Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1792
Views
5
Helpful
4
Replies

Create a copy of inbound mails and place it on a particular queue

Go to solution
pagosojayson
Level 1
Level 1

‎03-19-2018 06:24 PM - edited ‎03-08-2019 07:35 PM

Hi,

 

So I have the below requirements:

 

The objective is to gain a current understanding as to the quantity and type of inbound email with *@client.com to understand the consequence of eventually blocking or quarantining this mail. I need to fully understanding the consequence of blocking any inbound email first by;

 

1. Maintaining current workflow - The email needs to still go though its normal/current path of inspections, checks, and sent to the staff member’s mailbox as per the current process/workflow within Ironport – provided it is not malicious of course. No change here and I am assuming there is very little email coming inbound from our domain.


2. Take a copy of this inbound email with *@client.com to better understand the current business needs versus the consequence of blocking or quarantining this email in the future. What is this email? Where is it coming from? Why? Who is the recipient? Who is the sender? What is the actual risk? I am hoping we can send this copy to a quarantine queue somewhere in Ironport for 30 days and then just auto delete.

 

Can anyone please point me to the right direction

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee
In response to pagosojayson

‎03-20-2018 06:39 PM

The duplicate quarantine action sends a copy of the email to the quarantine and the original email would continue processing normally.

 

Also, the action to be taken at the end of retention period and the time to retain can be configured by you when you add or modify a quarantine.

 

Regards,

Libin Varghese

View solution in original post

4 Replies 4

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee

‎03-19-2018 08:06 PM

To get details about an email from @domain.com  you can navigate to Monitor -> Message Tracking and perform a search based on the sender or recipient.

 

To get a copy of specific email to go to a quarantine you can create an incoming/outgoing content filter to look at the sender/recipient domain and perform the duplicate quarantine action (basically quarantine action with duplicate message box checked).

 

You have also create a new policy quarantine with a custom retention time under Monitor -> Policy, Virus and Outbreak quarantines.

 

Regards,

Libin Varghese

 

 

0 Helpful

Go to solution
pagosojayson
Level 1
Level 1
In response to Libin Varghese

‎03-20-2018 06:17 PM

Hi Libin,

 

Thanks a lot for your reply.   I would just like to check if this will actually block those emails if you assign them in a policy quarantine and what would happen to the email after the retention period.  We do not want to block those emails but just create a copy so we can further understand the behaviour.

 

Thanks in advance,

 

Regards,

Jayson

0 Helpful

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee
In response to pagosojayson

‎03-20-2018 06:39 PM

The duplicate quarantine action sends a copy of the email to the quarantine and the original email would continue processing normally.

 

Also, the action to be taken at the end of retention period and the time to retain can be configured by you when you add or modify a quarantine.

 

Regards,

Libin Varghese

Go to solution
pagosojayson
Level 1
Level 1
In response to Libin Varghese

‎03-20-2018 09:08 PM

Hi Libin,

 

Thanks a lot for the reply.  I will try the solution you provided.

 

Regards,

Jayson

0 Helpful
Customers Also Viewed These Support Documents