
Cisco Email Security: Bootcamp

Dragan Novaković, Security Consulting Systems Engineer
dnovakov@cisco.com

Agenda

• Short History of SMTP
• Email Security Architecture
• Routing Email, Bounces, MIME
• The Email Pipeline - Mail Flow Policies, Incoming vs. Outgoing Mail
• Security engines and their parameters - Configuration and Best Practice
• Encryption
• Authentication - Anti-Spoofing and Anti-phishing
Short History of SMTP
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
ARPANET in 1971

Source: Heart, F., McKenzie, A., McQuillian, J., and Walden, D., ARPANET Completion Report, Bolt, Beranek and Newman, Burlington, MA, January 4, 1978

The First Email System: SNDMSG & CPYNET

(Figure: BBN-TENEXB, a DEC PDP-10 with 216 KB memory, and BBN-TENEXA, a DEC PDP-10 with 288 KB memory; a Teletype KSR-33, the first email reader!)

Source: http://openmap.bbn.com/~tomlinso/ray/ka10.html, retrieved 01 Dec 2014. Photograph courtesy of Dan Murphy.

1981: RFC788, Simple Mail Transfer Protocol

Source: http://mercury.lcs.mit.edu/~jnc/tech/arpageo.html, retrieved 01 December 2014.

1978: The First Spammer, Gary Thuerk!
Mail-from: DEC-MARLBORO rcvd at 3-May-78 0955-PDT
Date: 1 May 1978 1233-EDT
From: THUERK at DEC-MARLBORO
Subject: ADRIAN@SRI-KL

DIGITAL WILL BE GIVING A PRODUCT PRESENTATION OF THE NEWEST MEMBERS OF THE
DECSYSTEM-20 FAMILY; THE DECSYSTEM-2020, 2020T, 2060, AND 2060T. THE
DECSYSTEM-20 FAMILY OF COMPUTERS HAS EVOLVED FROM THE TENEX OPERATING SYSTEM
AND THE DECSYSTEM-10 <PDP-10> COMPUTER ARCHITECTURE. BOTH THE DECSYSTEM-2060T
AND 2020T OFFER FULL ARPANET SUPPORT UNDER THE TOPS-20 OPERATING SYSTEM.
THE DECSYSTEM-2060 IS AN UPWARD EXTENSION OF THE CURRENT DECSYSTEM 2040
AND 2050 FAMILY. THE DECSYSTEM-2020 IS A NEW LOW END MEMBER OF THE
DECSYSTEM-20 FAMILY AND FULLY SOFTWARE COMPATIBLE WITH ALL OF THE OTHER
DECSYSTEM-20 MODELS.

WE INVITE YOU TO COME SEE THE 2020 AND HEAR ABOUT THE DECSYSTEM-20 FAMILY
AT THE TWO PRODUCT PRESENTATIONS WE WILL BE GIVING IN CALIFORNIA THIS
MONTH. THE LOCATIONS WILL BE:

TUESDAY, MAY 9, 1978 - 2 PM


HYATT HOUSE (NEAR THE L.A. AIRPORT)
LOS ANGELES, CA

THURSDAY, MAY 11, 1978 - 2 PM


DUNFEY'S ROYAL COACH
SAN MATEO, CA
(4 MILES SOUTH OF S.F. AIRPORT AT BAYSHORE, RT 101 AND RT 92)

A 2020 WILL BE THERE FOR YOU TO VIEW. ALSO TERMINALS ON-LINE TO OTHER
DECSYSTEM-20 SYSTEMS THROUGH THE ARPANET. IF YOU ARE UNABLE TO ATTEND,
PLEASE FEEL FREE TO CONTACT THE NEAREST DEC OFFICE
FOR MORE INFORMATION ABOUT THE EXCITING DECSYSTEM-20 FAMILY.
The First Anti-Spam
ON 2 MAY 78 DIGITAL EQUIPMENT CORPORATION (DEC) SENT OUT AN ARPANET
MESSAGE ADVERTISING THEIR NEW COMPUTER SYSTEMS. THIS WAS A FLAGRANT
VIOLATION OF THE USE OF ARPANET AS THE NETWORK IS TO BE USED FOR
OFFICIAL U.S. GOVERNMENT BUSINESS ONLY. APPROPRIATE ACTION IS BEING
TAKEN TO PRECLUDE ITS OCCURRENCE AGAIN.
IN ENFORCEMENT OF THIS POLICY DCA IS DEPENDENT ON THE ARPANET
SPONSORS, AND HOST AND TIP LIAISONS. IT IS IMPERATIVE YOU INFORM YOUR
USERS AND CONTRACTORS WHO ARE PROVIDED ARPANET ACCESS THE MEANING
OF THIS POLICY.
THANK YOU FOR YOUR COOPERATION.
MAJOR RAYMOND CZAHOR
CHIEF, ARPANET MANAGEMENT BRANCH, DCA

SMTP Design Specifics

• Hop-by-hop
• Store-and-forward
• Always try to deliver!
• 7-bit ASCII
• Implicit authentication

A Simple SMTP conversation
Connected to alln-mx-01.cisco.com.
Escape character is '^]'.
220 alln-inbound-a.cisco.com ESMTP
HELO rcub.bg.ac.rs
250 alln-inbound-a.cisco.com
MAIL FROM:<cupavi@rcub.bg.ac.rs>                        } Envelope
250 sender <cupavi@rcub.bg.ac.rs> ok                    }
RCPT TO:<dnovakov@cisco.com>                            }
250 recipient <dnovakov@cisco.com> ok                   }
DATA
354 go ahead
Subject: The simplest email message                     } Headers
From: Dragan <cupavi@rcub.bg.ac.rs>                     }
To: Dragan Novakovic (dnovakov) <dnovakov@cisco.com>    }

Just basic headers and a short body.                    } Body
.
250 ok: Message 5395042 accepted
QUIT
221 alln-inbound-a.cisco.com
Connection closed by foreign host.
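The envelope / headers / body split annotated above, in code. This is an added example, not from the deck: it parses a constructed session transcript in which the header From: deliberately names a different domain than the envelope MAIL FROM, which plain SMTP accepts without complaint (the "implicit authentication" of the previous slide).

```python
"""Split a captured SMTP session into envelope, headers and body.

Added example (not from the Cisco deck). The transcript is a constructed
variant of the one on the slide: the envelope sender (MAIL FROM) and the
header From: disagree, and nothing in SMTP itself objects to that.
"""
import email
from email.policy import default

# Constructed session transcript: server replies start with a three-digit code,
# everything else is what the client sent.
SESSION = """\
220 alln-inbound-a.cisco.com ESMTP
HELO rcub.bg.ac.rs
250 alln-inbound-a.cisco.com
MAIL FROM:<cupavi@rcub.bg.ac.rs>
250 sender <cupavi@rcub.bg.ac.rs> ok
RCPT TO:<dnovakov@cisco.com>
250 recipient <dnovakov@cisco.com> ok
DATA
354 go ahead
Subject: The simplest email message
From: Dragan <someone@example.org>
To: Dragan Novakovic (dnovakov) <dnovakov@cisco.com>

Just basic headers and a short body.
.
250 ok: Message 5395042 accepted
QUIT
221 alln-inbound-a.cisco.com
"""


def _addr(cmd_arg):
    """Extract the address from a 'MAIL FROM:<a@b>' style argument (brackets optional)."""
    arg = cmd_arg.strip()
    if arg.startswith("<") and arg.endswith(">"):
        arg = arg[1:-1]
    return arg


def parse_session(transcript):
    """Return envelope sender/recipients, the header From: address and the body.

    Lines starting with a three-digit code are server replies. Everything
    between the 354 reply and the lone '.' is the message (headers, blank
    line, body) and is handed to the email module.
    """
    mail_from, rcpt_to, data_lines, in_data = None, [], [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":
                in_data = False
            else:
                # Undo dot-stuffing: a leading '.' is doubled inside DATA (RFC 5321 4.5.2)
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        if len(line) >= 3 and line[:3].isdigit():
            if line.startswith("354"):
                in_data = True
            continue
        verb, _, arg = line.partition(":")
        if verb.upper() == "MAIL FROM":
            mail_from = _addr(arg)
        elif verb.upper() == "RCPT TO":
            rcpt_to.append(_addr(arg))
    msg = email.message_from_string("\n".join(data_lines), policy=default)
    return {
        "mail_from": mail_from,
        "rcpt_to": rcpt_to,
        "header_from": msg["From"].addresses[0].addr_spec if msg["From"] else None,
        "body": msg.get_content().strip(),
    }


def sender_mismatch(parsed):
    """True when the envelope sender and header From: use different domains,
    the condition a DMARC identifier-alignment check is built to catch."""
    env_dom = parsed["mail_from"].rsplit("@", 1)[-1].lower()
    hdr_dom = parsed["header_from"].rsplit("@", 1)[-1].lower()
    return env_dom != hdr_dom
```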

Routing Email: DNS MX Records
What Are MX Records?
• DNS RR defined in RFC5321
• Defines a mailhost – an SMTP gateway – for a zone (domain or FQDN)
• Also defines a preference value (“priority”)
– Lowest-numbered mail exchangers will be contacted first
– Mail exchangers with same preference values will be contacted round-robin
• Usually, spammers will contact the highest-preference (highest-numbered, i.e. backup) mail exchanger first
• DNS MX records provide
– Failover (different preference)
– (Good enough) load balancing (same preference)

MX Examples
$ host -t mx cisco.com
cisco.com mail is handled by 10 alln-mx-01.cisco.com.
cisco.com mail is handled by 20 rcdn-mx-01.cisco.com.
cisco.com mail is handled by 30 aer-mx-01.cisco.com.
$ host -t mx yahoo.com
yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
$ host -t mx mtv.com
mtv.com mail is handled by 10 mail.viacom.com.
mtv.com mail is handled by 50 mailw.viacom.com.
mtv.com mail is handled by 10 mail1.viacom.com.
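Added example (not from the deck): parsing the `host -t mx` output above and producing the order in which an RFC 5321 client tries the exchangers, including the random pick among equal preferences and the list of backup exchangers that the previous slide says spammers go for first.

```python
"""Order MX hosts the way an RFC 5321 sending MTA does.

Added example (not from the Cisco deck). Parses `host -t mx` output into
(preference, host) pairs, then produces the contact order: ascending
preference, equal-preference hosts shuffled so load is spread across them.
The random seed is a parameter so the result is repeatable.
"""
import random
import re
from collections import OrderedDict

# Constructed copy of the slide's `host -t mx` output for the three domains.
HOST_OUTPUT = """\
cisco.com mail is handled by 10 alln-mx-01.cisco.com.
cisco.com mail is handled by 20 rcdn-mx-01.cisco.com.
cisco.com mail is handled by 30 aer-mx-01.cisco.com.
yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
mtv.com mail is handled by 10 mail.viacom.com.
mtv.com mail is handled by 50 mailw.viacom.com.
mtv.com mail is handled by 10 mail1.viacom.com.
"""

LINE_RE = re.compile(r"^(\S+) mail is handled by (\d+) (\S+?)\.?$")


def parse_host_output(text):
    """Return {domain: [(preference, host), ...]} in the order printed."""
    records = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        domain, pref, host = m.group(1), int(m.group(2)), m.group(3)
        records.setdefault(domain, []).append((pref, host))
    return records


def contact_order(mx_records, seed=None):
    """Hosts in the order a sending MTA should try them.

    RFC 5321 section 5.1: sort by preference, lowest first; among records
    with the same preference pick at random so each carries a share of load.
    """
    rng = random.Random(seed)
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        order.extend(group)
    return order


def backup_exchangers(mx_records):
    """Hosts outside the lowest-preference group: the backups spammers tend to
    hit first, so their filtering must be as strict as the primary's."""
    lowest = min(pref for pref, _ in mx_records)
    return [host for pref, host in mx_records if pref != lowest]
```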

Bounces: The Control Protocol of Email
What Are Bounces?
• The receiving side notifies the sender about different error conditions using bounces
• In essence, numeric error codes transmitted to the sender (and optionally some text to accompany the error code)
• It is up to the recipient of the bounce (the original sender) to take action on it
• Spambots usually lack capabilities to understand bounces
– Simple way for spammer detection
– Greylisting
• Bounce spam: rare but deadly
• Although it sounds compelling, bounces should never be rejected/dropped/ignored

Bounces By Severity
Soft Bounces (e.g. 421 Please Try Again Later)
• Temporary errors
• Sender will requeue messages and try again later
• Default retry period: 4 hours

Hard Bounces (e.g. 500 No Such User)
• Permanent errors
• Sender will drop the message and notify sending person via email
Bounces By Origin
Inline (In-Conversation) Bounces

220 alln-inbound-i.cisco.com ESMTP
EHLO rcub.bg.ac.rs
250-alln-inbound-i.cisco.com
250-8BITMIME
250-SIZE 33554432
250 STARTTLS
MAIL FROM: provocateur@internet.org
250 sender <provocateur@internet.org> ok
RCPT TO: ren.zhengfei@huawei.com
550 #5.1.0 Address rejected.

Out-of-band (Delayed) Bounces

MAIL FROM: <>
From: Mail Delivery Subsystem <MAILER-DAEMON@cisco.com>
To: <dnovakov@cisco.com>
Subject: Returned mail: see transcript for details

The original message was received at Wed, 19 Nov 2014 08:42:04 -0600
from localhost.localdomain [127.0.0.1]

----- The following addresses had permanent fatal errors -----
<asdfg@cisco.com>
(reason: 550 5.1.1 <asdfg@cisco.com>... User unknown)

----- Transcript of session follows -----
... while talking to outbound.cisco.com.:
DATA
<<< 550 5.1.1 <asdfg@cisco.com>... User unknown
550 5.1.1 <asdfg@cisco.com>... User unknown

Examples of Bounces

Delivery Status Notification:

To: <dnovakov@cisco.com>
From: Mail Delivery System <MAILER-DAEMON@rcdn-iport-2.cisco.com>
Subject: Delivery Status Notification (Failure)

The following message to <mshademan@hr-communication.com> was undeliverable.

The reason for the problem:
5.4.7 - Delivery expired (message too old) 'timeout'

Inline bounce in the SMTP session:

220 mx1.hc4-93.c3s2.smtpi.com ESMTP
EHLO rcub.rs
250-mx1.hc4-93.c3s2.smtpi.com
250-8BITMIME
250-SIZE 10485760
250 STARTTLS
MAIL FROM: cupavi@rcub.bg.ac.rs
250 sender <cupavi@rcub.bg.ac.rs> ok
RCPT TO: dnovakov@cisco.com
452 Too many recipients received this hour

Examples of Bounces

Inline bounce in the SMTP session:

220 mx1.hc4-93.c3s2.smtpi.com ESMTP
ehlo bla
250-mx1.hc4-93.c3s2.smtpi.com
250-8BITMIME
250-SIZE 10485760
250 STARTTLS
mail from: spammer@spamspam.spam
250 sender <spammer@spamspam.spam> ok
RCPT TO: cupavi@ibm.com
550 #5.7.1 Your access to submit messages to this e-mail system has been rejected.

Delivery Status Notification:

To: <dnovakov@cisco.com>
From: Mail Delivery System <MAILER-DAEMON@rcdn-iport-6.cisco.com>
Subject: Delivery Status Notification (Failure)

The following message to <Basheer/Bahrain/GBM/NBR@d06ml300.ports.uk.ibm.com> was undeliverable.

The reason for the problem:
5.1.2 - Bad destination host 'DNS Hard Error looking up d06ml300.portsmouth.uk.ibm.com (MX): NXDomain'
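Added example, not code from the deck: a classifier for the reply lines seen on the last four slides, mapping 4xx to soft bounces (requeue, 4-hour default) and 5xx to hard bounces (drop and notify), and decoding the enhanced status code where one is present, with or without the '#' prefix the examples show.

```python
"""Classify SMTP replies into soft (4xx, retry) and hard (5xx, drop + DSN) bounces.

Added example, not code from the Cisco deck. Handles the reply forms on the
slides: plain codes ("421 Please Try Again Later"), RFC 3463 enhanced status
codes ("550 5.1.1 ... User unknown") and the '#'-prefixed variant
("550 #5.7.1 ..."). The retry period is the slide's 4-hour default.
"""
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_RETRY_SECONDS = 4 * 60 * 60   # slide: "Default retry period: 4 hours"

REPLY_RE = re.compile(
    r"^(?P<code>[2345]\d{2})(?P<sep>[ -])"            # ' ' = final line, '-' = continuation
    r"(?:#?(?P<esc>[245]\.\d{1,3}\.\d{1,3})\s+)?"     # optional enhanced status code
    r"(?P<text>.*)$"
)


@dataclass
class Verdict:
    code: int
    enhanced: Optional[str]
    kind: str          # "accepted", "intermediate", "soft" or "hard"
    action: str        # what the sending MTA should do
    retry_after: int   # seconds; 0 when no retry is due
    text: str


def classify_reply(reply):
    """Map one (possibly multi-line) SMTP reply to a Verdict.

    Only the terminating line (space after the code) carries the final status;
    continuation lines such as '250-8BITMIME' are skipped.
    """
    final = None
    for line in reply.splitlines():
        m = REPLY_RE.match(line.strip())
        if m is None:
            raise ValueError("not an SMTP reply line: %r" % line)
        if m.group("sep") == " ":
            final = m
            break
    if final is None:
        raise ValueError("reply has no terminating line")
    code, esc, text = int(final.group("code")), final.group("esc"), final.group("text")
    if code // 100 == 4:
        return Verdict(code, esc, "soft", "requeue and retry later", DEFAULT_RETRY_SECONDS, text)
    if code // 100 == 5:
        return Verdict(code, esc, "hard", "drop message, send DSN to original sender", 0, text)
    if code // 100 == 3:
        return Verdict(code, esc, "intermediate", "send message data", 0, text)
    return Verdict(code, esc, "accepted", "none", 0, text)


def enhanced_subject(verdict):
    """Subject field of an enhanced status code (RFC 3463): 1 = addressing,
    4 = routing, 5 = protocol, 7 = security/policy; None when absent."""
    if verdict.enhanced is None:
        return None
    return int(verdict.enhanced.split(".")[1])
```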

The Danger of Bounces
• Bounce messages may be used to deliver spam
• Don’t fall for bounce phishing messages – bounces are a notification mechanism, never asking for action!
• Spambots cause bounce spam with misdirected bounces
• Backscatter attack – the most profitable Email DDoS
  1. Hire a botnet
  2. Spoof millions of messages to non-existent recipients claiming to come from DDoS target
  3. Watch their Email systems go down under the flood of bounce messages from all over the Internet
• Effective countermeasures from all bounce-based dangers: SPF, DMARC and BATV (all supported by Cisco Email Security Appliance and Cloud Email Security!)
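Added example, not from the deck or the ESA's own implementation: a BATV-style (PRVS) signed envelope sender and the check that rejects backscatter bounces addressed to senders we never used. The key material, the tag lifetime and the HMAC-SHA1 / 6-hex-digit tag format are assumptions.

```python
"""BATV (Bounce Address Tag Validation) in the PRVS style against backscatter.

Added example, not code from the Cisco deck or the ESA. Outbound mail gets a
signed, time-limited envelope sender; an incoming bounce (MAIL FROM:<>) whose
RCPT TO carries no valid tag cannot be a reply to anything we sent.
Assumptions: HMAC-SHA1 truncated to 6 hex digits, a day counter modulo 1000
and a one-digit key id, as in the BATV draft's PRVS scheme.
"""
import hashlib
import hmac
import re

PRVS_RE = re.compile(
    r"^prvs=(?P<key>\d)(?P<day>\d{3})(?P<sig>[0-9a-f]{6})=(?P<local>[^@]+)@(?P<domain>.+)$",
    re.I,
)

# Constructed signing keys; a real deployment keeps these in a secret store.
KEYS = {"0": b"constructed-key-0-rotate-me", "1": b"constructed-key-1-rotate-me"}
VALID_DAYS = 7      # tag lifetime; a bounce for older mail is not expected


def _sig(key, expiry_day, address):
    mac = hmac.new(key, ("%03d%s" % (expiry_day, address.lower())).encode("ascii"), hashlib.sha1)
    return mac.hexdigest()[:6]


def sign_sender(address, today, key_id="0", valid_days=VALID_DAYS):
    """Return the PRVS-tagged form of `address` for mail sent on day `today`.

    `today` is a day count (e.g. days since the Unix epoch). The tag stores
    (today + valid_days) mod 1000 so the receiver can tell when it expires.
    """
    local, domain = address.rsplit("@", 1)
    expiry = (today + valid_days) % 1000
    return "prvs=%s%03d%s=%s@%s" % (key_id, expiry, _sig(KEYS[key_id], expiry, address), local, domain)


def check_bounce_recipient(rcpt, today):
    """Validate the RCPT TO of an incoming bounce.

    Returns (accept, reason, original_address). Misdirected bounces, i.e.
    backscatter from messages we never sent, carry no tag or a bad signature.
    """
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, "no BATV tag: bounce for a message we did not send", None
    key = KEYS.get(m.group("key"))
    if key is None:
        return False, "unknown key id", None
    address = "%s@%s" % (m.group("local"), m.group("domain"))
    expiry = int(m.group("day"))
    if not hmac.compare_digest(_sig(key, expiry, address), m.group("sig").lower()):
        return False, "bad signature: forged or corrupted tag", None
    # Days left until expiry, modulo 1000 so the wrap of the day counter is harmless.
    remaining = (expiry - today % 1000) % 1000
    if remaining > VALID_DAYS:
        return False, "tag expired", address
    return True, "valid tag", address
```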

MIME: Sending Rich Content using 7-bit ASCII
What Is MIME?
• Multipurpose Internet Mail Extensions, defined in RFC2045-2049
• Methods to encode rich content to be transferred over 7-bit protocol (SMTP)
• Further development added support for specific content type encoding for encrypted and signed data
• Later on, widely used in other Internet technologies: HTTP, FTP, generic data encoding (“mime types”)

Anatomy of An Email Message

(Figure: a message from Craig Johnson <Craig@mailbox.com> to Curt Von <Curt@hotmail.com>, showing some headers, a text message (in HTML), a binary attachment (displayed inline) and a couple of attachments, such as Craig Johnson.vcf)
Anatomy of An Email Message (2)
From: Craig Johnson <Craig@mailbox.com>
Subject: Here is that jpeg
To: Curt Von <curt@hotmail.com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_11111"
    [MIME multipart/mixed + Boundary_11111]

This is a multi-part message in MIME format.
    [Preamble]

--Boundary_11111
Content-type: multipart/alternative; boundary="Boundary_22222"
    [MIME multipart/alternative + Boundary_22222]

--Boundary_22222
Content-type: text/plain; format=flowed; charset=us-ascii
Content-transfer-encoding: 7bit

Please let me know when you get this!
    [Alternative Text Part]

--Boundary_22222
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
...
</html>
    [Alternative HTML Part]

--Boundary_22222--
    [Closing multipart/alternative (Boundary_22222)]

--Boundary_11111
    [Next container boundary]
Content-type: image/jpeg; name=AV-Options.jpg
Content-transfer-encoding: base64
Content-disposition: inline; filename=Antivirus-Options.jpg
    [Inline displayed image]

/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRof
KACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9k=

--Boundary_11111
Content-type: text/plain; CHARSET=us-ascii; name="Craig Johnson.vcf"
Content-transfer-encoding: 7bit
Content-disposition: inline; filename="Craig Johnson.vcf"
    [Text/plain vCard attachment]

BEGIN:VCARD
VERSION:3.0
N:Johnson;Craig;;;
...
END:VCARD

--Boundary_11111--
    [Closing Boundary_11111]
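Added example, not from the deck: walking the message above with Python's email package and inventorying every leaf part. The message is a constructed, complete version of the slide's (the slide truncates the HTML, the JPEG data and the vCard); the check at the end catches a detail the slide itself shows, the Content-Type name= and the Content-Disposition filename= of the image not agreeing.

```python
"""Walk a multipart MIME message and inventory its parts.

Added example, not code from the Cisco deck. RAW is a constructed, complete
version of the slide's "Here is that jpeg" message. For each leaf part it
records content type, transfer encoding, disposition and both places a
filename can appear (Content-Type name= and Content-Disposition filename=),
and flags parts where the two names differ, which a content filter should
examine rather than trusting either one.
"""
import base64
import email
from email.policy import default

# Constructed: JPEG SOI/APP0 marker bytes plus padding and an EOI marker.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 28 + b"\xff\xd9"

RAW = """\
From: Craig Johnson <Craig@mailbox.com>
Subject: Here is that jpeg
To: Curt Von <curt@hotmail.com>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_11111"

This is a multi-part message in MIME format.

--Boundary_11111
Content-type: multipart/alternative; boundary="Boundary_22222"

--Boundary_22222
Content-type: text/plain; format=flowed; charset=us-ascii
Content-transfer-encoding: 7bit

Please let me know when you get this!

--Boundary_22222
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 7bit

<html><body><p>Please let me know when you get this!</p></body></html>
--Boundary_22222--

--Boundary_11111
Content-type: image/jpeg; name=AV-Options.jpg
Content-transfer-encoding: base64
Content-disposition: inline; filename=Antivirus-Options.jpg

""" + base64.b64encode(JPEG_BYTES).decode("ascii") + """

--Boundary_11111
Content-type: text/plain; CHARSET=us-ascii; name="Craig Johnson.vcf"
Content-transfer-encoding: 7bit
Content-disposition: inline; filename="Craig Johnson.vcf"

BEGIN:VCARD
VERSION:3.0
N:Johnson;Craig;;;
END:VCARD

--Boundary_11111--
"""


def inventory(raw):
    """Return one dict per leaf (non-multipart) part, in document order."""
    msg = email.message_from_string(raw, policy=default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # transfer encoding undone
        parts.append({
            "content_type": part.get_content_type(),
            "encoding": part.get("Content-Transfer-Encoding", "7bit").lower(),
            "disposition": part.get_content_disposition(),   # 'inline', 'attachment' or None
            "type_name": part.get_param("name"),              # name= on Content-Type
            "filename": part.get_filename(),                  # filename= on Content-Disposition
            "size": len(payload),
            "magic_jpeg": payload.startswith(b"\xff\xd8\xff"),  # declared type vs actual bytes
        })
    return parts


def name_mismatches(parts):
    """Parts whose Content-Type name= and Content-Disposition filename= disagree."""
    return [p for p in parts
            if p["type_name"] and p["filename"] and p["type_name"] != p["filename"]]
```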

Email Security Architecture
Flexible Deployment and Software Subscription Options

Deployment Options
• On Premises: Appliance, Virtual, Hybrid
  Subscription terms: 1, 3, 5 years – starting at 100 mailboxes
• Cloud: Hybrid, Cloud, Managed
  Subscription terms: monthly, quarterly, annual – starting at 100 mailboxes

Software Subscription Bundles
• INBOUND: Antivirus/Anti-spam, Outbreak Filter
• OUTBOUND: DLP, Encryption
• PREMIUM = INBOUND + OUTBOUND

A La Carte Software
AMP, Graymail Safe-Unsubscribe, Image Analyzer, McAfee AV, Intelligent Multi-Scan, ZIX
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Email Terms and Flow
• You send an email to a customer… how does it get there?

(Diagram: you type and send the email → your Groupware Server processes it → your MTA Relay (relay if external) looks up DNS and sends it to the Internet → the customer’s MTA Relay receives it and sends it to the customer’s Groupware Server, which processes it → the customer receives it; an LDAP Server sits beside the Groupware Server on each side)

• Groupware? SMTP?
• Relay? LDAP?
• MTA? DNS?

Where does all of this live?

Email Architecture Overview

(Diagram: Internet – ASA Firewall – IPS – DMZ containing Cisco ESA (IronPort C Series), Cisco WSA (IronPort S Series) and Cisco SMA (IronPort M Series) – Internal Network containing the MTA Relay, Groupware Server and LDAP Server)

Traffic Flow Considerations
Email is simple. We want to be the:
§ First Hop In
§ Last Hop Out

Traffic flow and installation connectivity will depend on the customer’s security policy needs.

Create an A record that maps the appliance’s hostname to its IP address, and an MX record that maps your public domain to the appliance’s hostname.

Specify a priority for the MX record to advertise the Email Security appliance as either a primary or backup MTA for your domain.

Appliance Design
Protected Public Interface

§ Public interface protected by firewall
§ Can filter inbound and outbound ESA traffic
§ No inside interface filtering
§ Works well in smaller accounts
§ Unprotected inside interface can cause heartburn with security teams

(Diagram: Internet – firewall – ESA outside interface; ESA inside interface – Mail Server)
Appliance Design
Dual DMZ Interfaces (Best Practice)

§ Both interfaces are protected by the firewall
§ Traffic can be buffered during an interface failure, or NIC pairing can be applied
§ Can filter and control traffic to/from the Internet and to/from the internal network
§ Offers protection of all resources
§ Firewall represents a possible single point of failure or bottleneck

(Diagram: Internet – firewall – ESA outside interface; ESA inside interface – firewall – Mail Server)
Appliance Design
Single Interface (Best Practice)

§ System protected by firewall
§ Simplifies firewall configuration for passing traffic
§ Single interface represents a “possible” traffic bottleneck
§ Preferred and THE most common method of installation for customers

(Diagram: Internet – firewall – ESA single interface – Mail Server)
Appliance Design
Large DMZ with Dual Firewalls (Best Practice)

§ System is well protected
§ Traffic can be buffered during an interface failure
§ Configure redundant firewalls for maximum uptime and to reduce single points of failure

(Diagram: Internet – outer firewall – ESA outside interface; ESA inside interface – inner firewall – Mail Server)
Separate Management Network (Best Practice)

§ Meets the most stringent customer connectivity needs
§ Requires a larger appliance with 3 interfaces
§ Can be done in multi-firewall DMZ or with a single interface installation
§ Use the route command on CLI to configure traffic flows for the 3rd interface

(Diagram: Internet – firewall – ESA outside interface; ESA inside interface – Mail Server; ESA third interface – Management Network Link)
Multiple MX Records
• The easiest and most common way to do redundancy
• Relies on the robust nature of communications on the Internet
• If one server cannot be contacted, fail over to the next on the list

company.com MX preference = 10, mail exchanger = west.mail.company.com
company.com MX preference = 10, mail exchanger = east.mail.company.com

(Diagram: Internet – west.mail.company.com (West Coast Mail Server) and east.mail.company.com (East Coast Mail Server))

High Availability
§ Use larger appliances with RAID arrays and redundant power supplies
§ Configure NIC teaming to help protect against network failures
§ Use multiple appliances and MX records
§ Appliances can be load balanced with VIPs on a L4-7 switch

(Diagram: Internet – L4-7 Switch – appliances – Mail Server)
Clustering Appliances (Centralized Management)
• Manage a group of ESAs by making changes to one
• No extra servers or software
• Configuration changes on one machine pushed to the others
• Can cluster up to 20 machines
• Centralized reports, message tracking and quarantining on M-Series

(Diagram: Internet – Cluster of ESAs at West Coast and East Coast, each in front of a Mail Server)
The Email Pipeline
Mapping Features to Protection

Inbound:
• Sender Reputation – 80-90% Block Rate (Connection Filters)
• Connection Control – Throttling, DHAP, SPF, DKIM, DMARC (Connection Filters, Spoof Detection)
• CASE (AS, GM, OF) – Over 300 Behavioral Indicators, Multi-Verdict scanning (Spam Filter, URL Analysis)
• Anti-Virus (Sophos, McAfee) – Block 100% of known viruses (Anti-Malware Defense)
• File Reputation – SHA based file blocking (Advanced Malware Protection, AMP)
• File Analysis (Advanced Malware Protection, AMP)
• Graymail Detection – Control marketing, social and bulk (Marketing Filter)
• Content Filtering – Business and Security Rules (Rules)
• Outbreak Filtering – 9-12 hr lead time on Outbreaks (0-day Malware, Anti-Phishing and URL Analysis)

Outbound, Post-Delivery Analysis & Interaction:
• CASE (AS, GM, OF) – Over 300 Behavioral Indicators, Outbound Spam Filters (Outbound Threat Filters)
• Anti-Virus (Sophos, McAfee) – Block 100% of known viruses (Anti-Malware Defense)
• File Reputation & Analysis (Advanced Malware Protection, AMP)
• Data Loss Prevention – Over 140 pre-built filters (Outbound Data Protection)
• Envelope Encryption – Push Based Encryption (Outbound Data Protection)
• Safe Unsubscribe – Perform unsub for users (Marketing)
• Web Interaction – Track User clicks (URL Analysis)
• AMP Retrospection – Alerts on File Disposition (Advanced Malware Protection, AMP)
• Mailbox Auto Remediation – Delete or Forward from O365 (Advanced Malware Protection, AMP)

Filtering In The Email Pipeline
SMTP SERVER
• Host Access Table (HAT)
• Received Header
• Default Domain
• Domain Map
• Recipient Access Table (RAT)
• Alias Table
• LDAP RCPT Accept
• SMTP Call-Ahead
• DKIM / SPF Verification
• DMARC Verification
• S/MIME Verification

WORKQUEUE
• LDAP RCPT Accept (WQ)
• Masquerading (Table / LDAP)
• LDAP Routing
• Message Filters
• Per-Policy Scanning: Anti-Spam, Anti-Virus, Advanced Malware (AMP), Graymail, Safe Unsubscribe, Content Filtering, Outbreak Filtering, DLP Filtering (Outbound)

SMTP CLIENT
• Encryption
• Virtual Gateways
• Delivery Limits
• Received: Header
• Domain-Based Limits
• Domain-Based Routing
• Global Unsubscribe
• S/MIME Encryption
• DKIM Signing
• Bounce Profiles
• Message Delivery

SMTP Server

• Handling the SMTP conversation and queuing of messages
• First line of defense against attacks
• Focus on HAT, RAT, LDAP, DKIM, SPF and DMARC

SMTP SERVER stages: Host Access Table (HAT), Received Header, Default Domain, Domain Map, Recipient Access Table (RAT), Alias Table, LDAP RCPT Accept, SMTP Call-Ahead, DKIM / SPF Verification, DMARC Verification, S/MIME Verification

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Workqueue
• The workqueue is where the security inspection happens on the ESA
• Each of the steps here is important to determine the threat and who gets a message
• Message splintering, filtering and threat protection are detailed next

WORKQUEUE stages, in order: LDAP RCPT Accept (WQ), Masquerading (Table / LDAP), LDAP Routing, Message Filters, then Per-Policy Scanning: Anti-Spam, Anti-Virus, Advanced Malware (AMP), Graymail, Safe Unsubscribe, Content Filtering, Outbreak Filtering, DLP Filtering (Outbound)
Processing Incoming Mail (Work Queue)
[Diagram: engine order on the AsyncOS email platform for incoming mail]
Reputation Filters -> Message Filters -> Anti-Spam -> Anti-Virus -> Content Filters -> Outbreak Filters
Purpose: filtering of external threats
Processing Outgoing Mail (Work Queue)
[Diagram: engine order on the AsyncOS email platform for outgoing mail; engines marked OFF are disabled on the outgoing policy]
Reputation Filters (OFF) -> Message Filters -> Anti-Spam (OFF) -> Anti-Virus -> Content Filters -> Outbreak Filters (OFF) -> DLP Engine
Purpose: enforcing corporate compliance
Per Policy Scanning
• Use policies to leverage message splintering and apply rules and scanning as required
• Top down / first match wins, so order is very important

SMTP Client flow
• The SMTP Client is responsible for message stamping and delivery
• Controlling delivery is important to ensure your reputation on the Internet is maintained
• Queueing and bounce controls are handled during the client phase

SMTP CLIENT stages, in order: Encryption, Virtual Gateways, Delivery Limits, Received: Header, Domain-Based Limits, Domain-Based Routing, Global Unsubscribe, S/MIME Encryption, DKIM Signing, Bounce Profiles, Message Delivery
Cisco Email Security Integration with Threat Intelligence
Built on Outstanding Collective Security Analytics from Cisco Talos
[Diagram: Talos (Sourcefire, Cognitive, OpenDNS, ThreatGrid) collects telemetry from Email, Endpoints, Web, Networks, IPS and Devices. Figures as stated on the slide:]
• 1.6 million global sensors
• 35% of worldwide email traffic
• 100 TB of data received per day
• 13 billion web requests per day
• 150 million+ deployed endpoints
• 24x7x365 operations
• 600+ engineers, technicians and researchers
• 40+ languages
• 180,000+ file samples per day
Sources: Cisco AMP Community, advanced Microsoft and industry disclosures, Snort and ClamAV open source communities, honeypots, Sourcefire AEGIS Program, private and public threat feeds, dynamic analysis
Understanding Email Reputation
[Diagram: data sources feeding the IP Reputation Score (-10 to +10): Complaint Reports, IP Blacklists and Whitelists, Geo-Location Data, Spam Traps, Message Composition Data, Website Composition Data, Compromised Host Lists, Host Data, Domain Blacklist and Safelists, Global Volume Data, DNS Data, Other Data]
• Breadth and quality of data makes the difference
• Real-time insight into this data allows us to see threats before anyone else in the industry and protect our customers
Email Reputation Efficiency
Threat Intelligence
§ Over 1.6 million global devices
§ Historical library of 40,000 threats
§ 35% of global email traffic seen per day
§ 13 billion+ worldwide web requests seen per day
§ 200+ parameters tracked
§ Multivector visibility

Benefits
§ Automated updates delivered to Cisco security devices every 3–5 minutes
§ 8M+ rules per day
§ Understanding of vulnerabilities and exploit technologies
§ Visibility into highest threat vehicles
§ Latest attack trends and techniques

[Diagram: IP Reputation Score scale from -10 to +10]
Why is Telemetry important
• Provides Talos insight on targeted attacks
• Hidden CLI command to give more details to Talos - "fullsenderbaseconfig"

What is sent to Talos?
• When enabled, the Context Adaptive Scanning Engine (CASE) is used to collect and report the data (regardless of whether or not Cisco anti-spam scanning is enabled)
• The data is summarized information on message attributes and information on how different types of messages were handled by Cisco appliances. We do not collect the full body of the message.

Item | Sample data
Message count at various stages within the appliance | Seen by Anti-Virus engine: 100; Seen by Anti-Spam engine: 80
Sum of Anti-Spam and Anti-Virus scores and verdicts | 2,000 (sum of anti-spam scores for all messages seen)
Number of messages hitting different Anti-Spam and Anti-Virus rule combinations | 100 messages hit rules A and B; 50 messages hit rule A only
Number of Connections | 20 SMTP Connections
Number of Total and Invalid Recipients | 50 total recipients; 10 invalid recipients
Hashed Filename(s) (a) | A file <one-way-hash>.pif was found inside an archive attachment called <one-way-hash>.zip.
Obfuscated Filename(s) (b) | A file aaaaaaa0.aaa.pif was found inside a file aaaaaaa.zip.
URL Hostname (c) | There was a link found inside a message to www.domain.com
Obfuscated URL Path (d) | There was a link found inside a message to hostname www.domain.com, and it had path aaa000aa/aa00aaa.
Number of Messages by Spam and Virus Scanning Results | 10 Spam Positive; 10 Spam Negative; 5 Spam Suspect; 4 Virus Positive; 16 Virus Negative; 5 Virus Unscannable
Number of messages by different Anti-Spam and Anti-Virus verdicts | 500 spam, 300 ham
Count of Messages in Size Ranges | 125 in 30K-35K range
Count of different extension types | 300 ".exe" attachments
Correlation of attachment types, true file type, and container type | 100 attachments that have a ".doc" extension but are actually ".exe"; 50 attachments are ".exe" extensions within a zip
Correlation of extension and true file type with attachment size | 30 attachments were ".exe" within the 50-55K range
Number of attached files uploaded to the file reputation service (AMP cloud) | 1110 files were uploaded to the file reputation service
Verdicts on files uploaded to the file reputation service (AMP cloud) | 10 files were found to be malicious; 100 files were found to be clean; 1000 files were unknown to the reputation service
Reputation score of files uploaded to the file reputation service (AMP cloud) | 50 files had a reputation score of 37; 50 files had a reputation score of 57; 1 file had a reputation score of 61; 9 files had a reputation score of 99
Names of files uploaded to the file reputation service (AMP cloud) | example.pdf; testfile.doc
Names of malware threats detected by the file reputation service (AMP cloud) | Trojan-Test
What is Reputation Security?
• Reputation Security delivers a numeric score about an object, which allows a security device to take a policy-based action.
• Reputation is built on three things:
  • Our own assessment (e.g., using Talos data)
  • Assessment by trusted 3rd parties
  • Sophisticated models that produce a score in real-time

[Diagram: Cisco Talos IP Address Reputation. Example: 23.24.19.29 scores -3 on a scale from -10 to +10; the negative end is labeled Black List, the range below 0 Suspect, and 0 Unknown.]
Host Access Table Structure
• One HAT is associated with each listener, and a listener is defined as Public or Private; once a listener is created its type cannot be changed.
• IPs and hosts are evaluated in the HAT top down, first match wins
• SenderGroups are containers that define the policy applied on a match
• Inclusion in a SenderGroup is defined by reputation score, DNS, or explicit match
SenderGroup Options
• A SenderBase Reputation Score (SBRS) range can be attached to each SenderGroup; make sure the neutral and "no score" ranges are covered by some group
• Within the settings you define the Name and the Mail Flow Policy
• Nomenclature is important, as the group name is displayed in logs and reports
• RBLs (DNS blocklists) can be leveraged if required

Example mail_logs entries for a connection matched by SBRS range:
Thu Jun 9 13:40:34 2016 Info: New SMTP ICID 8 interface Management (10.10.10.90) address 94.46.249.12
Thu Jun 9 13:40:34 2016 Info: ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1
Thu Jun 9 13:40:34 2016 Info: Start MID 410 ICID 8
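The two slides above (HAT structure and SenderGroup options) describe top-down, first-match evaluation and the log line that records the decision. The following is an added example, not code from the Cisco deck or the appliance: it models that evaluation for a constructed HAT and parses ICID lines from mail_logs. Group names, SBRS ranges, the CIDR entry, the reverse-DNS suffix and all log lines except the SUSPECTLIST one quoted on the slide are constructed.

```python
"""Added example (not from the Cisco deck): a model of the HAT's top-down,
first-match sender-group evaluation, plus a parser for the ICID lines the ESA
writes to mail_logs. Group names, SBRS ranges, the CIDR entries and all log
lines except the SUSPECTLIST one quoted on the slide are constructed."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class SenderGroup:
    name: str
    policy: str                                   # mail flow policy applied on match
    sbrs: Optional[tuple] = None                  # inclusive (low, high) SBRS range
    hosts: list = field(default_factory=list)     # explicit IP / CIDR entries
    dns_suffixes: list = field(default_factory=list)  # reverse-DNS name suffixes
    catch_all: bool = False                       # the final ALL group

    def matches(self, ip: str, sbrs: Optional[float], rdns: Optional[str]) -> bool:
        if self.catch_all:
            return True
        addr = ip_address(ip)
        if any(addr in ip_network(h, strict=False) for h in self.hosts):
            return True
        if rdns and any(rdns.lower().endswith(s.lower()) for s in self.dns_suffixes):
            return True
        if self.sbrs is not None and sbrs is not None:
            low, high = self.sbrs
            return low <= sbrs <= high
        return False


# Constructed HAT. Order is the whole point: explicit entries sit above the
# score-based groups, the ranges overlap at -3.0 (first match decides), and the
# catch-all at the bottom is what picks up hosts with no SBRS at all.
HAT = [
    SenderGroup("WHITELIST", "TRUSTED", hosts=["203.0.113.0/24"],
                dns_suffixes=[".partner.example"]),
    SenderGroup("BLACKLIST", "BLOCKED", sbrs=(-10.0, -3.0)),
    SenderGroup("SUSPECTLIST", "THROTTLED", sbrs=(-3.0, -1.0)),
    SenderGroup("UNKNOWNLIST", "ACCEPTED", sbrs=(-1.0, 10.0)),
    SenderGroup("ALL", "ACCEPTED", catch_all=True),
]


def evaluate_hat(hat, ip, sbrs=None, rdns=None):
    """Return (sender group name, mail flow policy) for a connecting host."""
    for group in hat:
        if group.matches(ip, sbrs, rdns):
            return group.name, group.policy
    raise LookupError("HAT has no catch-all group; the ESA always ends with ALL")


# mail_logs line written when the HAT decision is made for a connection (ICID).
ICID_RE = re.compile(
    r"ICID (?P<icid>\d+) (?P<verdict>ACCEPT|REJECT|TCPREFUSE|RELAY) "
    r"SG (?P<group>\S+) match (?P<match>\S+)(?: SBRS (?P<sbrs>-?[\d.]+|None))?"
)


def parse_icid_line(line):
    """Extract the sender group decision from one mail_logs line, or None."""
    m = ICID_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["icid"] = int(rec["icid"])
    rec["sbrs"] = None if rec["sbrs"] in (None, "None") else float(rec["sbrs"])
    return rec


def group_counts(lines):
    """Count HAT decisions per (sender group, verdict): a quick check that no
    group is silently absorbing traffic it should not (e.g. ALL accepting
    unscored hosts you meant to throttle)."""
    counts = {}
    for line in lines:
        rec = parse_icid_line(line)
        if rec:
            key = (rec["group"], rec["verdict"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Real line from the slide plus constructed ones in the same format.
SAMPLE_LOG = [
    "Thu Jun 9 13:40:34 2016 Info: ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1",
    "Thu Jun 9 13:41:02 2016 Info: ICID 9 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -7.4",
    "Thu Jun 9 13:41:10 2016 Info: ICID 10 ACCEPT SG ALL match ALL SBRS None",
    "Thu Jun 9 13:41:11 2016 Info: Start MID 411 ICID 10",
]
```

Run group_counts over a day of mail_logs and compare against the HAT: a large ACCEPT count on ALL means hosts with no score are bypassing your throttled groups, which is exactly the "no score range" gap the slide warns about.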
Customizing Reputation on the ESA
• The reputation score is determined when the connection is initiated
• Sender Groups and their actions are defined by the administrator
• Reputation can block 80-90% of connections on the ESA
[Screenshots: the default HAT settings ("Moderate Blocking") beside a customized HAT ("Aggressive Throttling")]
Separating Non-Business Critical Mail (new in 11.0)
• By explicitly adding hosts, IPs and countries to a SenderGroup we can force the desired connection behavior
• The idea is to limit the attack surface by throttling or blocking non-critical email
MailFlow policies: Host vs Sender Throttling
• By default the only MFP that
has any Host limiting is the
throttle policy
• By default, there are no
Envelope Sender Limits set on
the ESA
• It is recommended to use
Sender Limits in suspect
ranges

MailFlow policies: Security Settings
• The DHAP (Directory Harvest Attack Prevention) threshold is set high by default on the ESA; it is recommended to tune it lower on suspect ranges
• SMTP Call-Ahead and LDAP Accept enhance DHAP by rejecting invalid recipients during the SMTP conversation, so each probe for a non-existent user is counted against the threshold rather than accepted and bounced later
MailFlow policies: Security Settings
• TLS is not enabled by default for incoming or outgoing mail
• Three levels of checking: Off, Preferred and Required; Preferred can be set on the default mail flow policy
• Required (mandatory TLS) can be set up per destination as a list, or as its own SenderGroup with a dedicated mail flow policy
Reputation + Sender Groups + Mail Flow Policies
[Diagram: what the ESA checks at each step of the SMTP conversation]
START (TCP connect): Concurrent Connection Limit Check; Reputation Query; SBRS to HAT Mapping; Check Access (TCP_REFUSE -> REJECT); Mail Flow Policy selected from the Host Access Table
HELO / EHLO: Concurrent Connection Limit Check; Reputation Query; SBRS to HAT Mapping; Check Access (TCP_REFUSE -> REJECT)
MAIL FROM: Max Messages per Envelope Sender; TLS / SMTP AUTH connection verification
RCPT TO: Rate Limiting (max recipients per hour, etc.); Delayed Reject; RAT Check
DATA: SPF Check; DKIM; DMARC; Data Size, Subject size; accept and mark values for AS, AV, S/MIME
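The conversation diagram above and the DHAP point on the Security Settings slide describe per-policy limits that only make sense together. The following is an added example, not Cisco code: a small model of the recipient checks a listener makes at RCPT TO under a mail flow policy (RAT, LDAP accept / call-ahead, recipient rate limit, DHAP) run against a constructed directory-harvest attempt. Domains, directory contents, thresholds and reply texts are constructed; real ESA replies and counters (which are kept per sending host per hour) differ in detail.

```python
"""Added example, not Cisco code: a model of the per-connection recipient checks
the ESA makes at RCPT TO under a mail flow policy (RAT, LDAP accept /
call-ahead, recipient rate limit, DHAP). Domains, directory contents,
thresholds and reply texts are constructed; real ESA replies and counters
(which are kept per sending host per hour) differ in detail."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class MailFlowPolicy:
    max_rcpt_per_message: int
    max_rcpt_per_hour: int          # recipient rate limit per sending host
    dhap_max_invalid_per_hour: int  # Directory Harvest Attack Prevention threshold


class Listener:
    def __init__(self, rat_domains, directory, policy):
        self.rat = {d.lower() for d in rat_domains}       # Recipient Access Table
        self.directory = {u.lower() for u in directory}   # what LDAP accept would answer
        self.policy = policy
        self.rcpts = defaultdict(int)      # recipients seen per host (this hour)
        self.invalid = defaultdict(int)    # invalid recipients per host (this hour)
        self.dropped = set()               # hosts whose connections DHAP now drops

    def rcpt_to(self, host, recipient, accepted):
        """Handle one RCPT TO from `host`; `accepted` is the message's recipient
        list so far. Returns the SMTP reply the listener would send."""
        if host in self.dropped:
            return "421 too many invalid recipients, connection dropped (DHAP)"
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain not in self.rat:
            # RAT reject: not one of our domains, so not a directory probe either
            return "550 relaying denied"
        if len(accepted) >= self.policy.max_rcpt_per_message:
            return "452 too many recipients for this message"
        self.rcpts[host] += 1
        if self.rcpts[host] > self.policy.max_rcpt_per_hour:
            return "452 recipient rate limit exceeded"
        if recipient.lower() not in self.directory:
            # LDAP accept / call-ahead says the user does not exist: reject in the
            # conversation and count it toward the DHAP threshold for this host
            self.invalid[host] += 1
            if self.invalid[host] >= self.policy.dhap_max_invalid_per_hour:
                self.dropped.add(host)
                return "421 too many invalid recipients, connection dropped (DHAP)"
            return "550 no such user"
        accepted.append(recipient.lower())
        return "250 recipient ok"


def harvest_attempt(listener, host, candidates):
    """Simulate a sender enumerating addresses; return the replies in order."""
    accepted, replies = [], []
    for cand in candidates:
        replies.append(listener.rcpt_to(host, cand, accepted))
    return replies


# Constructed "suspect" policy with a deliberately low DHAP threshold, and a
# constructed two-user directory to run it against.
POLICY_SUSPECT = MailFlowPolicy(max_rcpt_per_message=10, max_rcpt_per_hour=50,
                                dhap_max_invalid_per_hour=3)
LISTENER = Listener(rat_domains=["domain.com"],
                    directory=["alice@domain.com", "bob@domain.com"],
                    policy=POLICY_SUSPECT)
```

Note the asymmetry the model makes visible: a RAT reject for a foreign domain never counts toward DHAP (the sender learned nothing about your directory), while every 550 for an unknown local user does, which is why the slide recommends a lower threshold on suspect ranges.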
Sample HAT Worksheet
• Sample Host Access
Table and Mail Flow
policy sheet to help
create a layout /
strategy for connection
control
• Pre-populated with
sample values, modify
as you see fit

https://cisco.box.com/s/vd7d2p7i8k61v9zzc6k3gv7v7e8vj0zn

Per Policy Scanning
• Top down / first match wins, order is very important

Policy Match Conditions
• Complex conditions inside a policy using
AND/OR/NOT
• Multiple conditions can be used inside the
same policy
• Move your logic from the filter into the policy
and reduce resource consumption
• From AsyncOS 10.0 onward, when a message is matched to a mail policy, the envelope sender and the envelope recipient have a higher priority than the sender header.
Policy Engine And Splintering
• If a single message matches multiple policies, it will be splintered
• Splintering only occurs if multiple policies are matched
[Diagram: a message "MAIL FROM: bob@domain.com" with "RCPT TO: joe@remote.org" and "RCPT TO: jane@remote.org" enters the SMTP SERVER (HAT, RAT, LDAP Routing, ...). In the WORKQUEUE, at Per-Policy Scanning, the two recipients match different policies, so the message is split into two copies: one for joe@remote.org and one for jane@remote.org. Each copy is scanned by its own policy (Anti-Spam, Anti-Virus, AMP, Graymail, Content Filtering, Outbreak Filtering, DLP) and handed separately to the SMTP CLIENT (Encryption, Virtual Gateways, Delivery Limits, Received: Header, Domain-Based Limits, Domain-Based Routing).]
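The Policy Match Conditions and Splintering slides above describe policy selection as top-down, first-match with ANDed conditions, and splintering as one copy per matched policy. The following is an added example, not Cisco code: it implements that selection for a constructed incoming policy table and shows when the message from the diagram is splintered and when it is not. Policy names, address patterns and the per-policy settings are constructed.

```python
"""Added example, not Cisco code: how per-policy scanning picks a mail policy
per recipient (top down, first match, conditions ANDed) and splinters a
multi-recipient message into one copy per policy. The policies, address
patterns and scanning settings are constructed."""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class MailPolicy:
    name: str
    senders: list = field(default_factory=list)     # envelope-sender patterns (any)
    recipients: list = field(default_factory=list)  # envelope-recipient patterns (any)
    settings: dict = field(default_factory=dict)    # per-policy engine settings


def _any_match(address, patterns):
    return any(fnmatch.fnmatchcase(address.lower(), p.lower()) for p in patterns)


def policy_for(mail_from, rcpt, policies):
    """First policy whose sender AND recipient conditions both hold; an empty
    condition list means 'any'. The last policy must be the default."""
    for pol in policies:
        if (not pol.senders or _any_match(mail_from, pol.senders)) and \
           (not pol.recipients or _any_match(rcpt, pol.recipients)):
            return pol
    raise LookupError("no default policy at the bottom of the table")


def splinter(mail_from, rcpt_to, policies):
    """Group recipients by matched policy. One entry == no splintering;
    more than one entry == one copy of the message per policy."""
    copies = {}
    for rcpt in rcpt_to:
        pol = policy_for(mail_from, rcpt, policies)
        copies.setdefault(pol.name, []).append(rcpt)
    return copies


# Constructed policy table. Order matters: jane@remote.org also matches
# "*@remote.org", but the first row wins, so she gets the Executives settings.
INCOMING_POLICIES = [
    MailPolicy("Executives", recipients=["jane@remote.org"],
               settings={"anti_spam": "aggressive", "amp": "quarantine_unknown"}),
    MailPolicy("Remote-org", recipients=["*@remote.org"],
               settings={"anti_spam": "default"}),
    MailPolicy("Partner-senders", senders=["*@domain.com"],
               settings={"anti_spam": "off"}),
    MailPolicy("Default", settings={"anti_spam": "default"}),
]
```

Swapping the first two rows would silently give jane@remote.org the Remote-org settings with no error, which is the ordering pitfall the slides warn about; the dictionary returned by splinter makes such mistakes visible in a unit test before the table goes into production.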
Using Policies vs Dictionaries
• Customers often use dictionaries to match senders / recipients for block lists / allow lists
• Applying a block via content filter + dictionary causes all messages to be scanned by the engines first, which uses more resources
• Using policies to splinter and apply actions is quicker, because the policy match happens before the scanning engines run
Cisco ESA Antispam
Understanding CASE
• CASE stands for Context Adaptive Scanning Engine
• CASE is the combination of the Anti-Spam (IPAS), Graymail and Outbreak engines
• Each engine provides an interim verdict; CASE combines them into the final verdict, and depending on the action configured for the engine the message is either passed on or dropped
• A non-final action (e.g. Quarantine) allows a message to continue processing down the workqueue
• A final action such as drop causes an "early exit" condition
• Other scanning blades may take precedence if another engine determines a positive condition
[Diagram: IPAS Interim Verdict, GrayMail Interim Verdict and Threat Outbreak Filtering Interim Verdict feed CASE, which issues the Final Verdict]
Antispam Processing
Defense in Depth
[Diagram: SBRS answers Who, What, When, Where and How for incoming mail (good, bad and unknown email). Intelligent Multiscan (IMS) chains the Cisco Anti-spam Engine with a third-party Anti-spam Engine B, with a further Cisco engine marked "Future".]
Anti-Spam, powered by Cisco and applied via Mail Policies:
§ Known bad email is blocked before entering the network
§ Normal mail is spam filtered
§ Suspicious emails are rate limited and spam filtered
§ Whitelisted mail is still spam filtered
§ URL reputation and context are used in scoring
§ > 99% catch rate
§ < 1 in 1 million false positives
Spam Analysis by CASE
[Diagram: the four questions CASE asks about a message, with example indicators, and the verdict scale]
HOW? The message leaves a trace of a spamware tool
WHAT? All text inside an image; random dots appear within the message; nearly identical color scheme in 100,000s of spamtrap messages
WHO? IP address recently started sending email; message originated from a dial-up IP address; sending IP address located in regions known for attacks
WHERE? The URL in the message (e.g. WWW.FASTMONEY.COM) and its reputation
Verdict by CASE score:
• Positive Spam: > 90
• Suspect Spam: > 50
• Clean Message: <= 49
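The "Understanding CASE" slide explains interim and final verdicts and the early-exit rule, and the slide above gives the score thresholds. The following is an added example, not Cisco code: the thresholds from the slide as a function (treating exactly 50 as suspect is this example's assumption, since the slide leaves that value unstated) and a toy workqueue showing why a final action such as drop stops the remaining engines while quarantine lets them run. Engine results and per-policy actions are constructed.

```python
"""Added example, not Cisco code: the CASE verdict thresholds from the slide
(positive > 90, suspect > 50, clean <= 49; exactly 50 is treated as suspect
here, an assumption) and a toy workqueue showing why a final action such as
drop is an 'early exit' while quarantine lets the remaining engines run.
Engine results and per-policy actions are constructed."""

FINAL_ACTIONS = {"drop", "bounce"}


def spam_verdict(score, positive=90, suspect=50):
    """Map a CASE score to the verdict the anti-spam engine returns."""
    if score > positive:
        return "POSITIVE"
    if score >= suspect:
        return "SUSPECT"
    return "CLEAN"


def run_workqueue(message, policy, engines):
    """Run per-policy engines in pipeline order. Each engine returns a verdict
    string or None; the policy maps (engine, verdict) to an action. A final
    action stops processing; anything else is recorded and processing goes on."""
    trace, actions = [], []
    for name, engine in engines:
        verdict = engine(message)
        trace.append((name, verdict))
        action = policy.get((name, verdict))
        if action is None:
            continue
        actions.append(action)
        if action in FINAL_ACTIONS:
            return {"trace": trace, "actions": actions, "disposition": action.upper()}
    disposition = "QUARANTINE" if "quarantine" in actions else "DELIVER"
    return {"trace": trace, "actions": actions, "disposition": disposition}


# Constructed engines: CASE anti-spam from a score carried on the message, a
# signature AV hit, an AMP disposition and a graymail category.
ENGINES = [
    ("anti-spam", lambda m: spam_verdict(m["case_score"])),
    ("anti-virus", lambda m: "VIRUS" if m.get("av_hit") else "CLEAN"),
    ("amp", lambda m: m.get("amp_disposition", "CLEAN")),
    ("graymail", lambda m: m.get("graymail")),
    ("outbreak", lambda m: "OUTBREAK" if m.get("outbreak_rule") else None),
]

# Constructed per-policy actions, in the spirit of the defaults: positive spam
# dropped, suspect spam quarantined, viruses dropped, unknown AMP files quarantined.
POLICY = {
    ("anti-spam", "POSITIVE"): "drop",
    ("anti-spam", "SUSPECT"): "quarantine",
    ("anti-virus", "VIRUS"): "drop",
    ("amp", "MALICIOUS"): "drop",
    ("amp", "UNKNOWN"): "quarantine",
    ("graymail", "MARKETING"): "add_unsubscribe_link",
    ("outbreak", "OUTBREAK"): "quarantine",
}
```

The trace is the useful part when tuning: a message that is positive spam and also carries a virus shows only the anti-spam engine in its trace, which is why AV and AMP counters in reports drop when anti-spam is set to drop rather than quarantine.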
Anti-Spam Scanning
• You can adjust the thresholds
for Suspect / Positive spam to
increase or decrease sensitivity
• Don’t do it, unless you really
have to
• As we tune spam rules, we use
the default thresholds as a
baseline, so this may result in
undesired results

Enable and Tune CASE engines
• Enable Anti-Spam, and if the hardware allows it increase the scanning size thresholds ("always scan messages smaller than" to 1M, "never scan messages larger than" to 2M) so that larger messages are scanned too
• Enable Graymail: it is a free engine which helps with Anti-Spam efficacy. Introduced in 9.5, so upgrade!
• Enable Threat Outbreak Filters, and if the hardware allows it increase the scan size to 1M
Why scan size matters
• Chart from Talos shows the volume
of spam in large message sizes is
small compared to spam overall
• Most spam is actually quite small
• However, by not increasing scan
size you could be giving larger
spam a free pass
• Majority of spam captured in the
512KB and 896KB region, capture
plateaus around 1.3MB

Graymail - Marketing Message Detection
[Screenshot: a vendor e-mail newsletter (editor's column, business and application articles, product tip of the month, customer training and event links, a customer success story) ending with a Buy.com privacy policy notice stating that collected information is shared with affiliate companies.]
§ Not Spam, because of tacit opt-in and working opt-out
Graymail management
[Diagram: Graymail Detection sits alongside the threat defense engines (Reputation Filter, Anti-spam, Anti-virus, Advanced Malware Protection) and returns a verdict of Social Network, Bulk or Marketing. Configurable actions: Quarantine (with Whitelist = allow sender, Blacklist = block sender, Release = safe unsubscribe), Add Safe Unsubscribe Link, or Block.]
Enable Graymail Scanning
• Graymail has two components: Detection and Unsubscribe
• Graymail Detection is included; it comes as part of the base email subscription license
• The graymail engine provides verdicts to IPAS (which makes the final decision), leading to better overall email efficacy
Graymail monitoring

• Separate categories for:


• Marketing
• Social Networking
• Bulk messages

Using Graymail and Outlook Junk Folders
• 2 steps: Mark x-header in Graymail, Filter in Exchange to set the SCL value

Graymail Unsubscribe
• Graymail Unsubscribe is an additional
license
• It provides protection against malicious
threats masquerading as unsubscribe
links
• A uniform interface for all subscription
management to end-users
• Better visibility to the email
administrators and end-users into such
emails

Graymail Unsubscribe
• Malware agents use unsubscribe links to deliver payloads
• The add-on license to the ESA provides unsubscribe detection and validation
End User Experience
[Diagram: three steps]
1. The end-user clicks on the rewritten unsubscription link in the banner
2. Click-time check of the rewritten link; if found safe, redirect to the Un-Subscribe service
3. Cisco executes the un-subscription on behalf of the end-user
Cisco ESA Anti-Virus
Anti-Virus Overview
§ IronPort supports multiple anti-virus engines
§ Choose to enable the Sophos and/or McAfee anti-virus engines to scan for viruses in the work queue
§ Sophos and McAfee Anti-Virus provide a virus detection engine that scans files for viruses, Trojan horses, and worms.
[Diagram: AsyncOS MTA platform pipeline: Reputation Filters -> Message Filters -> Anti-Spam -> Anti-Virus -> Content Filters -> Outbreak Filters]
Block known viruses
• Sophos comes bundled with the licenses: enable it and block known viruses
• Encrypted => password protected, signed
• Unscannable => too large to scan, malformed
• Do you still repair? Most customers today do not have the repair option enabled for virus-infected messages.
• 10.0.1 introduces the new Sophos CxMail engine
Configuring Anti-Virus Behavior on a Mail Policy
• Mail Policies > Incoming Mail Policies > AV link in Mail Policy
[Screenshot: click the link in the Anti-Virus column to edit the policy]

Configuring Anti-Virus Settings Page
Mail Policies > Incoming Mail Policies > AV link in Mail Policy
[Screenshot annotations:]
• Enable AV for the Mail Policy
• Choose the scan behavior when a virus is found: Scan, or Scan and Repair
• When attachments are dropped, the rest of the message is delivered, usually producing spam of another sort

Configuring Anti-Virus Settings Page (cont'd)
[Screenshot annotations:]
• For both Encrypted and Unscannable, you can't be sure the message is clean
• Advanced settings let you provide custom headers for mail agents to sort on, or redirect a message
Advanced Malware Protection (AMP)
Enabling AMP

• AMP is an additional license on the ESA and CES


• 4 components to AMP:
• File Reputation
• File Analysis
• File Retrospection
• Mailbox Auto Remediation (v10+)

How AMP works
[Diagram: components on the Email Security Appliance / VM / Cloud and in the AMP Cloud]
File Reputation: the AMP connector on the appliance sends a File Reputation Query (disposition query) to the AMP Cloud and updates its local cache with the disposition value. SBRS, CASE and the local AV scanners (AV pre-classification) run before AMP.
File Analysis: the sandbox connector uploads qualified files for sandboxing to Cisco Threat Grid (TG pre-classification, then TG sandboxing); the AMP feedback loop returns results only for malicious files.
Retrospective: a Retrospective Heartbeat lets the AMP Cloud push changed dispositions back to the appliance.
Mailbox Auto Remediation: on a retrospective malicious verdict, an API call to O365 pulls the malicious emails from the mailboxes.
AMP File Analysis – Check your file types and settings!

AMP File Analysis – 11.1 increases file types
• 11.1 provides parity with Threat Grid file support
• The new Pre-Classification engine allows additional file types to be supported for analysis
• Pre-classification in the cloud allows greater intelligence on files to be gathered
• Must be enabled after upgrade
AMP Dynamic Quarantine
• Use the quarantine to delay files and wait for analysis results
• Typically file results are returned in under 10 minutes; the default setting is to wait up to 1 hr before releasing
AMP Retrospection Alerts
Two styles of alerts are now generated by AMP for retrospective events (11.1 adds an option to suppress the alerts for non-delivered messages):

Change in disposition, message not delivered. The Info message is:
Retrospective verdict received.
SHA256: 7c48eb3b1fea5705fc70539f2a0539a3be794d6b70408a31c9ea461855657cd0
Timestamp: 2016-09-19T19:39:13Z
Verdict: MALICIOUS
Reputation Score: 0
Spyname: W32.Auto:7c48eb3b1f.in05.Talos

Change in disposition and message delivered. The Info message is:
Retrospective verdict received for NEW SAMPLE ORDER 1.doc.
SHA256: ce49d65659304dcb7ae63182e17aa4b6f09740caaf77f1565a682bd2bb4e2bf4
Timestamp: 2016-09-19T19:39:12Z
Verdict: MALICIOUS
Reputation Score: 0
Spyname: RTF.CE49D65659.agent.tht.Talos
Version: 10.0.0-124
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Total users affected: 1
Timestamp: 19 Sep 2016 14:39:13 -0500
----------- Affected Messages ---------------

Message 1
MID : 20045
Subject : Sample Pictures and Letter of Intent as shown on attached files (3)
From : alfredo@comerquim.com.ec
Bcc : LAURA.LEWIS@somecustomername.com
File name : NEW SAMPLE ORDER 1.doc
Parent SHA256 : ,
Parent File name : ,
Date : 2016-09-19T05:35:48Z

---------------------------------------------------
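The delivered-message alert above is what a SOC receives when a file that was already delivered turns malicious. The following is an added example, not Cisco code: it parses that alert text into structured fields and lists the (MID, recipient, filename) tuples that need remediation. The sample reproduces the slide's alert verbatim; the field layout of other alert versions is not guaranteed to match.

```python
"""Added example, not Cisco code: parse the text of an AMP retrospective alert
(the delivered-message form shown on the slide) into structured data a SOC can
act on. The sample below reproduces the slide's alert; the field layout of
other alert versions is not guaranteed to match."""
import re

SAMPLE_ALERT = """Retrospective verdict received for NEW SAMPLE ORDER 1.doc.
SHA256: ce49d65659304dcb7ae63182e17aa4b6f09740caaf77f1565a682bd2bb4e2bf4
Timestamp: 2016-09-19T19:39:12Z
Verdict: MALICIOUS
Reputation Score: 0
Spyname: RTF.CE49D65659.agent.tht.Talos
Version: 10.0.0-124
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Total users affected: 1
Timestamp: 19 Sep 2016 14:39:13 -0500
----------- Affected Messages ---------------

Message 1
MID : 20045
Subject : Sample Pictures and Letter of Intent as shown on attached files (3)
From : alfredo@comerquim.com.ec
Bcc : LAURA.LEWIS@somecustomername.com
File name : NEW SAMPLE ORDER 1.doc
Parent SHA256 : ,
Parent File name : ,
Date : 2016-09-19T05:35:48Z

---------------------------------------------------
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# "Key: value" or "Key : value"; the lazy key stops at the first colon, so
# values that themselves contain colons (timestamps, Spyname) are kept whole.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?P<value>.*)$")


def parse_retro_alert(text):
    """Return {'sha256', 'verdict', 'spyname', ..., 'delivered', 'messages': [...]}.
    A header field that repeats (the two Timestamps) keeps its first value;
    affected-message fields are grouped per 'Message N' block."""
    head, sep, tail = text.partition("Affected Messages")
    alert = {"delivered": bool(sep), "messages": []}
    for line in head.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            alert.setdefault(m["key"].strip().lower(), m["value"].strip())
    current = None
    for line in tail.splitlines():
        line = line.strip()
        if line.startswith("Message "):
            current = {}
            alert["messages"].append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # empty fields appear as "," in the alert (Parent SHA256 : ,)
            current[m["key"].strip().lower()] = m["value"].strip().rstrip(",").strip()
    if not SHA256_RE.match(alert.get("sha256", "")):
        raise ValueError("alert has no well-formed SHA256")
    return alert


def remediation_targets(alert):
    """(mid, recipient, filename) for every delivered copy: what Mailbox Auto
    Remediation would act on, or what you search the mailboxes for by hand."""
    targets = []
    for msg in alert["messages"]:
        recipients = [r.strip() for k in ("to", "cc", "bcc")
                      for r in msg.get(k, "").split(",") if r.strip()]
        for rcpt in recipients:
            targets.append((int(msg["mid"]), rcpt, msg.get("file name", "")))
    return targets
```

The SHA256 check matters: the hash is the only stable indicator in the alert (Spyname strings change as Talos reclassifies), so a malformed or missing hash should fail loudly rather than produce an empty search.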
Mailbox Auto Remediation
[Diagram: attachments (PIF, XLS, DOC, EXE, SCR, PDF) pass through Cisco Email Security, with Cisco Threat Grid providing the analysis]
1. Attachments are analyzed for malicious content
2. An attachment's disposition is unknown and the message is released to the end user
3. A retrospective event occurs and the file is now deemed malicious
4. An automated API call is made to Azure and the message can be forwarded or deleted from the end user's inbox
Configuration of Mailbox Remediation
Step 1: Create Azure Web Application in your tenant Step 2: Link Application to ESAs / CES

Step 3: Set Policy for Remediation

https://www.cisco.com/c/dam/en/us/products/collateral/security/email-security-appliance/guide-c07-738370.pdf

AMP on ESA in action
• Real-life example:
  • 9500-user organization
  • ESA for Email Security
  • AMP license activated for evaluation
  • AMP Threat Grid appliance for sandboxing
  • On the ESA, AMP works after Reputation Filtering, AS and AV
Message and Content Filters
Filtering In The Email Pipeline
[Pipeline diagram repeated from the "Filtering In The Email Pipeline" slide earlier in the deck]
Filtering In The Email Pipeline
WORKQUEUE stages, in order, with the two filtering points highlighted: LDAP RCPT Accept (WQ); Masquerading (Table / LDAP); LDAP Routing; Message Filters (run once on the whole message, before per-policy scanning); Per-Policy Scanning: Anti-Spam, Anti-Virus, Advanced Malware (AMP), Graymail, Safe Unsubscribe, Content Filtering (runs per policy, after the scanning engines), Outbreak Filtering, DLP Filtering (Outbound)
Message Filters

myFilter:
if (body-contains('word',1)) AND \
(attachment-filetype == 'Document') {
quarantine('Policy');
}

Content Filters … Are Just Glorified Message Filters!

Content Filters
[Screenshot: the content filter editor in the web UI]
Message Filter Basics
Message Filter Syntax

myFilter:
if (body-contains('word',1)) AND \
(attachment-filetype == 'Document') {
quarantine('Policy');
}

Name: myFilter
Condition(s): body-contains('word',1), attachment-filetype == 'Document'
Logical operator(s): AND
Action(s): quarantine('Policy')
Filter Conditions
• Can be combined using AND, OR, NOT
• != is equivalent to NOT when the condition result can be evaluated:
  (not (attachment-filetype == 'Document')) equals (attachment-filetype != 'Document')
• Most conditions support regular expressions
• Least expensive conditions are evaluated first
• Unneeded tests are not evaluated (short-circuit evaluation)
• Inactive filters are evaluated!
Filter Actions
• Executed in the order specified
• Final actions: skip-filters, drop, bounce, encrypt, smime-gateway
• A final action just exits message filters and continues down the pipeline (except drop)
• All filter actions across all matching filters are cumulative
• If a message matches multiple filters which execute the same action, only the last specified action is executed
Action Variables
$RemoteIP, $remotehost, $Reputation, $RecvInt, $RecvListener, $Group, $Policy, $CertificateSigners, $MID, $EnvelopeFrom, $EnvelopeRecipients, $Subject, $BodySize, $AllHeaders, $Header['string'], $filenames, $filesizes, $filetypes, $FilterName, $MatchedContent, $dropped_filename, $dropped_filenames, $dropped_filetypes, $Date, $Timestamp, $Time, $GMTTimeStamp, $Hostname

Can be used in bcc(), bcc-scan(), notify(), notify-copy(), add-footer(), add-heading(), log-entry(), insert-header() and edit-header-text().
The Dangers of Message Filtering
Perils of Message Filtering
• Message Filters apply to the entire mail flow (incoming AND outgoing)
• All Message Filters are evaluated for all messages
• Message Filters occur before splintering!
[Diagram: the same two-recipient message as on the splintering slide (MAIL FROM: bob@domain.com, RCPT TO: joe@remote.org and jane@remote.org). Message Filters run once on the single copy in the WORKQUEUE; only afterwards, at Per-Policy Scanning, is the message splintered into a copy per policy, scanned and delivered separately by the SMTP CLIENT.]
Perils of Message Filtering

devNoExe:
if (rcpt-to-group == "Development") {
    drop-attachments-by-filetype("Executable");
};

salesNoHTML:
if (rcpt-to-group == "Sales") {
    html-convert();
};

• What happens if a message is sent to two people: one in the Sales group, and one in Development?
• What happens if they are in Development and Management?
• What happens if the LDAP server is unavailable?
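A model of what the two filters above do when they run before splintering, as an added example (not AsyncOS code): a message to a Development and a Sales recipient is evaluated as one unit, so both actions land on the whole message and every recipient's copy. The LDAP directory is a constructed dict; rcpt-to-group matching when any recipient is in the group, and the behaviour when the directory is unavailable, are modelling assumptions.

```python
"""Model of message-filter evaluation before splintering (added example).
Every message filter is evaluated against the whole message; only afterwards
is the message splintered into per-recipient copies."""
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP group directory (assumption: a dict lookup).
LDAP_GROUPS = {
    "alice@domain.com": {"Development"},
    "carol@domain.com": {"Sales"},
    "dave@domain.com": {"Development", "Management"},
}


@dataclass
class Message:
    sender: str
    recipients: list
    attachments: list          # list of (filename, filetype) tuples
    html: bool = True
    log: list = field(default_factory=list)


def rcpt_to_group(msg, group, directory):
    """Modelled rcpt-to-group semantics: True if ANY envelope recipient is in
    the group; None when the directory cannot be reached (assumption)."""
    if directory is None:
        return None
    return any(group in directory.get(r, set()) for r in msg.recipients)


def drop_attachments_by_filetype(msg, filetype):
    dropped = [name for name, kind in msg.attachments if kind == filetype]
    msg.attachments = [a for a in msg.attachments if a[1] != filetype]
    msg.log.append(f"dropped {dropped}")


def html_convert(msg):
    msg.html = False
    msg.log.append("html-convert")


# The two filters from the slide: (name, LDAP group, action).
FILTERS = [
    ("devNoExe", "Development",
     lambda m: drop_attachments_by_filetype(m, "Executable")),
    ("salesNoHTML", "Sales", html_convert),
]


def run_message_filters(msg, directory):
    """Apply all filters to the whole message, before any splintering."""
    for name, group, action in FILTERS:
        verdict = rcpt_to_group(msg, group, directory)
        if verdict:
            action(msg)
            msg.log.append(f"{name} matched")
        elif verdict is None:
            msg.log.append(f"{name}: group lookup failed, condition not met")
    return msg


def splinter(msg):
    """Per-recipient copies, made only AFTER the filters changed the message,
    so the Sales recipient also lost the executable and the Development
    recipient also received an HTML-converted body."""
    return {r: Message(msg.sender, [r], list(msg.attachments), msg.html, list(msg.log))
            for r in msg.recipients}


if __name__ == "__main__":
    m = Message("bob@domain.com", ["alice@domain.com", "carol@domain.com"],
                [("tool.exe", "Executable"), ("note.pdf", "PDF")])
    run_message_filters(m, LDAP_GROUPS)
    for rcpt, copy in splinter(m).items():
        print(rcpt, copy.attachments, "html" if copy.html else "text", copy.log)
```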


Stuff You Can't Look For With Content Filters

sendergroup(), recv-int(), random(), rcpt-count(), addr-count(), attachment_size(), every-attachment-contains(), attachment-binary-contains(), workqueue-count(), dnslist(), smtp-auth-id-matches(), valid(), signed(), header-repeats()

Stuff You Can Look For Better With Message Filters

• spf-status() with Message Filters allows you to check the result separately for each identity:
• HELO SPF identity - spf-status("helo")
• MAIL FROM identity - spf-status("mailfrom")
• PRA identity - spf-status("pra")
• spf-passed() - faster than spf-status(), but less granular
• Naturally, multiple "and" and "or" conditions make rule creation much more flexible

Stuff Exclusive to Content Filters

• Check DKIM verification results
• Workaround: Match contents of the Authentication-Results header!

Stuff Exclusive to Content Filters (2)

• Match attachment filename from a dictionary
• Workaround: Insert a header with $Filenames, then use header-dictionary-match()

Stuff Exclusive to Content Filters (3)

• Skip DKIM Signing

Actions You Can't Take With Content Filters

no-op(), archive(), bcc(), edit-body-text(), html-convert(), bounce-profile(), skip-spamcheck(), skip-marketingcheck(), skip-socialcheck(), skip-bulkcheck(), skip-viruscheck(), skip-ampcheck(), skip-vofcheck()
Content Filters

(Figure: the scanning pipeline, Reputation Filters, Message Filters, Anti-Spam, Anti-Virus, Content Filters, Outbreak Filters and the RSA DLP Engine, with Content Filters highlighted.)

Actions You Can Take
• Quarantine message (or a copy)
• Send copy to (bcc)
• Notify someone
• Strip attachments by type
• Redirect message
• Insert or Strip a header
• Add footer
• Skip Outbreak Filter processing
AND
• Bounce message, or
• Drop message, or
• Skip remaining content filters
• Encrypt and Deliver

Things You Can Look for
• Message Body or Attachments
• Message Body
• Message Size
• Attachment Content
• Attachment File Info
• Attachment Protected
• Subject Header
• Other Header
• Envelope Sender
• Envelope Recipient
• Receiving Listener
• Remote IP
• Reputation Score
• DKIM Authentication
1. Start By Creating a Content Filter

Remember - you get another set of policies and content filters for incoming mail
2. Select the Conditions and Actions

Conditions: Message Body, Subject Header, Other Header, Attachment, Attachment File Type (fingerprint), Attachment Name, Attachment MIME Type, Envelope Sender, Envelope Recipient … plus a whole lot of Attachment matching choices… and more!

Text comparisons: Contains, Does not contain, Equals, Does not equal, Begins with, Does not begin with, Ends with, Does not end with, Exists

Multiple conditions can be combined - either AND or OR
3. Apply the Content Filter to a Mail Policy

4. Test with the Trace Tool
Block the unwanted file types
• Within either a content or message filter an organization can define how to handle attachments on a per-policy basis.
• Commonly customers will create a content filter to block unwanted file types
• Using the predefined libraries simplifies the process
• The system will detect changed extensions or attempts to hide files within multiple zip levels in order to evade file blocking
Blocking early in the pipeline
• If files are being outright dropped (e.g. executables) then doing it earlier in the pipeline saves AV, AMP and OF cycles:

strip_all_exes: if (true) { drop-attachments-by-filetype('Executable', "Removed attachment: $dropped_filename"); }

• A non-final action such as quarantine allows the message to continue through the pipeline, and any other engine's verdict will still apply

(Figure: the work queue pipeline with Message Filters highlighted ahead of Anti-Spam, Anti-Virus, Per-Policy Scanning, Advanced Malware (AMP), Graymail / Safe Unsubscribe, Content Filtering, Outbreak Filtering and DLP Filtering (Outbound).)
Macro Detection (Version 10.0.2+)
Macro-enabled document detection allows the Email Administrator to set Message or Content Filter policies for email attachments containing macros or scripts and take one of these actions:
• Quarantine the message
• Strip the attachment
• Strip the attachment and add notification text to the message body
• Modify the subject
• Add header
• Forward to another address
Combine factors for effective blocking
• X-headers that were stamped
• Verdicts from other engines
• Reputation Score of the Sender
• Reputation score of the URL
• Geo-location
• Etc.

• Use a combination of source and content to create security rules that fit your organization's security posture
• Can be done inside a message or content filter
• Combine actions to quarantine and notify, or send the message without the attachment to the user
Outbreak Filters
Outbreak Filters Overview
• Outbreak Filters use three points of defence against phishing attacks:
• Targeted attack heuristics
• Dynamic quarantine capability
• URL filtering with cloud web redirection
• The traditional method of comparing incoming messages to published Outbreak Filter rules to detect new virus outbreaks.

(Figure: the AsyncOS Email platform pipeline: Reputation Filters, Message Filters, Anti-Spam, Anti-Virus (McAfee, Sophos, AMP), Content Filters, Outbreak Filters.)
Outbreak Filtering

• Think of Outbreak Filters as your safety net – the catch-all
• 2 levels of scanning
• By default the ESA has only viral threat detection enabled
Enabling Virus Outbreak Filters

• VOF is enabled by default and provides a dynamic quarantine (also called DELAY quarantine); based on rules it can continue to hold, or release back through AV and AMP for additional scans

http://www.senderbase.org/static/malware/#tab=0
Taking Action with Virus Outbreak Filter

(Figure: the work queue, LDAP Recipient Acceptance (Work Queue time), Masquerading or LDAP Masquerading, LDAP Routing, Message Filters, Anti-Spam, Per-Policy Scanning (Anti-Virus, Content Filters, Virus Outbreak Filters), fed by Talos. Talos observations such as "I normally see 10 .pif files per hour", "I see 90% increase in .pif files" and "Watch out for .pif files" are combined with SenderBase data to calculate the change in threat level (here Threat = 3) and apply it to incoming mail.)

Threat levels:
1 Low
2 Low / Med
3 Med
4 High
5 Extreme

SenderBase data collection allows statistical analysis to spot virus outbreak trends - on average 13 hours before the signature is released!
Working with Virus Outbreak Filter Updates

(Figure: a message with a ZIP attachment moving between Anti-Virus (Sophos, McAfee, AMP) and the Virus Outbreak Filter quarantine as rules are released.)

Message passes through Anti-Virus because it did not match a signature.

Talos releases RULE-V1 raising threat level for all ZIP files containing .EXE parts. Message hits Outbreak Filters and is quarantined.

Talos releases RULE-V2, matching only ZIP files with .EXE parts that are larger than 36KB. Any message quarantined by RULE-V1 but not by RULE-V2 is released and delivered.

Talos releases RULE-V3, matching ZIP files with .EXE parts that are between 50 & 55KB with "price" in the filename match. Any message quarantined by RULE-V2 but not by RULE-V3 is released and delivered.

Sophos & McAfee release patterns matching virus. Talos releases RULE-V4, directing all files to be released (and rescanned) after rule updates are loaded.
Benefits of Virus Outbreak Filters
• Provides a significant catch rate for outbreaks over traditional scanning engines as it provides the "human" element after signature, heuristics and hash-based scanning
• On average it provides a 9+ hr lead time over AV engines for 0-day Outbreaks

https://www.talosintelligence.com/reputation_center/malware_rep#mal-outbreaks
Threat Outbreak Filters

• Enable Threat Outbreak Filters (not enabled by default) by enabling Message Modification
• URL Rewriting allows suspicious URLs to be analyzed by Cisco Cloud Web Security (Reputation, AV/AM, AMP)
Understanding where URLs are scanned
• As of version 8.5.6 the ESA can evaluate URLs inside a message – both for Reputation and Categorization
• URL filtering is not enabled by default; you must enable the service and have a valid Outbreak Filter license to perform URL inspection
• Once enabled, URLs are evaluated in three scanning blades:
1. During the IPAS (CASE Anti-Spam) scan, a URL is used to factor into spam scores
2. Inside a Content Filter for Reputation Score and Category
3. As part of the Threat Outbreak Filter URL Rewrite function
• 9.7 introduced Web Interaction Tracking for Clicked URLs, which must be enabled after upgrade

(Figure: the work queue pipeline with the three URL scanning points marked: CASE (Anti-Spam), Content Filtering and Outbreak Filtering.)
URL Evaluation and options

• The Web Reputation Score (WBRS) uses the same -10 to +10 scale, however it means something very different than SBRS
• Based on your organization's security posture you can determine how aggressive you wish to be with URLs entering your organization

Scale: -10 (Malicious) … -6 … 0 (Neutral) … +6 … +10 (Good)
URL evaluation and options in the message body

• URL Reputation is assessed inside of the CASE engine and used as part of the decision for Anti-Spam
• If not stopped as Spam, the URL can be evaluated inside a content filter for both Category and Reputation
URL Evaluation and options
• Recommendations:
• Block URL: -10 to -6
• URL Remove: -5.9 to -5.8
• Leave the rest for Outbreak Filters
• Use in a condition when you want to take an action on the whole message
• Use in an action to act on the URL only
Understanding URL Modification
• URL modification can happen in two places depending on policy settings, inside a filter
(Message or Content) and as part of an Outbreak Filter verdict
• URLs modified by a Filter with a Re-Direct action will only do a reputation check at click time
• URLs modified by Outbreak Filters will go through deeper inspection, including Malware
scanning and AMP in the cloud

Clean URL Re-writes
• In version 9.7 we introduced an option to do "clean" URL rewrites where only the HREF tag would be re-written, leaving the email looking unmodified
• Option is enabled only through the CLI – "All URLs" refers to both href and text; by answering N, it only targets the HREF tag

websecurityadvancedconfig > Do you want to rewrite all URLs with secure proxy URLs? [Y]> n

Before Clean URL Rewrites: the visible link text in the message ("Click on the link below for your special offer!") is the full https://secure-web.cisco.com/… proxy URL, ending in /http%3A%2F%randomofferurl.com.
After Clean URL Rewrites: the visible link text stays http://randomofferurl.com ("Click or tap to follow") and only the HREF points to the https://secure-web.cisco.com/… proxy URL.
URL Categorization
• URL Categorization on the ESA leverages the same data as the Web Security Appliance (WSA) and Cloud Web Security (CWS)
• Use this to complement Acceptable Use Policies to prevent inappropriate URLs in email
URLs in Attachments (11.1)
• Enable lookups in attachments via a Content or Message Filter to perform URL reputation of links in documents
• Office / OLE objects can be analyzed (e.g. doc, docx, xls, ppt, pdf)
• If a malicious URL is found, action is taken on the message, not just the attachment
• Default limit of URLs scanned is 25, can be configured via CLI
• URLs in attachments will not be re-written

(Figure: a document with multiple URLs, http://website.com, https://newssite.com, http://malicioussite.com, http://sportsnews.com, one of which is malicious.)
Enabling Shortened URL Expansion (11.1)
• This feature allows URLs that use a shortening service to be pre-expanded to obtain the base URL
• The ESA will query the service directly to get the base URL
• Up to 10 redirections / queries will be supported before the URL is marked as malicious
• Must be enabled via the CLI

websecurityadvancedconfig > Do you want to enable URL filtering for shortened URLs? [Y]> Y

(Figure: a malicious URL behind a shortener service, http://bit.ly/xyz123s34 expanding to http://www.badsite.com.)

Services supported (23): bit.ly, tinyurl.com, ow.ly, tumblr.com, formspring.me, ff.im, youtu.be, chatter.com, tl.gd, tiny.cc, plurk.com, ustre.am, url4.eu, j.mp, goo.gl, yfrog.com, su.pr, wp.me, post.ly, tr.im, ur.ly, fb.me, alturl.com
Structuring effective rules for URLs in Attachments
• Reputation lookups are low on resources, however care should still be taken when crafting rules
• Target attachments from untrusted / unknown sources for further analysis
• Use message filters to eliminate globally unwanted / restricted file types to reduce the number of files being analyzed
Web Interaction Tracking & Reporting
• On-box reporting (batch) can provide valuable insight into who clicked on certain URLs
• More valuable as a training tool and for understanding who is being targeted inside your environment
• Reporting and Tracking pages will show the URLs (Tracking in 10.0 for URL details)
Quarantines
• Quarantines are places to hold emails that violate policies: Anti-Spam, Anti-Virus, AMP,
email policy, and that contain outbreaks
• Spam Quarantine, Outbreak, Policy, and Virus quarantines are enabled by default
• Can create other quarantines as needed or desired to fit company policy
• The system has finite space for quarantines on box. For more Spam Quarantine space,
use an M-series appliance. Policy quarantines are not yet able to be centralized on the M
Series

Encryption
TLS Setup

§ TLS is not enabled by default on the ESA for inbound or outbound
§ TLS / SSH uses weak ciphers by default on the ESA
§ Change ciphers: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117855-technote-esa-00.html
§ Destination Controls (outbound messages) and Mail Flow Policies can enforce TLS
Enforce TLS on outbound messages - Destination controls
• TLS Settings for outgoing connections for specific domains/partners
• Bounce verification and profile settings

End-to-End Email Encryption
Cisco Registered Envelope Service turnkey email encryption
§ The only cloud-based encryption key server flexible enough to meet the evolving secure-communications requirements of businesses today
§ Hosted key service
§ Uses federated identity gateway
§ Push technology with intuitive policy management
§ We make encryption easy for end users – a key adoption barrier
§ Supports SAML for federated identity
§ Technology independent – use your inbox or mail server of choice

(Figure: the encryption key is stored in the cloud; integrated MTA-to-MTA TLS-enforced security with advanced end-to-end encryption to meet evolving customer requirements.)
End user experience

Guaranteed Secure Delivery
Secure Envelope when you must, TLS when you can

(Figure: one message addressed TO: SUE and BOB crosses the Internet; SUE is a public recipient, BOB a partner recipient reached over a TLS connection.)

Destination-Sensitive Email Encryption
§ Use TLS if available
§ Otherwise, encrypt using PXE Secure Envelope
§ Enable in Message and Content Filters, and DLP Policies
Setting Up Email Encryption
1. Enable Email Encryption
2. Configure Encryption Profile (multiple profiles may be configured)
3. Provision with Cisco Registered Envelope Service
4. Define policy via Content Filter(s)
5. Reference the Content Filter in a Mail Policy

6. Test using the trace and sample outbound emails

(Figure: Encryption Profile > Provision > CRES.)
CRES Setup

§ CRES requires that the serial and admin account be added to the back end systems before enabling CRES
§ If new appliances (including VMs) or net new service is being set up there is one additional step before provisioning will
§ Email stg-cres-provisioning@cisco.com to have serial # provisioned
1. Enable Email Encryption

2. Configure the Encryption Profile
Key Server Settings

Key Server Type
§ Hosted Key Service: Use Cisco Registered Envelope Service*, a managed service by Cisco/IronPort
§ Local (IronPort Encryption Appliance): use a key server managed by the customer and running locally on an IEA
2. Configuring the Encryption Profile
Envelope Settings (Security Services > IronPort Email Encryption > Add Encryption Profile)

§ Message Security
§ Control if Recipient can cache credentials in browser
§ Or remove the need for Recipients to register

§ Read Receipts
§ If enabled, sender gets a read receipt when the message is opened
§ Guaranteed - can't be blocked by recipient

§ Encryption Algorithm
§ ARC4: industry standard, secure algorithm. Appropriate for most applications.
§ AES: ultra-secure, used mainly by governments and banks. Results in slower envelope opening for recipients.
2. Configure the Encryption Profile
Message & Notification

§ Message Settings: Enable Secure Reply All and Forward buttons for recipients

§ Notification Settings (Optional): Define custom notifications using Text Resources.
§ Mail Policies > Text Resources > Add Text Resource
§ Select them here, using drop-downs.
Commit Your Changes!

• Must Commit before you can provision!

Provision the Profile With Cisco Registered Envelope Service
Security Services > IronPort Email Encryption

• Registers the appliance with the Cisco Registered Envelope Service
• Authenticates the appliance and associates it with an existing account
• Allows keys to be registered when messages are sent
• Must happen before encrypted messages can be sent
• Does not apply to local key server
Initiate Encryption with Content Filters

Define the Encrypt Condition
Message Policies > Outgoing Content Filters > Add Content Filter > Add Condition

The "\" is an escape for regex meta characters. Remember to put:
"\" in front of meta characters in the GUI
"\\" in front of meta characters in the CLI

Meta characters include: ^ $ * \ . ? | + [ and ]
Define The Encrypt Action
Message Policies > Outgoing Content Filters > Add Content Filter > Add Action
Email Encryption
Zix Gateway with Cisco Technology

• Automate encryption for employees
• Automate delivery to the most secure, most convenient method
• Exchange encrypted email transparently
• Provide the optimal mobile experience
Zix Gateway with Cisco Encryption
• BMOD enables automatic transparent secure delivery
• Send-to-Any Email Address via push or pull
• Encryption triggered via ESA by keywords | policies | To | From | etc.
• Automated Key Management
• No Desktop Software Required
• ZixPort allows message attachments up to 50MB

(Figure: senders (employees) on the customer premises send through the Mail Server, Cisco ESA and Zix ZCT. External recipients receive by Secure Pull (HTTPS) from a secure hosted portal, by Transparent Secure Delivery to other Zix customers (Zix Cloud Directory), over TLS, or by PXE Push with keys held in an external DB; regular outbound email is unaffected.)
ZixPort Secure Portal Delivery
• Very user-friendly and customizable. Click 'Open Message' … enter password … that's it!
• Many useful features and configuration options:
• Custom branding
• Very simple two-step registration
• Multi-language interface
• Fully customizable feature set
• Reply/Reply All/Forward
• Compose feature
• Password rules
• Message expiry … and more
Anti-Spoofing and Anti-phishing
Impact of Social Engineering
• Social Engineering has added to the success rate of spoofing attacks. Attackers will follow targets for months on social media, news, etc.
• They will craft messages with "history" to add legitimacy to the request being made
• They will look for an event, e.g. travel abroad, large deals, vendor agreements, and use it to express urgency
• Along with technical controls, user education is key to preventing financial loss, brand damage, or legal ramifications.
Think Before You Click

Addressing the Simple Spoof
Mon Jun 26 16:48:31 2018 Info: New SMTP ICID 238970 interface Data 1 (216.71.129.13) address 72.142.13.157 reverse dns host unallocated-static.rogers.com verified no
Mon Jun 26 16:48:31 2018 Info: ICID 238970 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None country Canada
Mon Jun 26 16:48:54 2018 Info: Start MID 137251 ICID 238970
Mon Jun 26 16:48:54 2018 Info: MID 137251 ICID 238970 From: <ceo@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 SMTP Call-Ahead bypass applied to <bob@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 RID 0 To: <bob@dinconsulting.com>
Mon Jun 26 16:49:40 2018 Info: MID 137251 Subject 'Re: Please pay this...'
Mon Jun 26 16:49:40 2018 Info: MID 137251 ready 202 bytes from <ceo@dinconsulting.com>
Mon Jun 26 16:49:40 2018 Info: MID 137251 matched all recipients for per-recipient policy DINCONSULTING in the inbound table
<scan results> …

• Typically will be a compromised host, on a hosting service or dynamic IP
• In this example, an obvious spoof of a domain that is owned by the target
• Without any connection-level verification, there is little information to help convict the message
How it works: SPF
• Allows recipients to verify sender IP addresses by looking up DNS records listing authorized Mail Gateways for a particular domain
• Uses DNS TXT Resource Records
• Can verify HELO/EHLO and MAIL FROM identity (FQDN)
• Evaluation of an SPF record yields one of the following results:

Result | Explanation | Intended action
Pass | The SPF record designates the host to be allowed to send | accept
Fail | The SPF record has designated the host as NOT being allowed to send | reject
SoftFail | The SPF record has designated the host as NOT being allowed to send but is in transition | accept but mark
Neutral | The SPF record specifies explicitly that nothing can be said about validity | accept
None | The domain does not have an SPF record or the SPF record does not evaluate to a result | accept
PermError | A permanent error has occurred (e.g. badly formatted SPF record) | unspecified
TempError | A transient error has occurred | accept or reject
SPF Operation

Sending side: work out which machines send outgoing messages and publish them in a DNS TXT RR; outgoing messages are just forwarded.
Receiving side: get the incoming connection, parse the SPF record, check the remote IP against the HELO/EHLO and MAIL FROM identities, then Deliver/Drop/Quarantine…
Enable SPF Verification
• Configured in Mail Flow Policy
• When SPF is enabled, the ESA will stamp headers in the message
• Use the results inside message or content filters to determine the action
• PRA identities are evaluated in the message filters only
• SPF vs SIDF, an interesting read: http://www.openspf.org/SPF_vs_Sender_ID
After enabling SPF
Mon Jun 26 16:48:31 2018 Info: New SMTP ICID 238970 interface Data 1 (216.71.129.13) address 72.142.13.157 reverse dns host unallocated-static.rogers.com verified no
Mon Jun 26 16:48:31 2018 Info: ICID 238970 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None country Canada
Mon Jun 26 16:48:54 2018 Info: Start MID 137251 ICID 238970
Mon Jun 26 16:48:54 2018 Info: MID 137251 ICID 238970 From: <ceo@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 SMTP Call-Ahead bypass applied to <bob@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 RID 0 To: <bob@dinconsulting.com>
Mon Jun 26 16:49:18 2018 Info: MID 137251 SPF: helo identity postmaster@dinconsulting.com Fail (v=spf1)
Mon Jun 26 16:49:18 2018 Info: MID 137251 SPF: mailfrom identity ceo@dinconsulting.com Fail (v=spf1)
Mon Jun 26 16:49:40 2018 Info: MID 137251 SPF: pra identity None headers None
Mon Jun 26 16:49:40 2018 Info: MID 137251 Subject 'Re: Please pay this...'
Mon Jun 26 16:49:40 2018 Info: MID 137251 ready 202 bytes from <ceo@dinconsulting.com>
Mon Jun 26 16:49:40 2018 Info: MID 137251 matched all recipients for per-recipient policy DINCONSULTING in the inbound table
<scan results> …

SPF Record: TXT="v=spf1 include:spf.protection.outlook.com -all"

• By enabling SPF, you gain additional intelligence on the sender
• We still accepted the message, but can use the verdict later to make a decision to convict the message
• Effectiveness is bound by participation – you need to invest time to ensure SPF records are up to date
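Detection logic for the pattern above, as an added example that is not ESA code: parse mail_logs lines per MID and flag messages whose envelope sender claims one of our own domains while the HELO or MAIL FROM identity failed SPF. The log lines are constructed from the slide's example (MID 137251) plus two made-up messages, and the PROTECTED_DOMAINS set is an assumption to replace with your own domains.

```python
"""Find self-spoofs in ESA mail_logs after SPF verification is enabled
(added example; the log format follows the lines shown on the slide)."""
import re
from collections import defaultdict

# Assumption: the domains this organization owns and expects to see spoofed.
PROTECTED_DOMAINS = {"dinconsulting.com"}

FROM_RE = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")
# Only the helo and mailfrom verdict lines are parsed; the pra line on the
# slide ("pra identity None headers None") has a different shape.
SPF_RE = re.compile(
    r"MID (\d+) SPF: (helo|mailfrom) identity (\S+) "
    r"(Pass|Fail|SoftFail|Neutral|None|PermError|TempError)")
SUBJ_RE = re.compile(r"MID (\d+) Subject '(.*)'")

# Constructed sample: the slide's MID 137251 plus two made-up messages.
SAMPLE_MAIL_LOG = """\
Mon Jun 26 16:48:54 2018 Info: MID 137251 ICID 238970 From: <ceo@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 RID 0 To: <bob@dinconsulting.com>
Mon Jun 26 16:49:18 2018 Info: MID 137251 SPF: helo identity postmaster@dinconsulting.com Fail (v=spf1)
Mon Jun 26 16:49:18 2018 Info: MID 137251 SPF: mailfrom identity ceo@dinconsulting.com Fail (v=spf1)
Mon Jun 26 16:49:40 2018 Info: MID 137251 SPF: pra identity None headers None
Mon Jun 26 16:49:40 2018 Info: MID 137251 Subject 'Re: Please pay this...'
Mon Jun 26 17:02:11 2018 Info: MID 137252 ICID 238980 From: <ceo@dinconsulting.com>
Mon Jun 26 17:02:12 2018 Info: MID 137252 SPF: helo identity postmaster@dinconsulting.com Pass (v=spf1)
Mon Jun 26 17:02:12 2018 Info: MID 137252 SPF: mailfrom identity ceo@dinconsulting.com Pass (v=spf1)
Mon Jun 26 17:02:20 2018 Info: MID 137252 Subject 'Board meeting agenda'
Mon Jun 26 17:15:03 2018 Info: MID 137253 ICID 238991 From: <news@partner.example>
Mon Jun 26 17:15:04 2018 Info: MID 137253 SPF: mailfrom identity news@partner.example Fail (v=spf1)
Mon Jun 26 17:15:09 2018 Info: MID 137253 Subject 'Newsletter'
""".splitlines()


def parse_mail_log(lines):
    """Collect envelope sender, subject and SPF verdicts per MID."""
    msgs = defaultdict(lambda: {"from": None, "subject": None, "spf": {}})
    for line in lines:
        if m := FROM_RE.search(line):
            msgs[m.group(1)]["from"] = m.group(2)
        elif m := SPF_RE.search(line):
            msgs[m.group(1)]["spf"][m.group(2)] = m.group(4)
        elif m := SUBJ_RE.search(line):
            msgs[m.group(1)]["subject"] = m.group(2)
    return dict(msgs)


def sender_domain(address):
    return (address or "").rpartition("@")[2].lower()


def find_self_spoofs(msgs, protected=PROTECTED_DOMAINS):
    """MIDs whose envelope sender uses one of our domains but whose MAIL FROM
    or HELO identity failed SPF: the 'simple spoof' the SPF log exposes."""
    hits = []
    for mid, info in msgs.items():
        if sender_domain(info["from"]) not in protected:
            continue          # external sender failing SPF is a different case
        verdicts = info["spf"]
        if verdicts.get("mailfrom") == "Fail" or verdicts.get("helo") == "Fail":
            hits.append(mid)
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_mail_log(SAMPLE_MAIL_LOG)
    for mid in find_self_spoofs(parsed):
        info = parsed[mid]
        print(f"MID {mid}: {info['from']} subject={info['subject']!r} spf={info['spf']}")
```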
How it works: DKIM
• DomainKeys Identified Mail, specified in RFC5585
• In a nutshell: specifies methods for gateway-based cryptographic signing of outgoing messages, embedding verification data in an e-mail header, and ways for recipients to verify the integrity of the messages
• Additional RFCs: RFC6376 (DKIM Signatures), RFC5863 (DKIM Development, Deployment and Operation), RFC5617 (Author Domain Signing Practices (ADSP))
• Uses DNS TXT records to publish public keys:
20120113._domainkey.gmail.com IN TXT “k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabg
bFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD
0""7y2+07wlNWwIt8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz
8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/
wIDAQAB”

DKIM Operation

Signing side: generate a keypair and publish the public key in a DNS TXT RR; canonicalize and sign the outgoing message, then insert the DKIM-Signature header.
Verifying side: receive the message, parse the DKIM-Signature header, fetch the public key from the DNS TXT RR, verify b and bh, then Deliver/Drop/Quarantine…
DKIM Signature
Example DKIM-Signature Header

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=ietf.org; s=ietf1;
 h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive:
 List-Post:List-Help:List-Subscribe;
 bh=+ImqGr4kx/dtZpQKjmcWyVJtHFzo8kD6dIgqvZvk2gY=;
 b=DmDxUUN1XBQTWb99003VdnQn5ntUmK6kvuF6Iu/ZFmIHjoo/r5B85Cu8u4
 xHlZF2gh664WyOb2ffYJ9bcfwb3JvT6d3bndL8/bvYtOXUR7g1MqMc32Zn/d
 60pXWbQOa16+ZW6KwwWF+mDlhpztNwFsG6oRprrLUUzBSupVx7s74=

a= algorithms used; c= canonicalization scheme (header/body); d= signing domain ID; s= selector; h= signed headers; bh= body hash; b= signature over the signed headers (header hash)
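A parser for the header above and the body-hash side of verification, as an added example (not ESA code): it splits the tag list, removes folding whitespace from b= and h=, derives the DNS name the verifier queries (selector._domainkey.domain), and recomputes bh= with the "simple" body canonicalization that c=relaxed/simple selects. The sample header is the slide's; the test body is constructed, so it will not match the slide's bh= value.

```python
"""DKIM-Signature tag parsing and body-hash check (added example).
Signature verification over the headers (the b= tag) needs the RSA public key
from DNS and is not performed here."""
import base64
import hashlib
import re

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")

# The slide's example header value, with the original folding whitespace.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple;\r\n d=ietf.org; s=ietf1;\r\n"
    " h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\r\n"
    " List-Post:List-Help:List-Subscribe;\r\n"
    " bh=+ImqGr4kx/dtZpQKjmcWyVJtHFzo8kD6dIgqvZvk2gY=;\r\n"
    " b=DmDxUUN1XBQTWb99003VdnQn5ntUmK6kvuF6Iu/ZFmIHjoo/r5B85Cu8u4\r\n"
    " xHlZF2gh664WyOb2ffYJ9bcfwb3JvT6d3bndL8/bvYtOXUR7g1MqMc32Zn/d\r\n"
    " 60pXWbQOa16+ZW6KwwWF+mDlhpztNwFsG6oRprrLUUzBSupVx7s74="
)


def parse_dkim_signature(header_value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376).
    Whitespace inside values (folded b= and h= tags) is discarded."""
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue                      # trailing ';' or empty element
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        raise ValueError(f"missing required tags: {missing}")
    if tags["v"] != "1":
        raise ValueError(f"unsupported DKIM version {tags['v']!r}")
    return tags


def public_key_query_name(tags):
    """DNS TXT name the verifier queries: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_simple(body):
    """'simple' body canonicalization: CRLF line endings, all trailing empty
    lines removed, a final CRLF ensured, and an empty body becomes one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if body == "":
        return "\r\n"
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body, algorithm="rsa-sha256"):
    """Base64 digest of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.sha256 if algorithm.endswith("sha256") else hashlib.sha1
    canonical = canonicalize_body_simple(body).encode("utf-8")
    return base64.b64encode(digest(canonical).digest()).decode("ascii")


def body_hash_matches(tags, body):
    """True when the message body still hashes to the signer's bh= value;
    a mismatch means the body was altered after signing."""
    return body_hash(body, tags["a"]) == tags["bh"]


if __name__ == "__main__":
    parsed = parse_dkim_signature(SAMPLE_DKIM_SIGNATURE)
    print("query", public_key_query_name(parsed))
    print("bh matches constructed body:", body_hash_matches(parsed, "hello\n"))
```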
Enable DKIM Verification

1. Create a profile for the action on DKIM (default is Monitor)
2. Enable DKIM Verification in Mail Flow Policies
3. Act on failures via a content filter. Use an action to Policy quarantine to be able to review spoofs
Logging additional headers

Sat Jun 17 05:29:54 2018 Info: MID 94398 ICID 188033 From: <bob@gmail.com>
Sat Jun 17 05:29:54 2018 Info: Message done DCID 1496 MID 94399 to RID [0] [('from', 'Uncle Bob <bob@gmail.com>')]

• Under Log Subscriptions Settings or the logconfig command in the CLI, you can
configure additional headers to be logged
• These will be displayed in the mail_logs and message tracking output upon
creation of a DCID (Delivery Connection ID)

Disclaimers and Action Variables

• You can create a wide variety of text resources that can be used in filters as actions for
suspected messages
• Action Variables can be used inside the text resource as well as content / message filters

Detecting a Reply-To Mismatch
(Screenshot: a filter condition comparing the Reply-To header against the From header)
Cousin Domains and Typo-Squatting
• Typically targeted to a specific well known brand
• Uses various techniques in the attempt to fool the end user into trusting the sender
• Will register the domain and create SPF, DKIM and DMARC records
• Will legitimize the sending host with proper DNS and rDNS records

Example: cisco.com
  Addition: ciscoo.com
  Bitsquatting: cicco.com
  Homoglyph: c1sco.com
  Insertion: ciseco.com
  Omission: cico.com
  Repetition: cissco.com
  Replacement: cizco.com
  Subdomain: c.isco.com
  Transposition: csico.com
Using DNS Twist
Main page: https://github.com/elceef/dnstwist

dnstwist {1.03}

Processing 140 domain variants
....................................22%......................44%.......65%...........85%.... 85 hits (60%)

Original*      cisco.com      72.163.4.161      2001:420:1101:1::a
Addition       ciscoa.com     52.7.234.86
Addition       ciscob.com     -
Addition       ciscoc.com     103.224.182.238
Addition       ciscod.com     184.168.221.45
Bitsquatting   cmsco.com      50.204.65.37
Bitsquatting   casco.com      208.73.210.202
Bitsquatting   cysco.com      121.254.178.253
Bitsquatting   circo.com      208.73.210.202
Bitsquatting   cicco.com      146.112.61.107
Homoglyph      cisc0.com      66.45.246.141
Homoglyph      c1sco.com      -
Homoglyph      clsco.com      64.254.28.227
Repetition     cissco.com     146.112.61.107
Replacement    cisci.com      185.65.56.178
Subdomain      cisc.o.com     -
Transposition  icsco.com      205.178.189.131
Transposition  csico.com      23.236.62.147
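As an added example covering the Cousin Domains slide and the dnstwist output above (this is not dnstwist's code and not part of the deck): the generator below produces the nine permutation types the slide names for a brand's registrable domain and then checks a list of observed sender domains against that set, which is how a mail team turns the variant list into a watch list or a filter condition. The homoglyph table, the alphabet used for insertion and replacement, and the observed sender domains are assumptions made for this example; dnstwist's own tables are larger.

```python
import string

# Homoglyph substitutions used for this example (an assumption; dnstwist's
# own table is larger and also covers Unicode confusables).
HOMOGLYPHS = {"a": "4", "e": "3", "i": "1l", "l": "1i", "o": "0", "s": "5"}
LETTERS = string.ascii_lowercase
VALID = set(string.ascii_lowercase + string.digits + "-")


def _bitsquat(label):
    """Single-bit flips of each character that still yield a valid label char."""
    out = []
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in VALID:
                out.append(label[:i] + flipped + label[i + 1:])
    return out


def permutations(domain):
    """Return {variant_domain: technique} for a two-label domain such as cisco.com.

    The techniques follow the slide. When two techniques produce the same
    string the first one listed wins (bitsquatting before replacement,
    repetition before insertion), matching how dnstwist labels cicco.com
    and cissco.com in the output above.
    """
    label, _, tld = domain.lower().partition(".")
    n = len(label)
    generators = [
        ("Addition", [label + c for c in LETTERS + string.digits]),
        ("Bitsquatting", _bitsquat(label)),
        ("Homoglyph", [label[:i] + g + label[i + 1:]
                       for i, ch in enumerate(label) for g in HOMOGLYPHS.get(ch, "")]),
        ("Omission", [label[:i] + label[i + 1:] for i in range(n)]),
        ("Repetition", [label[:i] + label[i] + label[i:] for i in range(n)]),
        ("Transposition", [label[:i] + label[i + 1] + label[i] + label[i + 2:]
                           for i in range(n - 1) if label[i] != label[i + 1]]),
        ("Replacement", [label[:i] + c + label[i + 1:]
                         for i in range(n) for c in LETTERS if c != label[i]]),
        ("Insertion", [label[:i] + c + label[i:] for i in range(1, n) for c in LETTERS]),
        ("Subdomain", [label[:i] + "." + label[i:] for i in range(1, n)]),
    ]
    variants = {}
    for technique, candidates in generators:
        for cand in candidates:
            if cand == label or cand.startswith("-") or cand.endswith("-"):
                continue
            variants.setdefault(cand + "." + tld, technique)
    return variants


def find_lookalikes(sender_domains, brand_domain):
    """Map each observed sender domain to the technique that derives it from
    the brand; the result feeds a watch list or a content-filter condition."""
    table = permutations(brand_domain)
    return {d.lower(): table[d.lower()] for d in sender_domains if d.lower() in table}


# Constructed sender domains, as they might be pulled from mail_logs.
OBSERVED = ["cisco.com", "cicco.com", "example.org", "c1sco.com", "mail.cisco.com", "csico.com"]

if __name__ == "__main__":
    table = permutations("cisco.com")
    print(len(table), "variants of cisco.com")
    for domain, technique in sorted(find_lookalikes(OBSERVED, "cisco.com").items()):
        print(f"{technique:14} {domain}")
```

The variant set is what dnstwist resolves against DNS to find which lookalikes are actually registered; the same set, loaded into a dictionary, lets a content filter flag inbound mail whose sender domain is a permutation of your own brand.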
How it works: DMARC
• Domain-based Message Authentication, Reporting And Conformance
• Defined in RFC 7489
• Provides:
• DKIM verification
• SPF authentication
• Synchronization between all sender identities (Envelope From, Header From)
• Reporting back to the spoofed entity

How it works: DMARC
• Both DKIM and SPF have shortcomings, not because of bad design, but because of the
different nature of each technology
• DKIM policy advertising was addressed by ADSP, but:
  • There was no visibility by spoofed parties into offending traffic
  • Even though a receiver implemented both SPF and DKIM verification, there was no
  requirement for the two technologies to be in sync
  • A smart attacker might make use of this to push illegitimate messages through
• SPF checks the HELO/MAILFROM identity, but no verification or alignment of the
Header From is ensured
• Thus, DMARC was born:
  • Leveraging great existing technologies, providing a glue to keep them in sync, and
  allowing senders to mandate rejection policies and have visibility of offending traffic
How it works: DMARC record structure
TXT record for domain amazon.com:

_dmarc.amazon.com IN TXT “v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:dmarc-reports@bounces.amazon.com\; ruf=mailto:dmarc-reports@bounces.amazon.com”

v= version of DMARC; p= action on authentication failure; pct= % of messages to apply the policy to; rua= aggregate feedback report URI; ruf= forensic feedback report URI
DMARC Operation
Sender: publish SPF DNS RR (SPF or TXT) → publish DKIM DNS RR (TXT) → publish DMARC DNS RR (TXT) → insert DKIM-Signature into the outgoing message
Receiver: check SPF → check DKIM → fetch the DMARC policy → align identifiers → apply the DMARC policy → send DMARC report(s)
How to enable DMARC
• DMARC is configured by creating a profile and then applying the profile to a Mail Flow Policy
• By default the profile is set to Monitor for DMARC violations, however it needs to be applied to a policy for it to evaluate DMARC records
• Monitor and tune settings and SenderGroups and move to blocking when ready
Honor thy tag

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@yahoo.com


Tue Jun 27 00:09:24 2018 Info: MID 140370 ICID 242100 From: root@cannon.teamnorthwind.com
Tue Jun 27 00:09:24 2018 Info: MID 140370 ICID 242100 RID 0 To: usman@dinconsulting.com
Tue Jun 27 00:09:24 2018 Info: MID 140370 SPF: helo identity postmaster@cannon-master None
Tue Jun 27 00:09:24 2018 Info: MID 140370 SPF: mailfrom identity root@cannon.teamnorthwind.com None
Tue Jun 27 00:09:25 2018 Info: MID 140370 SPF: pra identity gguy@yahoo.com None headers from
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Message from domain yahoo.com, DMARC fail, (SPF
aligned False, DKIM aligned False) DMARC policy is reject, applied policy is reject
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Verification failed.
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Message rejected by DMARC policy.
Tue Jun 27 00:09:25 2018 Info: MID 140370 rejected by DMARC policy
Tue Jun 27 00:09:25 2018 Info: Message aborted MID 140370 Receiving aborted

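To make the DMARC Operation diagram, the record structure and the log above concrete, here is an added Python example (not code from the deck or from the appliance) that applies a DMARC record to the SPF and DKIM outcomes of one message: it parses the record, checks identifier alignment in relaxed or strict mode, honours sp= and pct=, and returns the policy to apply. The yahoo.com and amazon.com records are the ones on the slides; the message from the log (envelope sender root@cannon.teamnorthwind.com, Header From gguy@yahoo.com, SPF None, no DKIM signature) is reproduced, and the remaining inputs are constructed. The organizational-domain helper uses the last two labels, an assumption made here; real implementations consult the Public Suffix List.

```python
def parse_dmarc_record(txt):
    """Parse a _dmarc TXT record into its tags; zone-file escaping
    (backslash-semicolon) and the surrounding quotes, as printed on the
    amazon.com slide, are removed first."""
    cleaned = txt.strip().strip('"\u201c\u201d').replace("\\;", ";")
    tags = {}
    for item in cleaned.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags


def organizational_domain(domain):
    """Approximation used here: the last two labels. Production code consults
    the Public Suffix List (RFC 7489, section 3.2); this is an assumption."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identity_domain, from_domain, mode):
    """Identifier alignment (section 3.1): strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return identity_domain.lower() == from_domain.lower()
    return organizational_domain(identity_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain, sample=1):
    """Apply a DMARC record to the SPF and DKIM outcomes of one message.

    spf_domain is the MAIL FROM (envelope) domain; dkim_domain is the d= of a
    verified signature, or None when there is none. sample is the 1..100 draw
    compared against pct= (passed in so results are reproducible).
    Returns the alignment results and the policy the receiver should apply.
    """
    tags = parse_dmarc_record(record)
    from_domain = header_from.rpartition("@")[2]
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    passed = spf_aligned or dkim_aligned
    policy = tags.get("p", "none")
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]  # subdomain policy, when the sender publishes one
    if not passed and sample > int(tags.get("pct", "100")):
        # Outside the pct= sample the next less severe policy applies (section 6.6.4)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "result": "pass" if passed else "fail",
        "applied_policy": "none" if passed else policy,
    }


# The two records shown on the slides.
YAHOO_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@yahoo.com"
AMAZON_RECORD = ('\u201cv=DMARC1\\; p=quarantine\\; pct=100\\; '
                 'rua=mailto:dmarc-reports@bounces.amazon.com\\; '
                 'ruf=mailto:dmarc-reports@bounces.amazon.com\u201d')

if __name__ == "__main__":
    # The message from the log above: SPF result None for both identities, no DKIM.
    print(evaluate_dmarc(YAHOO_RECORD, "gguy@yahoo.com",
                         "none", "cannon.teamnorthwind.com", "none", None))
    # Constructed: an SPF pass for bounces.amazon.com aligns (relaxed mode)
    # with a Header From at amazon.com, so the message passes DMARC.
    print(evaluate_dmarc(AMAZON_RECORD, "order-update@amazon.com",
                         "pass", "bounces.amazon.com", "none", None))
```

The first call reproduces the log: neither identifier aligns with yahoo.com, the published policy is reject, and so is the applied one. Changing the amazon.com record to aspf=s shows why strict alignment matters for sub-domain bounce addresses: the same SPF pass no longer counts.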
Use DMARC pass/fail as a factor in filters
• DMARC results are stored in the x-authentication-results header
• This can be leveraged inside a Content or Message Filter if DMARC is not
being used to block during the connection phase
• Use the header results along with other factors such as Geo-Location, Forged
Email Detection, etc. to increase accuracy of a possible threat

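For the review step the slides describe (looking at DMARC results and additional logged headers per message before using them in filters), here is an added Python example, not code from the deck, that groups mail_logs lines by MID and extracts the envelope sender, the SPF identities, the DMARC verdict line and the final disposition. The sample lines are adapted from the "Honor thy tag" and "Logging additional headers" slides: the wrapped DMARC line is rejoined, the MIDs of the gmail.com lines are aligned so they correlate, and one DMARC pass line is constructed so both outcomes appear; the regular expressions are written for the line shapes seen on those slides.

```python
import re
from collections import defaultdict

# Adapted from the slides' mail_logs lines (see lead-in); one pass line is constructed.
MAIL_LOGS = """\
Tue Jun 27 00:09:24 2018 Info: MID 140370 ICID 242100 From: root@cannon.teamnorthwind.com
Tue Jun 27 00:09:24 2018 Info: MID 140370 ICID 242100 RID 0 To: usman@dinconsulting.com
Tue Jun 27 00:09:24 2018 Info: MID 140370 SPF: helo identity postmaster@cannon-master None
Tue Jun 27 00:09:24 2018 Info: MID 140370 SPF: mailfrom identity root@cannon.teamnorthwind.com None
Tue Jun 27 00:09:25 2018 Info: MID 140370 SPF: pra identity gguy@yahoo.com None headers from
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Message from domain yahoo.com, DMARC fail, (SPF aligned False, DKIM aligned False) DMARC policy is reject, applied policy is reject
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Verification failed.
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Message rejected by DMARC policy.
Tue Jun 27 00:09:25 2018 Info: MID 140370 rejected by DMARC policy
Tue Jun 27 00:09:25 2018 Info: Message aborted MID 140370 Receiving aborted
Sat Jun 17 05:29:54 2018 Info: MID 94398 ICID 188033 From: <bob@gmail.com>
Sat Jun 17 05:29:54 2018 Info: MID 94398 DMARC: Message from domain gmail.com, DMARC pass, (SPF aligned True, DKIM aligned True) DMARC policy is none, applied policy is none
Sat Jun 17 05:29:54 2018 Info: Message done DCID 1496 MID 94398 to RID [0] [('from', 'Uncle Bob <bob@gmail.com>')]
"""

LINE = re.compile(r"^(?P<ts>\w{3} \w{3} \d+ \d\d:\d\d:\d\d \d{4}) Info: (?P<msg>.*)$")
MID_RE = re.compile(r"\bMID (\d+)")
SPF_RE = re.compile(r"SPF: (?P<identity>helo|mailfrom|pra) identity (?P<addr>\S+) (?P<result>\w+)")
DMARC_RE = re.compile(
    r"DMARC: Message from domain (?P<domain>\S+), DMARC (?P<result>pass|fail), "
    r"\(SPF aligned (?P<spf>True|False), DKIM aligned (?P<dkim>True|False)\) "
    r"DMARC policy is (?P<policy>\w+), applied policy is (?P<applied>\w+)")
# Additional logged headers appear as a list of (name, value) tuples on the
# "Message done" line; the header name is matched case-insensitively.
HEADER_FROM_RE = re.compile(r"\[\('from', '(?P<value>[^']*)'\)\]", re.IGNORECASE)


def parse_mail_logs(text):
    """Group mail_logs lines by MID: sender identities, SPF and DMARC results
    and the final disposition of each message."""
    messages = defaultdict(lambda: {"spf": {}, "dmarc": None, "disposition": "unknown"})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        mid = MID_RE.search(msg)
        if not mid:
            continue
        rec = messages[mid.group(1)]
        spf, dmarc = SPF_RE.search(msg), DMARC_RE.search(msg)
        if " From: " in msg and "ICID" in msg:
            rec["envelope_from"] = msg.split(" From: ", 1)[1].strip().strip("<>")
        elif " To: " in msg and "RID" in msg:
            rec["rcpt_to"] = msg.split(" To: ", 1)[1].strip().strip("<>")
        elif spf:
            rec["spf"][spf["identity"]] = (spf["addr"], spf["result"])
        elif dmarc:
            rec["dmarc"] = {k: dmarc[k] for k in ("domain", "result", "spf", "dkim", "policy", "applied")}
        elif "rejected by DMARC policy" in msg or "Receiving aborted" in msg:
            rec["disposition"] = "rejected"
        elif msg.startswith("Message done DCID"):
            rec["disposition"] = "delivered"
            hdr = HEADER_FROM_RE.search(msg)
            if hdr:
                rec["header_from"] = hdr["value"]
    return dict(messages)


def dmarc_failures(messages):
    """MIDs whose DMARC result was fail: (spoofed domain, applied policy, disposition)."""
    return {mid: (r["dmarc"]["domain"], r["dmarc"]["applied"], r["disposition"])
            for mid, r in messages.items() if r["dmarc"] and r["dmarc"]["result"] == "fail"}


if __name__ == "__main__":
    parsed = parse_mail_logs(MAIL_LOGS)
    for mid, rec in parsed.items():
        print(mid, rec["disposition"], rec.get("envelope_from"), rec["dmarc"] and rec["dmarc"]["result"])
    print("DMARC failures:", dmarc_failures(parsed))
```

When the DMARC profile is left at Monitor, the DMARC line is still written but the disposition stays "delivered"; running this over a day of logs shows which sending domains would be affected before the policy is switched to enforcement.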
Tools to help get you started
DMARC Lookup Tools: https://www.agari.com/project/dmarc/, https://www.valimail.com/dmarc/domain-checker#/
DMARC Wizard: https://dmarc.globalcyberalliance.org/
DMARC Aggregation Reporting Tool (FREE!): http://dmarc.postmarkapp.com/
Forged Email Detection – Header Fuzzy Matching

MID 143464 Forged Email Detection on the From: header with score of 100
Info: Message done DCID 1570 MID 143464 to RID [0] [('From', 'Angry Bossman <angryboss@gmail.com>')]

• The idea behind Forged Email Detection is to provide a method to match the Display
Name in the From message header to Executives or High Value Personnel
• This feature can help narrow down targeted spoofs; it can leverage any action inside a
content or message filter and can also strip the From header to expose the envelope
from
• Using it alone is prone to false positives! Use in conjunction with other conditions
What are we matching?
• Forged Email Detection focuses on matching the Header From (RFC5322) and
specifically the Display Name (i.e. First Last <user@domain.com>)
• Fuzzy Matching samples:

Amgry Bossman -> Forged Email Detection on the From: header with score of 93
Angerry Bossman -> Forged Email Detection on the From: header with score of 92
Angry Bosman -> Forged Email Detection on the From: header with score of 96
Angry B0ssman -> Forged Email Detection on the From: header with score of 93
Angry Bossm4n -> Forged Email Detection on the From: header with score of 92
Andry Bossman -> Forged Email Detection on the From: header with score of 92

Example Forged Email Detection Filter
(Screenshots: the message before and after fed(); filter actions: strip From header, insert disclaimer)

• In this example we added the reputation score of the sender to focus the matches on untrusted senders
• By leveraging Forged Email Detection we can take an action to strip the headers and any additional actions that may be required
• Use in combination with a User Training program
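The three Forged Email Detection slides and the earlier Reply-To mismatch slide describe one filter, so here is a single added Python example (not the appliance's code, and not from the deck) that puts the pieces together: a fuzzy display-name score against an executive dictionary, the sender-reputation condition that focuses matches on untrusted senders, the resulting strip-From / insert-disclaimer actions, and the Reply-To domain comparison. The dictionary entries, the messages and the SBRS values are constructed; difflib's similarity ratio stands in for the appliance's scorer, which the slides do not publish, and the "untrusted" range (below the ACCEPTLIST floor of 2 from the HAT sample later in the deck) is an assumption.

```python
import difflib
from email.utils import parseaddr

# Constructed "Executives_FED" dictionary (the slide names the dictionary; the
# entries here are made up).
EXECUTIVES_FED = ["Angry Bossman", "Tony Nicely"]


def fed_score(name, dictionary=EXECUTIVES_FED):
    """Similarity (0..100) between a display name and its closest dictionary entry.

    difflib's ratio is used as the fuzzy matcher; it is an approximation, the
    appliance's own scoring function is not shown on the slides.
    """
    name = " ".join(name.lower().split())
    best = 0
    for entry in dictionary:
        ratio = difflib.SequenceMatcher(None, name, entry.lower()).ratio()
        best = max(best, round(ratio * 100))
    return best


def evaluate_spoof_filter(headers, sbrs, internal_domain, threshold=90):
    """Content-filter logic from the slides, as one function.

    headers: dict of message headers; sbrs: SenderBase Reputation Score
    (-10..10, or None when unknown); internal_domain: your own domain.
    A display-name match at or above the threshold from a sender outside
    the organization with an untrusted reputation strips the From header
    and inserts a disclaimer. A Reply-To domain that differs from the From
    domain is flagged as well. "Untrusted" = below the ACCEPTLIST floor of 2
    (assumption for this example).
    """
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    score = fed_score(name)
    untrusted = sbrs is None or sbrs < 2
    actions = []
    if score >= threshold and from_domain != internal_domain.lower() and untrusted:
        actions += ["strip-header From", "insert disclaimer"]
    reply_addr = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        actions.append("flag reply-to mismatch")
    return {"fed_score": score, "actions": actions}


# Constructed messages. The first mirrors the log line on the slide (score 100);
# the second is the wire-transfer lure from the Advanced Phishing Protection slide.
SAMPLES = [
    ({"From": "Angry Bossman <angryboss@gmail.com>"}, -3),
    ({"From": "Tony Nicely <trnicely@geico.com>",
      "Reply-To": "Tony Nicely <ceo.exec@gmail.com>"}, 3),
    ({"From": "Jane Doe <jane@gmail.com>"}, -3),
]

if __name__ == "__main__":
    for headers, sbrs in SAMPLES:
        print(headers["From"], "->", evaluate_spoof_filter(headers, sbrs, "geico.com"))
    for variant in ["Amgry Bossman", "Angerry Bossman", "Angry Bosman",
                    "Angry B0ssman", "Angry Bossm4n", "Andry Bossman"]:
        print(f"{variant:16} score {fed_score(variant)}")
```

The second sample shows the limit of display-name matching on its own: the From address is on the internal domain, so the FED condition does not fire even though the score is 100, and it is the Reply-To mismatch (and, at the connection phase, DMARC on the geico.com domain) that exposes it.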
Advanced Phishing Protection
Domain Protection
95% of All Successful Cyber Attacks are Caused by Phishing

Business Email Compromise (“BEC”)
  From: Bertolini, Mark (Chairman & CEO)
  To: Guertin, Shawn
  Subject: Outgoing payment
Breach-focused Attacks
  From: cyndikane@company-a.net
  To: jmcnamara@company-b.com
  Subject: Fwd: Proforma Invoice
Customer Phishing
  From: Amazon Web Services <noreply-aws@amazon.com>
  To: srobson@informatica.com
  Subject: Confirm your AWS Account

$100M lost by Google and Facebook in partner invoicing scam
96% of breaches communicated via email
$9.1B in global losses
Sources: RSA Global Fraud and Cybercrime Forecast 2017, Verizon Data Breach Digest 2018.
Advanced Phishing Attacks Use Identity Impersonation

Content Deception (2000s): Spam, Malware, Zero Day Attacks, Social Eng Attacks
Identity Impersonation: Spear Phishing (2015), Business Email Compromise (2017), Email Account Takeover (2018)
Cisco Cloud Security Solutions

Next Generation ATP: Advanced Phishing Protection, which protects employees from BEC, ATO and other advanced email attacks
Email Authentication/DMARC: Domain Protection, which protects partners and customers from phishing using your brand
Trust Platform: Identity Intelligence (AI2) models trusted behavior
Advanced Intelligence
• Learns and authenticates identities and behavioral relationships for enhanced protection

Advanced Phishing Protection Reduces Business Email Compromise
• Better understand which emails carry targeted phishing attacks so only legitimate emails are in inboxes
Advanced Phishing Protection

SEGs use IP and content blacklists; Advanced Phishing Protection looks beyond them to understand identity.

From: Tony Nicely <trnicely@geico.com>
Received: from nmail2.netsuite.com (167.216.129.208)
Sent: 10-Oct-2017 2:25:44 UTC
To: Mike Campbell <mcampbell@geico.com>
Reply-To: Tony Nicely <ceo.exec@gmail.com>
Subject: Urgent Wire Transfer

Hi Mike,
As you know, I’m on the road today. I’d like you to set up and initiate a wire transfer with the attached details. I’ll follow up with details when I get back in the office later this week.
Cheers,
Tony

SEG checks: ✓ IP Reputation, ✓ Spam & Outbreak Filters, ✓ Forged Email Detection, ✓ Payload Analysis → Verdict: Clean
Identity checks: ✕ Organizational Behavior, ✕ Infrastructure Behavior, ✕ Individual Behavior, ✕ Relational Model → Verdict: Deceptive
BEC is an Identity Deception Problem
• Look-alike Domain (7%): From: GIECO <support@G1ECO.com>
• Domain Spoofing (12%): From: Tom Nicely <ceo@GIECO.com>, Received: from: mail.other.com [121.32.54.124]
• Display Name Deception (81%): From: Tom Nicely <ceogieco@GMAIL.com>

BEC attacks up 2370%; over $9B in exposed $ loss
Advanced Phishing Protection Flexible Architecture
(Diagram: deploys alongside Office 365 / G-Suite, an SEG, or MS Exchange; Identity Intelligence™ covers BEC, APT and ATO)
Identity Intelligence™ (AI2) Components
• Identity Mapping: Which identity is perceived to be sending this message?
• Behavioral Analytics: Does this message match the expected behavior for that identity?
• Trust Modeling: How is the perceived identity related to the recipient?

Example of a Blocked ATO-based Attack
(Screenshot) Agari Identity Intelligence now blocks this new attack vector
Rapid DMARC Authenticates Inbound Own Domain Email
• Inbound DMARC Authentication & Enforcement
• Automatically Discovers & Builds a Sender Inventory
• Immediate Protection with minimal Operational Impact

(Diagram: own-domain inbound email from the HR System and the Payroll System reaches the Employee Inbox; the Exec Spoof is stopped)
Protect Your Brand
Domain Protection: DMARC Authentication, Stopping Phishing and Brand Abuse
• Easily analyze, update and take action against those misusing your domain to send malicious email
• Validate those who use your domain appropriately
• Compliant with new US Department of Homeland Security Regulations
• Drive to DMARC Enforcement with proven tools and services
Email’s Fundamental Flaw – Unknown Sender Identity
1. Unknown identity of senders
2. Infinite attack possibilities
3. Volume: 200B emails/day
(Diagram: senders → receivers, FROM: ?)
Why Is There Still Phishing?
Cisco Secures 90% of DMARC email volume globally
DMARC-enabled mailboxes in the US: 85% (Source: Facebook via DMARC.org)
DMARC-enabled mailboxes globally: 70% (Source: DMARC.org)
Adoption is Limited and Few Companies are at Reject
33% of Fortune 500 companies have a DMARC policy.
33% of FTSE 100 have a DMARC policy.
27% of ASX 100 have a DMARC policy.
(Chart: Fortune 500 DMARC adoption rate and enforcement status by industry; "Reject", "Quarantine" and "None" policy; 0% to 60%)
Understanding Your Email Ecosystem
Data analytics; threat & infrastructure alerts. Example (Chase):
209 Chase Domains, 3,908 Chase Servers, 1.2B Legitimate Emails, 1.3M Spoofing Servers, 194M Malicious Emails, 1.25M Malicious URLs
Automated Prevention of Phishing
• Automates getting to DMARC enforcement (p=reject)
• Maintains enforcement as the ecosystem evolves
Automating Email Authentication
1. Email Cloud Intelligence: automated discovery and intelligence on 3rd party email senders
2. Automation of SPF creation: streamline implementation of SPF, DKIM, and DMARC to protect customers and supply chain
3. Hosted SPF: option to have Agari host DMARC and SPF records or use Agari tools to build self-hosted records
Before Domain Protection
(Screenshot)

Day 1 With DP – Visibility Into Your Brand Abuse
(Map screenshot: your sender locations, protected senders, malicious senders)

After DP – Stop Phishing Messages From Being Delivered
(Map screenshot: your sender locations, protected senders, malicious senders)

Protecting the Email Channel
(Screenshot)
Summary
In Summary
• The days of set it and forget it are long gone – continuous monitoring and tuning are required to keep
up with today's threats
• Understand what your organization's security posture is and apply it to your appliances
• Keep your appliances updated – we are constantly introducing new features that require upgrades /
updates
• Check out our ChalkTalks on YouTube and Guides on Cisco.com to help with tuning and setting up new
features on Cisco Email Security
Anti-Spam Tuning Checklist
• Assess your Host Access Table – still using the defaults? Time to adjust the scores
• Create more SenderGroups and get gradually more aggressive in your settings
• Check your WhiteLists - entries could be years old, ip changed, etc. Use the comments to keep track and prune regularly
• Check your Mail Flow Policies and turn on Sender limits, Sender Verification, etc.
• Use the new granular policies to create better Incoming Mail Policies
• Move the logic from the filter to the policy to create more efficient settings
• Turn on Graymail and Threat Outbreak Filtering to get more insight and better efficacy
• Check your file size limits: Defaults are low and could potentially allow threat messages through
• Upgrade, Upgrade, Upgrade!
File Handling Checklist
• Create a filter to block, quarantine or strip attachments that are deemed risky for the organization
• Use AV to block the known viruses. Cleaning / Repairing viruses from files may be something you want to turn off
• Ensure Virus Outbreak is turned on in all your policies, it provides an average 10+ hr lead time on 0-day attacks
• Upgrade to 10.0.1 and use the Macro Filter to detect and take an action on unwanted files
• Evaluate AMP if you don’t have it already
• AMP will hash all files and ask for file reputation
• Set the File Analysis Pending action to Quarantine to hold the message until a verdict is available
• Macro inspection is performed by File Analysis on AMP along with other file types
• Remediation is now available with Office 365 with the Azure API
Phish & Spoofing Checklist
• Enable URL Filtering on the ESA
• Enable Web Interaction Tracking (if permitted by policy)
• Enable certain admin users URL visibility in Message Tracking (if permitted by policy)
• Enable Threat Outbreak Filtering and message modification – warn your users!
• Whitelist your partner URLs, use the scores to create filters for others
• Combine the reputation rules and leverage language detection as part of the logic
• Use the policies to define the level of aggression for rule sets
• Make a plan to enable SPF, DKIM and DMARC
• Know who your allowed external spoofs are by tracking them via filters and policies
• Build the list as the exception, trap all others
• With 10.0 use the Forged Email Detection Feature to look for matches on the display name; if too close to call, drop the From header
• Send a copy of suspected spoofs to a quarantine for review and then tune your rules to start blocking messages
Summary of Recommendations

Security Services
• IronPort Anti-Spam
  • Always scan 1MB and Never scan 2MB
• URL Filtering
  • Enable URL Categorization and Reputation
  • Enable Web Interaction Tracking
• Graymail Detection
  • Enable and Maximum Message size 1 MB
• Outbreak Filters
  • Enable Adaptive Rules, Max Scan size 1 MB
  • Enable Web Interaction Tracking
• Advanced Malware Protection
  • Enable additional file types after enabling feature
• Message Tracking
  • Enable Rejected Connection Logging (if required)

System Administration
• Users
  • Set password policies
  • If possible leverage LDAP for authentication
• Log Subscriptions
  • Enable Configuration History Logs
  • Enable URL Filtering Logs
  • Log Additional Header ‘From’

CLI Level Changes
• Web Security SDS URL Filtering
  • websecurityadvancedconfig > disable_dns=1, max_urls_to_scan=20, num_handles=5, default_ttl=600
• URL Logging
  • outbreakconfig> Do you wish to enable logging of URL's? [N]> y
  • http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html
• Clean URL Rewrites
  • websecurityadvancedconfig > Do you want to rewrite all URLs with secure proxy URLs? [Y]> n
• Anti-Spoof Filter
  • https://supportforums.cisco.com/sites/default/files/attachments/discussion/forged_email_detection_with_cisco_email_security.pdf
• Header Stamping Filter (message filter that records the connection facts in the message for downstream review)

addHeaders: if (sendergroup != "RELAYLIST")
{
    insert-header("X-IronPort-RemoteIP", "$RemoteIP");
    insert-header("X-IronPort-MID", "$MID");
    insert-header("X-IronPort-Reputation", "$Reputation");
    insert-header("X-IronPort-Listener", "$RecvListener");
    insert-header("X-IronPort-SenderGroup", "$Group");
    insert-header("X-IronPort-MailFlowPolicy", "$Policy");
}
Summary of Recommendations

Host Access Table
• Additional SenderGroups
  • SKIP_SBRS – Place higher for sources that skip reputation
  • SPOOF_ALLOW – Part of Spoofing Filter
  • PARTNER – For TLS Forced connections
• In SUSPECTLIST
  • Include SBRS Scores on None
  • Optionally, include failed PTR checks
• Aggressive HAT Sample
  • BLACKLIST [-10 to -2] POLICY: BLOCKED
  • SUSPECTLIST [-2 to -1] POLICY: HEAVYTHROTTLE
  • GRAYLIST [-1 to 2 and NONE] POLICY: LIGHTTHROTTLE
  • ACCEPTLIST [2 to 10] POLICY: ACCEPTED

Mail Flow Policy (default)
• Security Settings
  • Set TLS to preferred
  • Enable SPF
  • Enable DKIM
  • Enable DMARC and Send Aggregate Feedback Reports

Incoming Mail Policies
• Anti-Spam thresholds
  • Positive = 90, Suspect = 39
• Anti-Virus
  • Don't repair, Disable Archive Message
• AMP
  • Add "AMP" to Subject Prepend for Unscannable, Disable Archive Message
• Graymail
  • Scanning enabled for each Verdict, Prepend Subject and Deliver
  • Add x-header for Bulk email: header = X-BulkMail, value = True
• Outbreak Filters
  • Enable message modification. Rewrite URL for unsigned message.
  • Change Subject prepend to: [Possible $threat_category Fraud]

Outgoing Mail Policies
• Anti-Virus
  • Anti-Virus Virus Infected: Prepend Subject: Outbound Malware Detected: $Subject.
  • Other Notification to Others: Order form admin contact
  • Anti-virus Unscannable: don't Prepend the Subject
  • Uncheck "Include an X-header with the AV scanning results in Message"
Summary of Recommendations

Policy Quarantines
• Pre-Create the following Quarantines
  • Inappropriate Inbound
  • Inappropriate Outbound
  • URL Malicious Inbound
  • URL Malicious Outbound
  • Suspect Spoof
  • Malware

Other Settings
• Dictionaries
  • Enable / Review Profanity and Sexual Terms Dictionary
  • Create Forged Email Dictionary with Executive Names
  • Create Dictionary for restricted or other keywords
• Destination Controls
  • Enable TLS for default destination
  • Set lower thresholds for webmail domains
  • http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118573-technote-esa-00.html

Content Filters
• Inappropriate language Content Filter
  • Conditions: Profanity OR Sexual dictionary match; send a copy to the Inappropriate quarantine.
• URL Malicious Reputation Content Filter
  • Send a copy to the URL Malicious (-10 to -6) quarantine.
• URL Category Content Filter with these selected
  • Adult, Pornography, Child Abuse, Gambling.
  • Send a copy to the Inappropriate quarantine.
• Forged Email Detection
  • Dictionary named "Executives_FED"
  • FED() threshold 90, Quarantine a copy.
• Macro Enabled Documents content filter
  • if one or more attachments contain a Macro
  • Optional condition -> From Untrusted SBRS range
  • Send a copy to quarantine
• Attachment Protection
  • if one or more attachments are protected
  • Optional condition -> From Untrusted SBRS range
  • Send a copy to quarantine
Resources
• ESA ChalkTalks: https://www.youtube.com/playlist?list=PLFT-9JpKjRTANXKBmLbQ611TPYLXbUL_0
• URL Best Practices: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html?referring_site=RE&pos=2&page=http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white_paper_c11-684611.html
• Anti-Spam Tuning Guide: http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white-paper-c11-732910.html
• Other Guides: http://www.cisco.com/c/en/us/products/security/email-security-appliance/white-paper-listing.html
• Knowledge base: http://www.cisco.com/c/en/us/products/security/email-security-appliance/q-and-a-listing.html
Email Security Appliance – Cisco on Cisco

Emails delivered                 Emails / mo    Emails / day   Emails / employee / day   %
Attempted                        124 M          5.6 M          73
Blocked                          77 M           3.5 M          46                        63%
Delivered                        37 M           1.7 M          22                        30%
Delivered, marked “Marketing”    9 M            0.4 M          5                         7%

ESA Blocked Emails               Emails* / mo   Emails / day   Emails / employee / day   %
By reputation                    73 M           3.3 M          43                        94%
By spam content                  4.3 M          0.2 M          3                         5%
By invalid recipients            0.4 M          0.02 M         0.25                      1%

3.5M Emails blocked each day

Thank you