https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/79024#M101 <P style="font: 14px/20px Lato, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; margin: 0px; padding: 0px; color: rgb(51, 51, 51); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; widows: 1; font-size-adjust: none; font-stretch: normal; -webkit-text-stroke-width: 0px;">Hi clewis.</P> <P style="font: 14px/20px Lato, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; margin: 0px; padding: 0px; color: rgb(51, 51, 51); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; widows: 1; font-size-adjust: none; font-stretch: normal; -webkit-text-stroke-width: 0px;">&nbsp;</P> <P style="font: 14px/20px Lato, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; margin: 0px; padding: 0px; color: rgb(51, 51, 51); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; widows: 1; font-size-adjust: none; font-stretch: normal; -webkit-text-stroke-width: 0px;">I tested this signature in a lab with every variant of the domain you provided, and it triggered in each instance.</P> <P style="font: 14px/20px Lato, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; margin: 0px; padding: 0px; color: rgb(51, 51, 51); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; widows: 1; font-size-adjust: none; font-stretch: normal; -webkit-text-stroke-width: 0px;">&nbsp;</P> <P style="font: 14px/20px Lato, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; margin: 0px; padding: 0px; color: rgb(51, 51, 51); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; widows: 1; font-size-adjust: none; font-stretch: normal; -webkit-text-stroke-width: 0px;">Do you have a packet capture of the offending traffic?</P> Thu, 02 Jun 2016 15:02:14 GMT rcole 2016-06-02T15:02:14Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/78952#M94 <P>I am trying &nbsp;to create a custom signature with the purpose of preventing malicious/phishing/spam emails with the firewall before it hits our mail gateway. For the most part we have been successful with this technique but I am struggling with creating a signature to essentially work as a wildcard. If anyone could take a look at my scenario and provide any feedback it would be much appreciated. Below is my example:</P> <P>&nbsp;</P> <P>Scenairo: we are receiveing unwanted emais from the following email address</P> <P>scanner@abc.domain.com</P> <P>scanner@abcd.domain.com</P> <P>scanner@abcde.domain.com</P> <P>scanner@aaa.domain.com</P> <P>scanner@bbb.domain.com</P> <P>scanner@ccc.domain.com</P> <P>&nbsp;</P> <P>As you can see the consistent parts of this type email campaign is the <FONT color="#ff0000"><SPAN style="line-height: normal;">scanner</SPAN></FONT>@abc.<FONT color="#FF0000">domain.com<FONT color="#000000">. I am hoping to come up with a signature using email headers to wildcard the '</FONT>abc, abcd,abcda, etc<FONT color="#000000">' &nbsp;as I dont want to be writing individual signatures for each sub domain as this could include upto 15 different representations of 'abc'. </FONT></FONT></P> <P>&nbsp;</P> <P><SPAN><FONT color="#FF0000"><FONT color="#000000">I thought this would work&nbsp;<FONT color="#FF0000">scanner@(.*)(\.domain\.com)</FONT> but does not appear to be the case.</FONT></FONT></SPAN><SPAN><FONT color="#FF0000"><FONT color="#000000"><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="pic.PNG" style="width: 472px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4245iB993DF10D0B36DAC/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="pic.PNG" alt="pic.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="pic.PNG" style="width: 472px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4245iB993DF10D0B36DAC/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="pic.PNG" alt="pic.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="pic.PNG" style="width: 472px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4245iB993DF10D0B36DAC/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="pic.PNG" alt="pic.PNG" /></span></FONT></FONT></SPAN></P> Wed, 01 Jun 2016 17:29:05 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/78952#M94 clewis1 2016-06-01T17:29:05Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/78959#M95 <P>Good afternoon!</P> <P>&nbsp;</P> <P>I would try:</P> <P>&nbsp;</P> <P>scanner@[a-z]+\.domain\.com</P> <P>&nbsp;</P> <P>This operates under the assumption that the child domain under domain.com consists of any number of the characters a-z.</P> Wed, 01 Jun 2016 18:03:23 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/78959#M95 rcole 2016-06-01T18:03:23Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/79018#M99 <P>Thanks&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/28524" target="_blank">rcole</A>. I will give this a shot.</P> Thu, 02 Jun 2016 14:25:52 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/79018#M99 clewis1 2016-06-02T14:25:52Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/79023#M100 <P>Unfortunately this signature did not work either.</P> Thu, 02 Jun 2016 14:57:33 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/79023#M100 clewis1 2016-06-02T14:57:33Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/79024#M101 <P style="font: 14px/20px Lato, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; margin: 0px; padding: 0px; color: rgb(51, 51, 51); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; widows: 1; font-size-adjust: none; font-stretch: normal; -webkit-text-stroke-width: 0px;">Hi clewis.</P> <P style="font: 14px/20px Lato, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; margin: 0px; padding: 0px; color: rgb(51, 51, 51); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; widows: 1; font-size-adjust: none; font-stretch: normal; -webkit-text-stroke-width: 0px;">&nbsp;</P> <P style="font: 14px/20px Lato, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; margin: 0px; padding: 0px; color: rgb(51, 51, 51); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; widows: 1; font-size-adjust: none; font-stretch: normal; -webkit-text-stroke-width: 0px;">I tested this signature in a lab with every variant of the domain you provided, and it triggered in each instance.</P> <P style="font: 14px/20px Lato, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; margin: 0px; padding: 0px; color: rgb(51, 51, 51); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; widows: 1; font-size-adjust: none; font-stretch: normal; -webkit-text-stroke-width: 0px;">&nbsp;</P> <P style="font: 14px/20px Lato, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; margin: 0px; padding: 0px; color: rgb(51, 51, 51); text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; widows: 1; font-size-adjust: none; font-stretch: normal; -webkit-text-stroke-width: 0px;">Do you have a packet capture of the offending traffic?</P> Thu, 02 Jun 2016 15:02:14 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/79024#M101 rcole 2016-06-02T15:02:14Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/80454#M103 <P>I've been using this method for a while successfully...</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="email-sig.PNG" style="width: 483px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4351i23DBA05CB32EC5B5/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="email-sig.PNG" alt="email-sig.PNG" /></span></P> Wed, 08 Jun 2016 20:32:19 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/80454#M103 jambulo 2016-06-08T20:32:19Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/86795#M104 <P>I think I may be having an issue with decryption which may be casuing the issue. Just getting back around to looking at this one</P> Wed, 15 Jun 2016 10:56:35 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-email-headers/m-p/86795#M104 clewis1 2016-06-15T10:56:35Z