Community Member

Anti-spoofing rule

I am trying to create an anti-spoofing rule using the message filter feature.

It is like

if ( header("from") == "@*mydomain\\.com$" ) { apply anti-spoofing rules here; }

But the rough part is to be able to whitelist certain hosts, e.g., our partners.

For example:

AND ( header("Received") != "whitelist1|whitelist2...." )

Is there a better way to do this? My concern is that this will get very long and error-prone over time.


Thanks,
Jack

5 REPLIES
Community Member

Re: Anti-spoofing rule

I think the question is "what are you trying to achieve?"

Cisco Employee

Re: Anti-spoofing rule

What if you add all your partner IP addresses/domains to a sendergroup called 'partner_whitelist'?

Next, you can modify your existing filter to bypass spoofing checks from partner domains:

if (( header("from") == "@*mydomain\\.com$" ) AND (sendergroup != 'partner_whitelist'))
{ apply anti-spoofing rules here; }
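The decision logic of the filter in the reply above, as an added Python example that is not part of the original posts and is not appliance code: it lets you check a partner list and sample senders offline before building the filter. The partner networks, sample messages and function names are constructed, and matching on the parsed address domain (exact or subdomain) is an assumption that is stricter than the thread's regex on the header text.

```python
import ipaddress
from email.utils import parseaddr

OWN_DOMAIN = "mydomain.com"  # domain used in the thread
# Constructed stand-in for the 'partner_whitelist' sender group (documentation ranges).
PARTNER_WHITELIST = [ipaddress.ip_network(n)
                     for n in ("192.0.2.0/24", "198.51.100.25/32")]

def from_domain(from_header):
    """Return the lower-cased domain of the From address, or '' if none."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def in_partner_whitelist(remote_ip):
    """True when the connecting IP falls inside any partner network."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in net for net in PARTNER_WHITELIST)

def is_spoof_candidate(from_header, remote_ip):
    """True when From claims our domain and the connecting host is not a partner."""
    dom = from_domain(from_header)
    claims_own = dom == OWN_DOMAIN or dom.endswith("." + OWN_DOMAIN)
    return claims_own and not in_partner_whitelist(remote_ip)

# Constructed sample messages: (From header value, connecting IP).
SAMPLES = [
    ("Jack <jack@mydomain.com>", "203.0.113.7"),   # own domain, unknown host
    ("Jack <jack@mydomain.com>", "192.0.2.44"),    # own domain, partner host
    ("news@partner.example", "203.0.113.7"),       # foreign domain
    ('"jack@mydomain.com" <x@other.example>', "203.0.113.7"),  # display name only
    ("alerts@notmydomain.com", "203.0.113.7"),     # look-alike suffix
]

def evaluate(samples=SAMPLES):
    """Return one verdict per sample, in order."""
    return [is_spoof_candidate(f, ip) for f, ip in samples]

if __name__ == "__main__":
    for (f, ip), hit in zip(SAMPLES, evaluate()):
        print(f"{'APPLY' if hit else 'skip':5} {ip:15} {f}")
```

Only the first sample triggers the anti-spoofing branch; the partner host is bypassed by connecting IP, so the list is maintained in one place instead of inside a growing header regex.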

Community Member

Re: Anti-spoofing rule

I would also have a look at Knowledge Base Article 115. This describes some of the risks and gives a short explanation. You will find a short filter, too.

Dirk

Community Member

Re: Anti-spoofing rule

I forgot to mention these boxes are not internet facing. Has anyone tried to use the dictionary?

Cisco Employee

Re: Anti-spoofing rule

Dictionary matching should work as well.

The following example matches an email address in the “to” header and blind copies an administrator:

headerTest:
if (header-dictionary-match ('', 'to')){
bcc('administrator@example.com');
}
