In this article I will briefly discuss some content filters that I think could come in handy for IronPort ESA users.
\nSome of these can also be useful for outbound mail – for example, you should detect and notify when executables are sent outbound as it could be indicative of an internal outbreak which you obviously want to know about.<\/p>\n
<\/p>\n
Use this content filter to block malicious e-mails (usually based on file type) that are based on active\/in-the-wild exploits. For example, the 0-day .RTF exploit late last year that could cause remote code execution just by viewing a .RTF attachment in Outlook.<\/li>\n
Set the condition: Other Header –> Header Name: X-Bounce-Valid<\/strong> with header value: Equals = Failed<\/strong>.<\/p>\n This filter will drop bounce backs from spoofed e-mails. i.e., a bounce back from someone you didn’t e-mail in the first place.<\/li>\n Use this filter to quarantine hard fail SPF e-mails. Similar to the above whereby a message is signed with a digital signature defined by the domain keys in DNS. If a message is sent without the correct keys then it is likely that the message is spoofed.<\/li>\n Create a content dictionary with ‘bad’ file types. There are plenty of comprehensive lists online which have some good recommendations on what you should and shouldn’t block to keep your e-mail environment healthy. Define a content filter for URL categories to be blocked by the IronPort. Here I also added a condition to block e-mails which have ‘dropbox.com’ in the body. I have noticed in the past that a lot of malicious files are linked via Dropbox so better to be safe than sorry.<\/li>\n Set a content filter for malicious and suspicious URLs as this can block a lot of spam and malicious e-mails.<\/li>\n Some legal departments insist on an outbound legal disclaimer (footer) to be applied to mail. This is pretty straight forward to do on the IronPort. That’s it for now! If I come across any other useful filters I will follow up with another post or update this one.<\/p>\n Feel free to share your most used filters in the comments section below!<\/p>\n","protected":false},"excerpt":{"rendered":" In this article I will briefly discuss some content filters that I think could come in handy for IronPort ESA users. Some of these can also be useful for outbound mail – for example, you should detect and notify when executables are sent outbound as it could be indicative of an internal outbreak which you […]<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[1],"tags":[135,161],"class_list":["post-1375","post","type-post","status-publish","format-standard","hentry","category-tech","tag-cisco-ironport","tag-content-filters"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1trTO-mb","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/1375","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/comments?post=1375"}],"version-history":[{"count":18,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/1375\/revisions"}],"predecessor-version":[{"id":2485,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/1375\/revisions\/2485"}],"wp:attachment":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/media?parent=1375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/categories?post=1375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/tags?post=1375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Quarantine SPF<\/strong><\/h3>\n
\nA hard fail means that the sender’s domain administrator has explicitly defined hosts that are permitted to send e-mails on behalf of the domain. This content filter will check the sender’s IP against the SPF DNS record and if there is a match, the message is allowed.
\nSet the condition: SPF Verification: Is = Fail<\/strong><\/li>\nQuarantine DKIM hard fail<\/strong><\/h3>\n
Quarantine malicious and ‘bad’ file types<\/strong><\/h3>\n
\nMy list consists of:<\/p>\n.com$,.vb$,.vbs$,.vbe$,.cmd$,.bat$,.ws$,.wsf$,.scr$,.shs$,.hta$,.jar$,.js$,.jse$,.lnk$,.bas$,.chm$,.cpl$,.crt$,.hlp$,.inf$,.ins$,.isp$,.msc$,.msi$,.msp$,.mst$,.pif$,.reg$,.sct$,.url$,.wm,$,.wsc$,.wsh$,.exe$<\/pre>\n<\/li>\n
URL categories<\/strong><\/h3>\n
\nSet the condition: URL Category and choose which categories to block in your organisation. Some obvious ones are ‘Adult, Child Abuse Content, Pornography’, etc.<\/p>\nMalicious and Suspicious URL Reputation<\/strong><\/h3>\n
Legal Disclaimer (Outbound Only)
\n<\/b><\/h3>\n
\nSimply create a Text Resource\u00a0<\/em>under\u00a0Mail Policies<\/em> and choose the\u00a0Add Disclaimer Text<\/em> option in the content filter.
\nP.S. By not adding any conditions to this filter, it will\u00a0always<\/span> apply.<\/li>\n<\/ol>\n