3278 Views, 0 Helpful, 3 Replies

ESA- how do I add an email address to a whitelist sendergroup?

keithsauer507
Level 5

We are trying to use a company called knowbe4 to test our employees on our phishing training and while sometimes our tests go through we are having a tough time with one.

One of these messages keeps ending up in spam and it says CASE spam positive.

I have a sender group called WHITELIST that has three IP addresses that knowbe4 gave us.  This sender group is in a TRUSTED policy where SBRS is not in use.  It looks from the logs that the message comes from PSTBounces@knowbe4.com but if I would try to add this exactly into the whitelist sender list the GUI does not allow me to (seems it only wants IP addresses or CIDR notations).

If I do an nslookup on knowbe4.com with a type of MX I get three google mail servers:

alt2.aspmx.l.google.com internet address = 173.194.65.26
aspmx.l.google.com internet address = 173.194.208.26
aspmx2.googlemail.com internet address = 64.233.190.26

I don't want to just put in these google mail servers because IMO I would think any mail passing from gmail or google would be trusted and that would cause exploits to us in spam, virus or other malicious content using google servers.  So in turn I just want the address PSTBounces@knowbe4.com which does pass spf1 to be trusted.

The IPs Knowbe4 gave me to whitelist are 23.21.109.197, 192.254.121.248 and 23.21.109.212 and those are in there.  Note the message log has it falling all the way down to the last ALL sender group which is below number 7 in the HAT Overview.

Wed Nov 11 12:36:05 2015 Info: Start MID 2495837 ICID 106350
Wed Nov 11 12:36:05 2015 Info: MID 2495837 ICID 106350 From: <PSTBounces@knowbe4.com>
Wed Nov 11 12:36:05 2015 Info: MID 2495837 ICID 106350 RID 0 To: <testuser@domain.com>
Wed Nov 11 12:36:05 2015 Info: MID 2495837 SPF: helo identity postmaster@phishtest.knowbe4.com None
Wed Nov 11 12:36:05 2015 Info: MID 2495837 SPF: mailfrom identity PSTBounces@knowbe4.com Pass (v=spf1)
Wed Nov 11 12:36:05 2015 Info: MID 2495837 DMARC: Verification skipped (No record found for the sending domain)
Wed Nov 11 12:36:05 2015 Info: MID 2495837 Message-ID '<XXTESTXXtestuser-144726336318593@phishtest.knowbe4.com>'
Wed Nov 11 12:36:05 2015 Info: MID 2495837 Subject 'Forever home this holiday season'
Wed Nov 11 12:36:05 2015 Info: MID 2495837 ready 11087 bytes from <PSTBounces@knowbe4.com>
Wed Nov 11 12:36:05 2015 Info: MID 2495837 matched all recipients for per-recipient policy DEFAULT in the inbound table
Wed Nov 11 12:36:07 2015 Info: MID 2495837 interim verdict using engine: CASE spam positive
Wed Nov 11 12:36:07 2015 Info: MID 2495837 using engine: CASE spam positive
Wed Nov 11 12:36:07 2015 Info: ISQ: Tagging MID 2495837 for quarantine
Wed Nov 11 12:36:07 2015 Info: MID 2495837 interim AV verdict using Sophos CLEAN
Wed Nov 11 12:36:07 2015 Info: MID 2495837 antivirus negative
Wed Nov 11 12:36:07 2015 Info: MID 2495837 Outbreak Filters: verdict negative
Wed Nov 11 12:36:07 2015 Info: MID 2495837 DomainKeys: cannot sign - no profile matches foreverfriend@adoptapet.com
Wed Nov 11 12:36:07 2015 Info: MID 2495837 DKIM: cannot sign - no profile matches foreverfriend@adoptapet.com
Wed Nov 11 12:36:07 2015 Info: MID 2495837 queued for delivery
Wed Nov 11 12:36:10 2015 Info: RPC Delivery start RCID 30 MID 2495837 to local IronPort Spam Quarantine
Wed Nov 11 12:36:10 2015 Info: ISQ: Quarantined MID 2495837
Wed Nov 11 12:36:10 2015 Info: RPC Message done RCID 30 MID 2495837
Wed Nov 11 12:36:10 2015 Info: Message finished MID 2495837 done

3 Replies

Mathew Huynh
Cisco Employee

Hey Keith,

The WHITELIST at the HAT overview cannot have email addresses added.

If you want an address to bypass your spam scanners

GUI > Mail Policies > Incoming Mail Policies > Add a new policy

Add the sender you would like to 'whitelist' from spam scanners

Once added, submit this policy.

Disable anti-spam scanners for this specific policy.

Then you can also employ a SPF content filter where if SPF did fail for this sender, you can quarantine or action the email via a content filter.

Regards,

Matthew
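The mail_logs excerpt in the question and the policy described in this reply (skip anti-spam for one envelope sender, but let a content filter quarantine it when SPF did not pass) can be modelled locally. The following is an added example, not code from the original thread or from Cisco: it parses the quoted log lines for MID 2495837 plus a constructed second message (MID 2495900, SPF Fail) from the same sender, and applies the decision the reply recommends. The log line format is assumed to be exactly as quoted; the allowlist contents and the "bypass" / "quarantine" / "scan" labels are this example's own conventions, and the function only simulates the decision that would be configured in the ESA GUI.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Sample input. The MID 2495837 lines are a subset of the mail_logs quoted in the
# question; the MID 2495900 lines are constructed (same envelope sender, SPF Fail,
# CASE negative) so that the quarantine branch of the decision is exercised too.
SAMPLE_LOG = """\
Wed Nov 11 12:36:05 2015 Info: Start MID 2495837 ICID 106350
Wed Nov 11 12:36:05 2015 Info: MID 2495837 ICID 106350 From: <PSTBounces@knowbe4.com>
Wed Nov 11 12:36:05 2015 Info: MID 2495837 SPF: mailfrom identity PSTBounces@knowbe4.com Pass (v=spf1)
Wed Nov 11 12:36:07 2015 Info: MID 2495837 interim verdict using engine: CASE spam positive
Wed Nov 11 12:36:07 2015 Info: MID 2495837 using engine: CASE spam positive
Wed Nov 11 12:36:07 2015 Info: ISQ: Tagging MID 2495837 for quarantine
Wed Nov 11 12:36:10 2015 Info: ISQ: Quarantined MID 2495837
Wed Nov 11 12:40:00 2015 Info: Start MID 2495900 ICID 106360
Wed Nov 11 12:40:00 2015 Info: MID 2495900 ICID 106360 From: <PSTBounces@knowbe4.com>
Wed Nov 11 12:40:00 2015 Info: MID 2495900 SPF: mailfrom identity PSTBounces@knowbe4.com Fail (v=spf1)
Wed Nov 11 12:40:02 2015 Info: MID 2495900 using engine: CASE spam negative
"""

MID_RE = re.compile(r"\bMID (\d+)\b")
FROM_RE = re.compile(r"From: <([^>]*)>")
SPF_RE = re.compile(r"SPF: mailfrom identity (\S+) (\w+)")

# Envelope sender named in the question; an assumption for this example.
ALLOWED_SENDERS = {"PSTBounces@knowbe4.com"}


@dataclass
class MessageTrace:
    """Facts for one MID: envelope sender, SPF mailfrom result, final CASE
    verdict, and whether the spam quarantine (ISQ) tagged/took the message."""
    mid: str
    mail_from: Optional[str] = None
    spf_identity: Optional[str] = None
    spf_result: Optional[str] = None
    spam_verdict: Optional[str] = None
    isq_tagged: bool = False
    quarantined: bool = False


def parse_mail_log(text: str) -> Dict[str, MessageTrace]:
    """Group mail_logs lines by MID and pull out the fields discussed in the thread."""
    traces: Dict[str, MessageTrace] = {}
    for line in text.splitlines():
        mid_match = MID_RE.search(line)
        if not mid_match:
            continue  # lines without a MID are not needed for this analysis
        mid = mid_match.group(1)
        trace = traces.setdefault(mid, MessageTrace(mid))
        from_match = FROM_RE.search(line)
        spf_match = SPF_RE.search(line)
        if from_match:
            trace.mail_from = from_match.group(1)
        elif spf_match:
            trace.spf_identity, trace.spf_result = spf_match.group(1), spf_match.group(2)
        elif "using engine:" in line and "interim" not in line:
            # the final (non-interim) anti-spam verdict, e.g. "CASE spam positive"
            trace.spam_verdict = line.split("using engine: ", 1)[1].strip()
        elif "ISQ: Tagging MID" in line:
            trace.isq_tagged = True
        elif "ISQ: Quarantined MID" in line:
            trace.quarantined = True
    return traces


def decide(trace: MessageTrace, allowed_senders: Iterable[str]) -> str:
    """Model of the reply's advice: anti-spam is skipped only for a listed
    envelope sender, and only when SPF mailfrom passed; a listed sender that
    fails SPF is quarantined instead of trusted. Returns one of
    "bypass", "quarantine", "scan" (labels chosen for this example)."""
    if trace.mail_from not in set(allowed_senders):
        return "scan"  # not on the list: the ordinary CASE verdict stands
    if trace.spf_result == "Pass":
        return "bypass"  # listed sender with a passing SPF mailfrom check
    return "quarantine"  # listed sender, but SPF failed or was never evaluated


if __name__ == "__main__":
    for mid, trace in parse_mail_log(SAMPLE_LOG).items():
        print(mid, trace.mail_from, "SPF", trace.spf_result, "|", trace.spam_verdict,
              "| quarantined" if trace.quarantined else "|", "->", decide(trace, ALLOWED_SENDERS))
```

Run as a script it prints one line per MID. For 2495837 the parser confirms what the question shows: SPF mailfrom passed, CASE still said spam positive, and ISQ quarantined the message, which is why an address-based allowlist in the HAT sender group could not help and the mail-policy route is the one that applies; the SPF guard in `decide` is what stops a spoofed use of the same envelope address from inheriting the bypass.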

Ok I found out that our whitelist had spam scanning turned on by default.  I disabled that and we are able to get our social engineering tests through now by having the 3 IPs our contracted company gave us in that whitelist area.

Thank you!

I was a little confused because the description of that sender group WHITELIST says "My trusted senders have no anti-spam scanning or rate limiting".  In actuality anti-spam scanning was on.  Never go by the description, always double (and triple) check settings.

Measure twice, cut once I guess!

Hey Keith,

The WHITELIST from the HAT table will not accept @domain or sender@domain.com; even with Spam scanning disabled on the TRUSTED mailflow policy.

It will give you the allowance to submit the changes, but won't function as expected.

In the WHITELIST sendergroup you'll need to add entire mail servers to match it.

Regards,

Matthew