How to make spam your best friend on your e-mail appliance
Nicole Wajer – Consulting Systems Engineer
BRKSEC-2325
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Abstract
• Spam has plagued the Internet pretty much since its inception. For a while it appeared that the spam problem was more or less under control. In the meantime, however, spammers have developed new techniques and the problem is as bad as ever; today it delivers what we call ransomware. This intermediate session provides an overview of best practices to mitigate the problem: the techniques that can be used to fight spam and how to configure them on your e-mail appliance.
http://www.tagesanzeiger.ch/sonntagszeitung/dny/hacker-erpressen-hoteliers/story/12093156
A note about Best Practices…
• Throughout the material we will present options for tuning your environment
• These are meant to be general guidelines, and as each environment is unique, it is recommended that settings be set in monitor mode first
• After a determined time, perform analysis and tuning of rules and settings to achieve the desired result
Nicole Wajer – Consulting Systems Engineer
@vlinder_nl
EMEAR (North)
Joined Cisco Dec 2007
Now Content Security & IPv6
For Your Reference
• There are (many...) slides in your print-outs that will not be presented.
• They are there “For your Reference”
Agenda
• HAT / IPAS / Graymail
• Advanced Malware Protection
• URL Filtering
• Attachment Control and Defense
• Tips & Tricks
The Email Pipeline
(Figure on the slide: SMTP SERVER -> WORKQUEUE -> SMTP CLIENT, with the following stages.)
SMTP SERVER: Host Access Table (HAT), Received Header, Default Domain, Domain Map, Recipient Access Table (RAT), Alias Table, LDAP RCPT Accept, SMTP Call-Ahead, DKIM / SPF Verification, DMARC Verification, S/MIME Verification
WORKQUEUE: LDAP RCPT Accept (WQ), Masquerading (Table / LDAP), LDAP Routing, Message Filters, then Per-Policy Scanning: Anti-Spam, Anti-Virus, Advanced Malware (AMP), Graymail, Safe Unsubscribe, Content Filtering, Outbreak Filtering, DLP Filtering (Outbound)
SMTP CLIENT (Message Delivery): Virtual Gateways, Delivery Limits, Received: Header, Domain-Based Limits, Domain-Based Routing, Global Unsubscribe, S/MIME Encryption, DKIM Signing, Bounce Profiles, Encryption
Host Access Table (HAT) Structure
• HATs are associated per listener, which is defined as Public or Private. Once a listener is created, its type cannot be changed.
• Private listeners have no Recipient Access Table and are best used for outbound-facing mail traffic; there are no restrictions on recipient domains.
• The structure of the HAT is defined by the listener type; once the listener is created, a default configuration is loaded.
• Mail Flow Policies (MFP) are also created based on the listener type, so an MFP such as Relayed is not created until a Private listener is defined, or it is created manually.
Host Access Table Structure
• IPs and hosts are evaluated in the HAT top down, first match
• SenderGroups are containers that define the policy applied on a match
• Inclusion into a SenderGroup is defined by Reputation Score, DNS, or explicit match
SenderGroup Options
• SenderBase score ranges can be attached to SenderGroups; ensure that the neutral and “no score” ranges are addressed
• Within the settings you define the Name and the Mail Flow Policy
• Nomenclature is important as it will be displayed in logs and reports
• SBRS scores can be assigned to the group
Example mail_logs entries for a HAT match:
Thu Jun 9 13:40:34 2016 Info: New SMTP ICID 8 interface Management (10.10.10.90) address 94.46.249.12
Thu Jun 9 13:40:34 2016 Info: ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1
Thu Jun 9 13:40:34 2016 Info: Start MID 410 ICID 8
Note that SBRS uses multiple sources including honeypots and DNSBLs
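The log lines above are where the SenderGroup name and the SBRS score become visible, which is why the nomenclature matters. As an added example (not from the deck and not Cisco code), the Python below parses such mail_logs lines, pairs each connection's remote address with the SenderGroup and HAT action that caught it, and lists connections that were accepted without any reputation score, the “no score” range the first bullet says must be addressed. The first three sample lines are the ones shown on the slide; the remaining lines are constructed in the same format, and the sbrs[none] / SBRS None form for a host without a score is an assumption about how that case is logged.

```python
import re
from collections import Counter

# Sample mail_logs excerpt. The first three lines are the ones shown on the slide; the rest are
# constructed in the same format (the "sbrs[none] ... SBRS None" form for a host without a
# reputation score is an assumption, not quoted from the deck).
SAMPLE_LOG = """\
Thu Jun 9 13:40:34 2016 Info: New SMTP ICID 8 interface Management (10.10.10.90) address 94.46.249.12
Thu Jun 9 13:40:34 2016 Info: ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1
Thu Jun 9 13:40:34 2016 Info: Start MID 410 ICID 8
Thu Jun 9 13:41:02 2016 Info: New SMTP ICID 9 interface Management (10.10.10.90) address 203.0.113.5
Thu Jun 9 13:41:02 2016 Info: ICID 9 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Thu Jun 9 13:41:30 2016 Info: New SMTP ICID 10 interface Management (10.10.10.90) address 198.51.100.7
Thu Jun 9 13:41:30 2016 Info: ICID 10 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -7.5
"""

NEW_ICID = re.compile(r"New SMTP ICID (\d+) interface (\S+) \(([\d.]+)\) address (\S+)")
SG_MATCH = re.compile(r"ICID (\d+) (\S+) SG (\S+) match (\S+) SBRS (\S+)")


def parse_mail_log(text):
    """Return {icid: {...}} with remote address, SenderGroup, HAT action, match rule and SBRS."""
    conns = {}
    for line in text.splitlines():
        m = NEW_ICID.search(line)
        if m:
            icid = int(m.group(1))
            conns[icid] = {"interface": m.group(2), "listener_ip": m.group(3), "remote": m.group(4),
                           "action": None, "sg": None, "match": None, "sbrs": None}
            continue
        m = SG_MATCH.search(line)
        if m:
            icid = int(m.group(1))
            c = conns.setdefault(icid, {"interface": None, "listener_ip": None, "remote": None})
            c["action"], c["sg"], c["match"] = m.group(2), m.group(3), m.group(4)
            raw = m.group(5)
            c["sbrs"] = None if raw.lower() == "none" else float(raw)
    return conns


def accepted_without_score(conns):
    """ICIDs that were accepted although SenderBase returned no score for the connecting host."""
    return sorted(i for i, c in conns.items() if c["action"] == "ACCEPT" and c["sbrs"] is None)


def count_by_sendergroup(conns):
    """How many connections each SenderGroup caught; handy when tuning the SBRS ranges."""
    return Counter(c["sg"] for c in conns.values() if c["sg"])


if __name__ == "__main__":
    parsed = parse_mail_log(SAMPLE_LOG)
    for icid, c in sorted(parsed.items()):
        print(icid, c["remote"], c["action"], c["sg"], c["sbrs"])
    print("accepted with no SBRS score:", accepted_without_score(parsed))
    print("per SenderGroup:", dict(count_by_sendergroup(parsed)))
```

Run it against a real mail_logs export and the “accepted with no SBRS score” list tells you immediately whether the no-score case is falling into a lenient group; the per-SenderGroup counts show which ranges actually do the work.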
SenderGroup Options (continued)
Connecting hosts can also be placed in a SenderGroup based on the DNS verification of the connecting host:
• Connecting host PTR record does not exist in DNS.
• Connecting host PTR record lookup fails due to temporary DNS failure.
• Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A).
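Pulling the last three slides together, here is an added Python model (not the appliance's code) of top-down, first-match HAT evaluation in which a SenderGroup is entered by explicit host or network, by SBRS range, by the “no score” option, or by one of the three DNS verification results listed above. The group table follows the aggressive HAT sample in the recommendations at the end of this deck (BLACKLIST -10 to -2 BLOCKED, SUSPECTLIST -2 to -1 HEAVYTHROTTLE, GRAYLIST -1 to 2 LIGHTTHROTTLE, ACCEPTLIST 2 to 10 ACCEPTED), with “no score” and failed PTR checks placed in SUSPECTLIST as the deck suggests. The PARTNER group and its policy name, the example addresses and the fake resolver are constructed, and the fall-through to an ACCEPTED catch-all group is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Outcomes of the connecting-host DNS verification: the three conditions on the slide, plus OK
NO_PTR, TEMP_FAIL, MISMATCH, OK = "no_ptr", "temp_fail", "mismatch", "ok"


@dataclass(frozen=True)
class SenderGroup:
    name: str
    policy: str
    sbrs_range: Optional[tuple] = None       # (low, high) inclusive; None = no reputation match
    no_score: bool = False                   # also match hosts SenderBase has no score for
    dns_conditions: frozenset = frozenset()  # subset of {NO_PTR, TEMP_FAIL, MISMATCH}
    hosts: tuple = ()                        # explicit IPs / networks (strings)


def dns_verify(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS: a PTR must exist and one of its names must resolve back
    to ip. The lookup callables are injected so this runs offline; they raise TimeoutError on a
    temporary DNS failure and return a list of results otherwise."""
    try:
        names = ptr_lookup(ip)
    except TimeoutError:
        return TEMP_FAIL
    if not names:
        return NO_PTR
    try:
        if any(ip in a_lookup(n) for n in names):
            return OK
    except TimeoutError:
        return TEMP_FAIL
    return MISMATCH


def evaluate_hat(ip, sbrs, groups, dns_result):
    """Walk the HAT top down; return (SenderGroup name, Mail Flow Policy) of the first match."""
    addr = ipaddress.ip_address(ip)
    for g in groups:
        if any(addr in ipaddress.ip_network(h, strict=False) for h in g.hosts):
            return g.name, g.policy
        if sbrs is None and g.no_score:
            return g.name, g.policy
        if sbrs is not None and g.sbrs_range and g.sbrs_range[0] <= sbrs <= g.sbrs_range[1]:
            return g.name, g.policy
        if dns_result in g.dns_conditions:
            return g.name, g.policy
    return "ALL", "ACCEPTED"  # assumption: catch-all group at the bottom of the table


# Aggressive HAT from the deck's recommendations. PARTNER sits above the reputation groups so a
# forced-TLS partner is matched first; its network and policy name are placeholders.
AGGRESSIVE_HAT = (
    SenderGroup("PARTNER", "TLS_FORCED", hosts=("192.0.2.0/24",)),
    SenderGroup("BLACKLIST", "BLOCKED", sbrs_range=(-10.0, -2.0)),
    SenderGroup("SUSPECTLIST", "HEAVYTHROTTLE", sbrs_range=(-2.0, -1.0), no_score=True,
                dns_conditions=frozenset({NO_PTR, TEMP_FAIL, MISMATCH})),
    SenderGroup("GRAYLIST", "LIGHTTHROTTLE", sbrs_range=(-1.0, 2.0)),
    SenderGroup("ACCEPTLIST", "ACCEPTED", sbrs_range=(2.0, 10.0)),
)

# Constructed DNS data standing in for a resolver (RFC 5737 documentation addresses)
FAKE_PTR = {"203.0.113.5": [], "203.0.113.6": ["mail.example.net"], "203.0.113.7": ["mx.example.org"]}
FAKE_A = {"mail.example.net": ["203.0.113.6"], "mx.example.org": ["198.51.100.9"]}


def fake_ptr(ip):
    if ip == "203.0.113.8":
        raise TimeoutError("simulated SERVFAIL")
    return FAKE_PTR.get(ip, [])


def fake_a(name):
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for ip, score in (("94.46.249.12", -2.1), ("203.0.113.5", None),
                      ("192.0.2.10", -9.0), ("203.0.113.7", 5.0)):
        verdict = dns_verify(ip, fake_ptr, fake_a)
        print(ip, score, verdict, evaluate_hat(ip, score, AGGRESSIVE_HAT, verdict))
```

Two things the model makes visible: the host from the log lines above (SBRS -2.1) lands in SUSPECTLIST under the default HAT but in BLACKLIST under the aggressive one, and the boundary values (-2, -1, 2) belong to two adjacent ranges, so it is the top-down order, not the numbers, that decides which policy applies.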
Understanding Email Reputation
(Figure on the slide: the IP Reputation Score runs on a scale from -10 through 0 to +10 and is fed by the following data sources: Spam Traps, Complaint Reports, IP Blacklists and Whitelists, Message Composition Data, Compromised Host Lists, Website Composition Data, Global Volume Data, Domain Blacklist and Safelists, Other Data, Geo-Location data, Host Data, DNS Data.)
• Breadth and quality of data makes the difference
• Real-time insight into this data allows us to see threats before anyone else in the industry, to protect our customers
HAT – Host Access Table
• Systems are added to the various Sender Groups manually by adding the sender’s IP address, host name, or partial host name, or they fall into a particular sender group due to their reputation score.
How to Configure Block/White List just 1 Sender?
How to Configure Block/White List - 2
How to Configure Block/White List - 3
Block/Whitelist FULL Domain/IP = HAT
Reputation: DNS and caching
• DNS is the most critical external service for the ESA
• By default there are 4 DNS lookups per request (reverse DNS and 2 SBRS lookups among them); this is the default number of requests per connection
• With SPF, DKIM and DMARC: 3 or more DNS TXT record lookups
• At least 7 possible DNS lookups per connection (excluding any caching)
• Now factor in outbound destination DNS resolution, LDAP, internal hosts, etc.
• Use more resolvers in high-connection environments
• So what if I use the Cisco Umbrella DNS Resolvers?
ESA – Relay host – Not First Hop
• If you allow another MTA to sit at your network’s perimeter and handle all external connections, then the Email Security appliance will not be able to determine the sender’s IP address
• The solution is to configure your appliance to work with incoming relays. You specify the names and IP addresses of all of the internal MX/MTAs connecting to the Cisco appliance, as well as the header used to store the originating IP address
Relay Host Configure
• Network Incoming Relays
Received header for Relay List
Received: from <hop5>
Received: from <hop4>
Received: from <hop3>
Received: from <hop2>
Received: from <hop1>
<snip>
Received: from mail.spaansekubus.net ([193.172.32.4])
by alln-inbound-m.cisco.com with ESMTP/TLS/AES256-GCM-SHA384; 19 Feb
2017 15:36:09 +0000
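The incoming-relay feature described on the previous slides comes down to one question: which Received header holds the IP that reputation should be judged on? As an added example (not from the deck and not Cisco code), the Python below walks a Received chain top down, skips hops that came from the configured internal relays, and returns the first address that did not; a second function shows the fixed-hop-count alternative. The chain is constructed: the external hop reuses the sending host and IP shown on the slide, while the internal relay names and addresses are placeholders, and the 1-based counting convention for the hop variant is an assumption.

```python
import ipaddress
import re

# Constructed Received chain, newest hop first as it appears in the message. The external hop
# reuses the host and IP from the slide; relay names and addresses (RFC 1918 / RFC 5737 space)
# are placeholders.
SAMPLE_RECEIVED = [
    "from relay-inside.example.internal ([10.0.0.5]) by esa.example.internal with ESMTP; "
    "19 Feb 2017 15:36:11 +0000",
    "from mx-edge.example.internal ([192.0.2.25]) by relay-inside.example.internal with ESMTP; "
    "19 Feb 2017 15:36:10 +0000",
    "from mail.spaansekubus.net ([193.172.32.4]) by mx-edge.example.internal "
    "with ESMTP/TLS/AES256-GCM-SHA384; 19 Feb 2017 15:36:09 +0000",
    # Everything below the first external hop was written by systems we do not control and may
    # be forged, so it must never be the basis for the originating IP.
    "from somewhere.example ([203.0.113.99]) by mail.spaansekubus.net with SMTP; "
    "19 Feb 2017 15:35:00 +0000",
]

# Internal relays the appliance should look past (the "Incoming Relays" list on the ESA)
INTERNAL_RELAYS = ["10.0.0.0/8", "192.0.2.25"]

_FROM_IP = re.compile(r"^from\s+\S+\s*\(.*?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.IGNORECASE)


def hop_ip(received):
    """IP address the 'from' clause of one Received header attributes the hop to, or None."""
    m = _FROM_IP.match(received.strip())
    return m.group(1) if m else None


def originating_ip(received_headers, internal_relays):
    """Skip hops that came from known internal relays (top down) and return the first address
    that did not; that is the host the HAT / SBRS decision should be made on."""
    nets = [ipaddress.ip_network(r, strict=False) for r in internal_relays]
    for hdr in received_headers:
        ip = hop_ip(hdr)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            continue
        return ip
    return None


def originating_ip_by_hop(received_headers, hop):
    """Alternative for a relay chain of fixed depth: take the N-th Received header counted from
    the top (1-based here; the counting convention is an assumption of this example)."""
    if 1 <= hop <= len(received_headers):
        return hop_ip(received_headers[hop - 1])
    return None


if __name__ == "__main__":
    print("by relay list:", originating_ip(SAMPLE_RECEIVED, INTERNAL_RELAYS))
    print("by hop count :", originating_ip_by_hop(SAMPLE_RECEIVED, 3))
```

The relay-list approach is the more robust of the two: if an extra internal hop is added, the fixed hop count silently starts returning one of your own relays, and every sender then shares its reputation.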
Antispam
• Mail Policies -> Incoming Mail Policies
Spam Options
• Positively-Identified spam is email that is known spam.
• Suspected Spam is email that has characteristics of spam, but has not been confirmed as spam yet.
• Emails identified as positively identified spam and suspected spam can be delivered, dropped, sent to spam quarantine, or bounced with an additional option to send to an alternate host.
Cisco IronPort Anti-Spam (IPAS)
Moderate: Positive Spam = 85, Suspect Spam = 45, Always Scan 1MB or Less, Never Scan 2MB or More
Aggressive: Positive Spam = 80, Suspect Spam = 39, Always Scan 2MB or Less, Never Scan 2MB or More
Conservative: Unchanged (set “always scan” to at least 1MB)
Graymail
Enable Graymail Detection
Graymail
• Marketing Message Detection is off by default.
• Recommendation for each incoming mail policy: mark the message subject line with the text “[MARKETING]” and deliver it to the end user if company policy permits.
• Marketing messages make up a large percentage of the complaints regarding missed spam. Tagging them allows email administrators to do what they feel is best for their organisation: drop, quarantine, or deliver marketing messages. Alternatively, the email administrator could create a rule to place such messages in the user’s Outlook Junk Mail folder, or simply allow the end users to create their own rules for handling those messages.
Spam vs Graymail - 1
• Spam is email that the recipient did not choose to receive (unsolicited) and generally has embedded links, pictures and other documents that may be disguised to look legitimate but are actually malicious in nature. Spam emails are intended to fool the recipient and cause harm to the end user’s environment. For more information on spam, please refer to the CAN-SPAM Act of 2003.
Spam vs Graymail - 2
• In short: graymail is email that the recipient “opted” to receive but does not really want in their inbox. A good example is when you go shopping and provide your email address to receive coupons, discounts and other notifications from that vendor. These emails are known as graymail: you opted to receive them, but after a while you grow tired of how many annoying emails the vendor sends, and they end up being reported as spam, which they are not at all.
Graymail Tuning Checklist
• Enable Graymail Detection
• Tick the ‘Marketing’ box in the Graymail Settings
• Set the action to Deliver
• If the business allows, ‘prepend’ [MARKETING] to the subject
Why Advanced Malware Protection?
AMP on ESA with Threat Grid Public Cloud – Detailed Flow Chart
(Flow chart on the slide. AMP sits in the scanning pipeline next to Reputation Filtering, Anti-Spam, Anti-Virus, Content Filters and Outbreak Filters; the steps it shows for an attachment are:)
• Mail attachments are sent to AMP: calculate the SHA256 and the SPERO fingerprint, send them to the AMP cloud for a reputation check, and check the disposition.
• Disposition = good: deliver the mail. Disposition = malware: drop or deliver the mail according to policy.
• Disposition = unknown: run pre-classification and check the Upload Action. Upload Action ≠ 1: queue the mail for delivery. Upload Action = 1: query Threat Grid (TG), is the file known?
• No: upload the file to Threat Grid, then quarantine & track the message.
• Yes, analysis running: quarantine & track the message.
• Yes, analysis completed: continue with the result.
• A quarantined message waits until the analysis is completed or the quarantine timer has expired.
• Threat Score >= 95: Threat Grid “pokes” the file into the AMP cloud, i.e. the Threat Grid cloud marks the SHA256 of the file with disposition = malicious almost instantaneously.
• The message is then dropped or delivered (see the Considerations slide).
AMP on ESA – Pre-Classification
• Before an unknown file is submitted there is a pre-classification engine that selects only files with active or suspicious content
• Pre-classification signatures are byte-code rules that detect suspicious indicators such as:
• Embedded macros, EXEs, Flash
• PDF within PDF, corrupt headers, invalid XREF, etc.
• Signatures are provided and hosted by Talos
• The product checks for new updates once every 30 minutes
• This is relevant for any deployment of AMP on ESA and WSA
Advanced Malware Protection (AMP)
• Advanced Malware Protection is integrated on the ESA
• Provides File Reputation, File Sandboxing, and File Retrospection
• Combined with native URL filtering, the ESA provides full malware and phishing detection
AMP on ESA with Threat Grid Public Cloud – Considerations
• If the file was submitted to the Threat Grid cloud and received a Threat Score >= 95, the Threat Grid cloud updates the file disposition in the AMP cloud for this SHA256 instantaneously
• The ESA does not act on a Threat Score from the Threat Grid cloud directly
• The ESA only waits for the analysis to finish and then sends the file through AV and AMP again
• Malware is then convicted by AMP because of the adjusted disposition
• Thus the ESA relies heavily on Threat Grid poking file dispositions into the AMP cloud
Tell me more about AMP & TG
• BRKSEC-2890 – AMP Threat Grid integrations with Web, Email and Endpoint Security – Thursday 11:30
URL Filtering
• Security Services -> URL Filtering
• By default, URL Filtering applies to all URLs, but you have the possibility to “whitelist” certain URLs. This can be useful for internal domains and URLs, which will of course not have a reputation score or a URL category
URL Rewriting
• Outbreak Filter has the option to “rewrite” a URL. The URL then no longer points directly to the destination but is redirected over the Cisco Cloud Web Security Proxy
Outbreak Filter – URL Rewrite
URL Rewriting - continued
• It is recommended to rewrite only URLs that are not signed.
• If a URL is digitally signed, rewriting it would make the signature invalid.
• If the user clicks on the URL, they will be redirected to the Cloud Web Security Proxy.
URL with Content Filter - Condition
• URLs are filtered in two places (CASE and Outbreak Filter), but they can also be scanned proactively by a Content Filter
URL with Content Filter - Action
Malicious URL - Outbreak Filters in action
• Outbreak Filter can still stop malicious URLs – no rewrite needed
Turn on URL scores in Message Tracking
• By default there is no URL score in Message Tracking
• This must be turned on in the CLI
• <hostname-esa> “outbreakconfig”
URL Filtering Checklist
• Enable URL Filtering on the ESA
• Enable Web Interaction Tracking (if permitted by policy)
• Enable URL visibility in Message Tracking for certain admin users (if permitted by policy)
• Enable Threat Outbreak Filtering and message modification – warn your users!
• Whitelist your partner URLs, use the scores to create filters for others
• Combine the reputation rules and leverage language detection as part of the logic
• Use the policies to define the level of aggression for rule sets
Forged Email Detection (New for 10.0)
• Forged Email Detection looks for permutations of the Display Name and of the prefix of the email address in the From header
• Use this rule to look for matches against a dictionary of names that are exact or some form of typo squatting
• e.g. Han S0lo, Han Slo, Han So1o
Forged Email Filters
• In this example, we took the From header and stripped it from the message if the match score was 70 or above
• Combined with a warning disclaimer, this exposes the bad sender while warning the end user
• The idea is that for names with low-threshold matches, you can use the strip-header action to expose the envelope sender – if it is legitimate, it won’t disrupt mail flow
• If all else fails, warn the user of a potential issue by using a disclaimer text on top of the message
Info: MID 2089 Forged Email Detection on the From: header with score of 100, against the dictionary entry Han Solo
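To make the two slides above concrete, here is an added Python example (not the appliance's algorithm and not Cisco code) of the same idea: normalise the display name and the address prefix from a From header, score each against an executive-name dictionary, and map the score to the actions the deck describes, strip the From header from 70 up and quarantine a copy from 90 up (the threshold the recommendations at the end use). The look-alike character map and the use of a difflib similarity ratio as the score are this example's own choices; the dictionary and the sample headers are constructed, so the scores shown are this example's, not the appliance's.

```python
import re
from difflib import SequenceMatcher

# Look-alike substitutions applied before comparison (constructed list; the appliance's own
# matching rules are not published on the slide)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                            "@": "a", "$": "s", "|": "l"})


def normalise(name):
    """Lower-case, map look-alike characters, keep letters and single spaces."""
    name = name.lower().translate(HOMOGLYPHS)
    name = re.sub(r"[^a-z ]+", " ", name)
    return re.sub(r"\s+", " ", name).strip()


def parse_from(header):
    """Split a From: header value into (display name, local part, domain)."""
    m = re.match(r'\s*(?:"?([^"<]*?)"?\s*)?<([^@>\s]+)@([^>\s]+)>\s*$', header)
    if m:
        return (m.group(1) or "").strip(), m.group(2), m.group(3)
    local, _, domain = header.strip().partition("@")   # bare address without a display name
    return "", local, domain


def fed_score(text, dictionary):
    """Best similarity (0-100) of text against the dictionary; returns (score, entry)."""
    target = normalise(text)
    best = (0, None)
    for entry in dictionary:
        score = round(100 * SequenceMatcher(None, target, normalise(entry)).ratio())
        if score > best[0]:
            best = (score, entry)
    return best


def fed_check(from_header, dictionary, strip_at=70, quarantine_at=90):
    """Score both the display name and the address prefix, then map the best score to an action."""
    display, local, _domain = parse_from(from_header)
    score, entry = max(fed_score(display, dictionary), fed_score(local, dictionary),
                       key=lambda t: t[0])
    if score >= quarantine_at:
        action = "quarantine-copy"
    elif score >= strip_at:
        action = "strip-from-header"   # expose the envelope sender, as the slide describes
    else:
        action = "deliver"
    return score, entry, action


EXECUTIVES = ["Han Solo"]   # constructed dictionary; the deck's example name

if __name__ == "__main__":
    for hdr in ('"Han S0lo" <ceo@mail.example>', "H. Solo <h.solo@example.net>",
                "John Smith <jsmith@example.net>", "han.s0lo@example.net"):
        print(hdr, "->", fed_check(hdr, EXECUTIVES))
```

The digits-to-letters mapping is what turns “Han S0lo” and “Han So1o” into exact matches, while a shortened form such as “H. Solo” lands in the strip-header band and an unrelated name stays well below 70; tune the two thresholds against your own executive list in monitor mode before acting on them.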
Spoofing Checklist
• Know who your allowed external spoofs are by tracking them via filters and policies
• Build the list as the exception, trap all others
• With 10.0 use the Forged Email Detection Feature to look for matches on the display name, if too close to call, drop the From header
• Send a copy of suspected spoofs to a quarantine for review and then tune your rules to start blocking messages
• Make a plan to enable SPF, DKIM and DMARC
What about SPF/DKIM & DMARC?
• BRKSEC-3540 – I wonder where that Phish has gone – Tuesday @ 16:45
Macro Enabled Attachment Handling – Overview
• While macros enable extended functionality in documents, spreadsheets, and more, they are of concern to customers since they can be an infection vector.
• This feature gives customers the ability to identify macros in PDF, Office, and OLE file types and several options for handling them, including:
• Strip Attachment with Macro
• Quarantine message
• Drop message
• Change Recipient
• Send Copy (BCC)
• And more
Macro Detection – New Content Filter Detection
• The Content Filter Condition sets the file types to be scanned for macros and can include:
• Adobe PDF
• Microsoft Office files
• OLE file types
• This Condition is available for both inbound and outbound Content Filters
Strip Attachment with Macro – Action
Many of the other Content Filter Actions can be taken on messages containing macros, including:
• Drop Message
• Quarantine
• Change Recipient
• Send Copy (BCC)
• Add Disclaimer Text
• Prepend subject with warning message
Macro Detection Using Message Filters
This feature is also available in Message Filters using the new Message Filter rule:
• macro-detection-rule()
And the new Message Filter action:
• drop-macro-enabled-attachments()
Similar to the Content Filter version, other actions can be taken on the messages to drop the message, redirect it, and more.
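Both the AMP pre-classification slide (embedded macros, EXEs, Flash, PDF within PDF, invalid XREF) and the macro-detection slides above come down to looking inside an attachment for active content before deciding what to do with it. As an added example, not the appliance's engine and not Talos' signatures, the Python below implements a small pre-classifier: it recognises a PDF or an Office Open XML container by its magic bytes, flags a handful of indicators of that kind, and validates the PDF's startxref pointer. The indicator list, the sample files and their contents are constructed; legacy OLE files are only recognised, not parsed.

```python
import io
import re
import zipfile

# PDF keys the classifier treats as "active or suspicious content" (a constructed subset;
# the real Talos pre-classification signatures are not published on the slide)
PDF_INDICATORS = {rb"/EmbeddedFile": "pdf:embedded-file", rb"/JavaScript": "pdf:javascript",
                  rb"/Launch": "pdf:launch-action", rb"/OpenAction": "pdf:open-action"}


def pdf_xref_valid(data):
    """Follow the last startxref pointer; it must land on a classic 'xref' table or on an
    'N G obj' header (cross-reference stream), otherwise the file is structurally suspect."""
    offsets = re.findall(rb"startxref\s+(\d+)", data)
    if not offsets:
        return False
    off = int(offsets[-1])
    window = data[off:off + 32]
    return window.startswith(b"xref") or re.match(rb"\d+\s+\d+\s+obj", window) is not None


def classify_pdf(data):
    hits = [tag for pat, tag in PDF_INDICATORS.items() if re.search(pat, data)]
    if data.count(b"%PDF-") > 1:            # a second header usually means a PDF inside the PDF
        hits.append("pdf:nested-pdf")
    if not pdf_xref_valid(data):
        hits.append("pdf:invalid-xref")
    return hits


def classify_ooxml(data):
    """Office Open XML (docx/xlsx/pptx and the macro-enabled docm/xlsm/pptm) is a zip container."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):        # the VBA project stream = macro present
                hits.append("ooxml:vba-macro")
            elif "/embeddings/" in low:                # embedded objects live under embeddings/
                head = zf.read(name)[:4]
                if head.startswith(b"MZ"):
                    hits.append("ooxml:embedded-exe")
                elif head[:3] in (b"FWS", b"CWS", b"ZWS"):
                    hits.append("ooxml:embedded-flash")
                else:
                    hits.append("ooxml:embedded-object")
    return hits


def classify_attachment(data):
    """Return the indicators found; an empty list means nothing active was seen."""
    if data.startswith(b"%PDF-"):
        return classify_pdf(data)
    if data.startswith(b"PK\x03\x04"):
        return classify_ooxml(data)
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return ["ole:needs-compound-file-parse"]     # legacy .doc/.xls: VBA sits in OLE streams
    return []


# Constructed samples: a "docm" with a VBA project and an embedded PE, and a PDF with an
# embedded file whose startxref pointer is either correct or deliberately off.
def build_sample_docm():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
        zf.writestr("word/embeddings/oleObject1.bin", b"MZ\x90\x00" + b"\x00" * 12)
    return buf.getvalue()


def build_sample_pdf(bad_xref=False):
    body = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n")
    xref_at = len(body) + (5 if bad_xref else 0)   # off by 5 lands inside the table, not on 'xref'
    # the table entries are placeholders; only the startxref pointer is validated above
    tail = (b"xref\n0 3\n0000000000 65535 f \n0000000009 00000 n \n0000000070 00000 n \n"
            b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n" + str(xref_at).encode() + b"\n%%EOF\n")
    return body + tail


if __name__ == "__main__":
    print("docm:", classify_attachment(build_sample_docm()))
    print("pdf :", classify_attachment(build_sample_pdf()))
    print("pdf (bad xref):", classify_attachment(build_sample_pdf(bad_xref=True)))
```

The returned indicator list is what a content filter condition would key on: a non-empty list is the “one or more attachments contain a macro” case, and in the AMP flow it is what decides whether an unknown file is worth uploading at all.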
Why is Telemetry important?
• It gives Talos insight on targeted attacks
• By enabling it in the GUI you give ‘Limited Service’
• A hidden CLI command gives more details to Talos: "fullsenderbaseconfig"
Telemetry – What does it send to Talos?
• When enabled, the Context Adaptive Scanning Engine (CASE) is used to collect and report the data (regardless of whether or not Cisco anti-spam scanning is enabled)
• The data is summarized information on message attributes and information on how different types of messages were handled by Cisco appliances. We do not collect the full body of the message
http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/200440-Web-Sender-Base-Network-Participation-W.html#anc5
Telemetry – "fullsenderbaseconfig"
Use your browser to get the log files
• Log into the ESA/CES instance
• Check System Administration -> Log Subscriptions for the name of the log subscription (it is case-sensitive)
• Change <ESA_or_CES_URL> in the URL below to your instance
• Paste the URL into the browser: https://<ESA_or_CES_URL>/cluster/system_administration/log_list?log_type=amp
• Change log_type if you want other logs; for the mail logs replace amp with mail_logs
IPv6
(Feature matrix on the slide: HAT, RAT, Routes, Filters, Destination Controls, Trace, NIC Pairing, Outbreak Filters, TLS, SMTP Routes, SMTP Call-ahead, Admin ACL, Tracking, Reporting, Http(s)/Ssh.)
In Summary
• The days of set it and forget it are long gone – continuous monitoring and tuning are required to keep up with today’s threats
• Understand what your organization’s security posture is and apply it to your appliances
• Keep your appliances updated – we are constantly introducing new features that require upgrades / updates
• Check out our Chalktalks on YouTube and Guides on Cisco.com to help with tuning and setting up new features on Cisco Email Security
• Enable SenderBase Participation – especially useful for targeted attacks
Summary of Recommendations
CLI Level Changes
• Web Security SDS URL Filtering: websecurityadvancedconfig > disable_dns=1, max_urls_to_scan=20, num_handles=5, default_ttl=600
• URL Logging: outbreakconfig > Do you wish to enable logging of URL's? [N]> y
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html
• Clean URL Rewrites: websecurityadvancedconfig > Do you want to rewrite all URLs with secure proxy URLs? [Y]> n
• Anti-Spoof Filter: https://supportforums.cisco.com/sites/default/files/attachments/discussion/forged_email_detection_with_cisco_email_security.pdf
• Header Stamping Filter:
addHeaders: if (sendergroup != "RELAYLIST")
{
insert-header("X-IronPort-RemoteIP", "$RemoteIP");
insert-header("X-IronPort-MID", "$MID");
insert-header("X-IronPort-Reputation", "$Reputation");
insert-header("X-IronPort-Listener", "$RecvListener");
insert-header("X-IronPort-SenderGroup", "$Group");
insert-header("X-IronPort-MailFlowPolicy", "$Policy");
}
Security Services
• IronPort Anti-Spam: Always scan 1MB and Never scan 2MB
• URL Filtering: Enable URL Categorization and Reputation; Enable Web Interaction Tracking
• Graymail Detection: Enable, and Maximum Message size 1 MB
• Outbreak Filters: Enable Adaptive Rules, Max Scan size 1 MB; Enable Web Interaction Tracking
• Advanced Malware Protection: Enable additional file types after enabling the feature
• Message Tracking: Enable Rejected Connection Logging (if required)
System Administration
• Users: Set password policies; if possible leverage LDAP for authentication
• Log Subscriptions: Enable Configuration History Logs; Enable URL Filtering Logs; Log Additional Header ‘From’
Summary of Recommendations (continued)
Incoming Mail Policies
• Anti-Spam thresholds: Positive = 90, Suspect = 39
• Anti-Virus: Don't repair, Disable Archive Message
• AMP: Add "AMP" to Subject Prepend for Unscannable, Disable Archive Message
• Graymail: Scanning enabled for each Verdict, Prepend Subject and Deliver; Add x-header for Bulk email: header = X-BulkMail, value = True
• Outbreak Filters: Enable message modification. Rewrite URL for unsigned messages. Change Subject prepend to: [Possible $threat_category Fraud]
Outgoing Mail Policies
• Anti-Virus, Virus Infected: Prepend Subject: Outbound Malware Detected: $Subject. Other Notification to Others: Order form admin contact
• Anti-Virus, Unscannable: don't Prepend the Subject; Uncheck "Include an X-header with the AV scanning results in Message"
Host Access Table
• Additional SenderGroups: SKIP_SBRS – Place higher for sources that skip reputation; SPOOF_ALLOW – Part of Spoofing Filter; PARTNER – For TLS Forced connections
• In SUSPECTLIST include SBRS Scores on None; optionally, include failed PTR checks
• Aggressive HAT Sample: BLACKLIST [-10 to -2] POLICY: BLOCKED; SUSPECTLIST [-2 to -1] POLICY: HEAVYTHROTTLE; GRAYLIST [-1 to 2 and NONE] POLICY: LIGHTTHROTTLE; ACCEPTLIST [2 to 10] POLICY: ACCEPTED
Mail Flow Policy (default) – Security Settings
• Set TLS to preferred
• Enable SPF
• Enable DKIM
• Enable DMARC and Send Aggregate Feedback Reports
Summary of Recommendations (continued)
Policy Quarantines
• Pre-create the following quarantines: Inappropriate Inbound, Inappropriate Outbound, URL Malicious Inbound, URL Malicious Outbound, Suspect Spoof, Malware
Other Settings
• Dictionaries: Enable / Review Profanity and Sexual Terms Dictionary; Create Forged Email Dictionary with Executive Names; Create Dictionary for restricted or other keywords
• Destination Controls: Enable TLS for default destination; Set lower thresholds for webmail domains
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118573-technote-esa-00.html
Content Filters
• Inappropriate Content Filter – Conditions: Profanity OR Sexual dictionary match; send a copy to the Inappropriate quarantine.
• URL Malicious Reputation Content Filter – URL reputation -10 to -6; send a copy to the URL Malicious quarantine.
• URL Category Content Filter with these categories selected: Adult, Pornography, Child Abuse, Gambling. Send a copy to the Inappropriate quarantine.
• Forged Email Detection – Dictionary named "Executives_FED"; FED() threshold 90; quarantine a copy.
• Macro Enabled Documents content filter – if one or more attachments contain a Macro; optional condition: From Untrusted SBRS range; send a copy to quarantine.
• Attachment Protection – if one or more attachments are protected; optional condition: From Untrusted SBRS range; send a copy to quarantine.
Cisco Spark Ask Questions, Get Answers, Continue the Experience
Use Cisco Spark to communicate with the Speaker and fellow participants after the session
Download the Cisco Spark app from iTunes or Google Play
1. Go to the Cisco Live Berlin 2017 Mobile app
2. Find this session
3. Click the Spark button under Speakers in the session description
4. Enter the room, room name = BRKSEC-2325
5. Join the conversation!
The Spark Room will be open for 2 weeks after Cisco Live
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Continue Your Education
• Demos in the World of Solutions – Security Area
• Meet the Engineer 1:1 meetings
• Meet Nicole Wajer
• Tweet @vlinder_nl #CLEUR
• BRKSEC-3540 - I wonder where that Phish has gone – Today at 16:45
• LTRSEC-2009 - Lab Email Security ESA 10.0
• LALSEC-2005 - Lunch and Learn - Cisco Email Security - Wednesday 22 February 13:00 - 14:30
• BRKSEC-2890 - AMP Threat Grid integrations with Web, Email and Endpoint Security - Thursday 11:30