This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Custom Signature for Email Headers

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Custom Signature for Email Headers

clewis1
L3 Networker

‎06-01-2016 10:29 AM

I am trying  to create a custom signature with the purpose of preventing malicious/phishing/spam emails with the firewall before it hits our mail gateway. For the most part we have been successful with this technique but I am struggling with creating a signature to essentially work as a wildcard. If anyone could take a look at my scenario and provide any feedback it would be much appreciated. Below is my example:

 

Scenairo: we are receiveing unwanted emais from the following email address

scanner@abc.domain.com

scanner@abcd.domain.com

scanner@abcde.domain.com

scanner@aaa.domain.com

scanner@bbb.domain.com

scanner@ccc.domain.com

 

As you can see the consistent parts of this type email campaign is the scanner@abc.domain.com. I am hoping to come up with a signature using email headers to wildcard the 'abc, abcd,abcda, etc'  as I dont want to be writing individual signatures for each sub domain as this could include upto 15 different representations of 'abc'.

 

I thought this would work scanner@(.*)(\.domain\.com) but does not appear to be the case.pic.PNGpic.PNGpic.PNG

0 Likes Likes
6 REPLIES 6

rcole
L4 Transporter

‎06-01-2016 11:03 AM

Good afternoon!

 

I would try:

 

scanner@[a-z]+\.domain\.com

 

This operates under the assumption that the child domain under domain.com consists of any number of the characters a-z.

0 Likes Likes

clewis1
L3 Networker
In response to rcole

‎06-02-2016 07:25 AM

Thanks rcole. I will give this a shot.

0 Likes Likes

clewis1
L3 Networker
In response to rcole

‎06-02-2016 07:57 AM

Unfortunately this signature did not work either.

0 Likes Likes

rcole
L4 Transporter
In response to clewis1

‎06-02-2016 08:02 AM

Hi clewis.

 

I tested this signature in a lab with every variant of the domain you provided, and it triggered in each instance.

 

Do you have a packet capture of the offending traffic?

0 Likes Likes

jambulo
L4 Transporter
In response to rcole

‎06-08-2016 01:32 PM

I've been using this method for a while successfully...

 email-sig.PNG

0 Likes Likes

clewis1
L3 Networker
In response to rcole

‎06-15-2016 03:56 AM

I think I may be having an issue with decryption which may be casuing the issue. Just getting back around to looking at this one

0 Likes Likes
  • 6445 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks