Support-
Services” that should not be in the From header. One form of malware attack is to infect an internal client, causing
it to harvest the LDAP directory for executive names and group mailing lists. All the possible violations of From and
Mail From values resulting from such a query need to be considered in your Monitor filter. Copy the filter matches
to quarantine and possibly notify the admin with a copied attachment (see Figure 7). Send the original message to
the recipient untouched.
Figure 7. Message Filter: Monitor All Spoof
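The Monitor logic described above, as an added example in Python rather than Cisco message-filter syntax (it is not code from this paper): the dictionary contents, the header-check order and the action names are constructed assumptions standing in for No_Spoof_Domains, Execs and the Spoofs quarantine.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed dictionaries standing in for the paper's No_Spoof_Domains and
# Execs dictionaries; the values are invented samples, not Cisco's.
NO_SPOOF_DOMAINS = {"example.com", "mail.example.com"}
EXECS = {"jane doe", "john roe"}
INTERNAL_GROUPS = {"it-support-services", "hr-announcements"}


def _domain(address):
    """Return the lowercase domain part of an address, or '' if it has none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def monitor_spoof(envelope_from, raw_message):
    """Evaluate one inbound message the way the Monitor filter does.

    envelope_from is the SMTP MAIL FROM value; raw_message is the RFC 5322
    message text. Returns the matched conditions, in check order; an empty
    list means nothing was spoofed according to the dictionaries.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    reasons = []
    if _domain(envelope_from) in NO_SPOOF_DOMAINS:
        reasons.append("mail-from-domain")
    if _domain(from_addr) in NO_SPOOF_DOMAINS:
        reasons.append("from-header-domain")
    name = display_name.strip().lower()
    if name in EXECS:
        reasons.append("from-header-exec-name")
    if name in INTERNAL_GROUPS:
        reasons.append("from-header-group-name")
    return reasons


def monitor_action(envelope_from, raw_message):
    """Map matches to the paper's actions: copy to the Spoofs quarantine and
    notify the admin on a hit; the original is always delivered untouched."""
    reasons = monitor_spoof(envelope_from, raw_message)
    return {"deliver_original": True,
            "quarantine_copy": bool(reasons),
            "notify_admin": bool(reasons),
            "reasons": reasons}


# Constructed sample: an outside sender impersonating an executive at a
# protected domain in the From header (all addresses are invented).
SAMPLE = ("From: Jane Doe <ceo@example.com>\r\n"
          "To: finance@example.com\r\nSubject: Urgent wire\r\n\r\nPlease pay.\r\n")
```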
Warn
Modifying the subject header of incoming messages will break digital signatures. However, until an enforcement
policy is in place, we suggest warning all employees receiving an incoming message with the subject tag [External
Sender] (see Figure 8).
The day that a spoofing attack is realized, you need to begin both the warn and the monitor phases of your
defense. In Figure 4 see the relative positions of these message filters in the pipeline. Once the Enforce filter is in
place, you can remove the warn message filter.