In this article I will briefly discuss some content filters that I think could come in handy for IronPort ESA users.
Some of these can also be useful for outbound mail – for example, you should detect and notify when executables are sent outbound as it could be indicative of an internal outbreak which you obviously want to know about.
-
Quarantine Active Exploits
Use this content filter to block malicious e-mails (usually based on file type) that are based on active/in-the-wild exploits. For example, the 0-day .RTF exploit late last year that could cause remote code execution just by viewing a .RTF attachment in Outlook.
-
Quarantine or Drop invalid bounce backs
Set the condition: Other Header –> Header Name: X-Bounce-Valid with header value: Equals = Failed.
This filter will drop bounce backs from spoofed e-mails. i.e., a bounce back from someone you didn’t e-mail in the first place.
-
Quarantine SPF
Use this filter to quarantine hard fail SPF e-mails.
A hard fail means that the sender’s domain administrator has explicitly defined hosts that are permitted to send e-mails on behalf of the domain. This content filter will check the sender’s IP against the SPF DNS record and if there is a match, the message is allowed.
Set the condition: SPF Verification: Is = Fail -
Quarantine DKIM hard fail
Similar to the above whereby a message is signed with a digital signature defined by the domain keys in DNS. If a message is sent without the correct keys then it is likely that the message is spoofed.
-
Quarantine malicious and ‘bad’ file types
Create a content dictionary with ‘bad’ file types. There are plenty of comprehensive lists online which have some good recommendations on what you should and shouldn’t block to keep your e-mail environment healthy.
My list consists of:.com$,.vb$,.vbs$,.vbe$,.cmd$,.bat$,.ws$,.wsf$,.scr$,.shs$,.hta$,.jar$,.js$,.jse$,.lnk$,.bas$,.chm$,.cpl$,.crt$,.hlp$,.inf$,.ins$,.isp$,.msc$,.msi$,.msp$,.mst$,.pif$,.reg$,.sct$,.url$,.wm,$,.wsc$,.wsh$,.exe$
-
URL categories
Define a content filter for URL categories to be blocked by the IronPort.
Set the condition: URL Category and choose which categories to block in your organisation. Some obvious ones are ‘Adult, Child Abuse Content, Pornography’, etc.Here I also added a condition to block e-mails which have ‘dropbox.com’ in the body. I have noticed in the past that a lot of malicious files are linked via Dropbox so better to be safe than sorry.
-
Malicious and Suspicious URL Reputation
Set a content filter for malicious and suspicious URLs as this can block a lot of spam and malicious e-mails.
-
Legal Disclaimer (Outbound Only)
Some legal departments insist on an outbound legal disclaimer (footer) to be applied to mail. This is pretty straight forward to do on the IronPort.
Simply create a Text Resource under Mail Policies and choose the Add Disclaimer Text option in the content filter.
P.S. By not adding any conditions to this filter, it will always apply.
That’s it for now! If I come across any other useful filters I will follow up with another post or update this one.
Feel free to share your most used filters in the comments section below!
2 replies on “Cisco IronPort ESA – Useful Content Filters”
Nice article! I have also found it helpful to have a filter for spoofed messages.
Filter with 2 conditions – 1 if Receiving Listener is “External” and 2 if mail-from == “@domain.com$” then Quarantine
The preferable alternative to this would be to set-up SPF DNS records and have the IronPort quarantine e-mails that fail SPF. However if this isn’t possible for whatever reason then this filter could be a good solution.
Keep in mind that the filter may cause issues in certain scenarios so make sure you know your environment well before implementing such filters (for example: Hybrid Office 365 set-ups, legitimate newsletters that send on-behalf as @yourdomain.com, multiple offices in different locations, etc)