Best Practices Guide for Incoming and Outgoing Content Filters

Introduction

Content Filters allow you to inspect the intricate details of an Email and take Actions (or no Action) on the Email. Once the Incoming or Outgoing Content Filter is created, you apply it to an Incoming or Outgoing Mail Policy. When any Email matches the Content Filter, the "Content Filters" Report on the Cisco Email Security Appliance (ESA) and Security Management Appliance (SMA) will be able to show you all emails that matched any Content Filter. Therefore, even if no action is taken, it is an excellent way to obtain valuable information about the type of emails entering and leaving your organization - allowing you to “Pattern” your email flow.

As there are many different Content Filter "Conditions" and "Actions", this document will step you through some very common and recommended Incoming and Outgoing Content Filters.

Overview of steps

Step 1: Import the needed dictionaries

This document will provide the steps necessary for you to implement some Best Practices Incoming and Outgoing Content Filters. The Content Filters we are going to create will reference a few dictionaries - so we will need to import those dictionaries first. The ESA ships with the dictionaries and you merely need to import them into the configuration in order to reference them in the Content Filters we will create.

Step 2: Create Centralized Quarantines

For most of the Content Filters, we will create, we will set the "Action" to Quarantine the Email (or a copy of the Email) into a specified designated custom (new) Quarantines — and therefore, we need to first create those Quarantines on the SMA — as this document assumes you have enabled Centralized PVO (Policy, Virus, and Outbreak) Quarantines between the ESA and SMA.

Step 3: Create the Incoming and Outgoing Content Filters and Apply to Policies

Once we have the dictionaries imported and the Quarantines created, we will create the Inbound Content Filters and apply them to the Incoming Mail Policies and then create the Outgoing Content Filters and apply them to the Outgoing Mail Policies.

STEP 1: IMPORTING THE NEEDED DICTIONARIES

Importing the Dictionaries that we will be referencing in our Content Filters:

• On the ESA appliance, Navigate to "Mail Policies > Dictionaries"
• Click the “Import Dictionary” button on the right side of the page. 

Profanity:

• Select “Import from the configuration directory on your IronPort appliance”
• Select “profanity.txt” and click “Next”.
• Name: Profanity
• Click the “Match whole words” (VERY IMPORTANT)
• Modify the terms (add new terms or remove unwanted terms)
• Click "Submit"

Sexual Content:

• Select “Import from the configuration directory on your IronPort appliance” 
• Select the “sexual_content.txt” and click “Next”.
• Name: SexualContent
• Click the “Match whole words” (VERY IMPORTANT)
• Modify the terms (add new terms or remove unwanted terms)
• Click "Submit"

Proprietary:

• Select “Import from the configuration directory on your IronPort appliance” 
• Select the “proprietary_content.txt” and click “Next”.
• Name: Proprietary
• Click the “Match whole words” (VERY IMPORTANT)
• Modify the terms (add new terms or remove unwanted terms)
• Click "Submit"

STEP 2: CREATING THE CENTRALIZED QUARANTINES

• On the SMA, navigate to "Email Tab > Message Quarantine > PVO Quarantines"
• This is what the Quarantines table should look like before we start. All quarantines are default.

• Click the “Add Policy Quarantine…” button
• Create the below Quarantines. 
• Some will be used by Incoming Content Filters and some will be used by Outgoing Content Filters. You create them in the same manner.

• Here is how your PVO table should look after creating all of the PVO Quarantines.

STEP 3: CREATING THE INCOMING CONTENT FILTERS

Once the Dictionaries have been imported and the PVO Quarantines have been created, you can now start creating the Incoming Content Filters:

• Navigate to: "Mail Policies > Incoming Content Filters"
• Here is a table of Incoming Content Filters you should create. For example purposes, below the table is a screenshot exemplifying how to create the first one.

As an example, this is what the Bank_Data Content Filter should look like before you submit.

After creating all of the Incoming Content Filters, the table should now look like this:

Because the “Policies” function is selected (you will see the Policies hypertext at the top middle) the middle column shows the Incoming Mail Policies the Content Filter has been applied to. Because we have not applied them to any Incoming Mail Policy, the “Not in use” is displayed. 

Apply the Incoming Content Filters to the Incoming Mail Policies

• Navigate to: "Mail Policies > Incoming Mail Policies"
• Click on the “Disabled” text in the Content Filters cell for the "Default Policy".
• The pull-down menu button is set to “Disable Content Filters”.
• Click the button and set to “Enable Content Filters” and you will immediately be presented with all Incoming Content Filters that have been created.
• Enable all filters except the DKIM_Hardfail_Original, and Spoof_SPF_Failures.
• "Submit" and "Commit".

DKIM Verification for eBay & Paypal and Spoof Email Protection for your domain

Those two topics will involve Content Filters that utilize DKIM Verification and SPF Verification. Therefore, we must first ensure both DKIM and SPF Verification are enabled. 

1. Enable DKIM and SPF Verification within Mail Flow Policies

• Navigate to: "Mail Policies > Mail Flow Policies"
• Enable DKIM and SPF Verification within all Mail Flow Policies that have “Connection Behavior” of “Accept”.
• Click on the bottom hypertext “Default Policy Parameters” and set “DKIM Verification” to “On” and “SFP/SIDF Verification” to “On”.
• Click "Submit" and "Commit".
• You now see the Mail Flow Policies table. Look at the column named “Behavior” and edit any Mail Flow Policy with the Behavior set to “Relay” 
• Turn “Off” both DKIM and SPF Verification for those Mail Flow Policies. 
• Click "Submit" and "Commit".

We do not want the ESA to perform DKIM or SPF verification for email received into the ESA from your Exchange Mail Server heading outbound. In most configurations, the “RELAYED” Mail Flow Policy is the only row with the Behavior of Relay.

2. Create a new Incoming Mail Flow Policy for eBay and Paypal

Inbound Email received from eBay and Paypal should always pass DKIM verification. We will, therefore, create another Incoming Mail Policy to use the DKIM_Hardfail_Original Incoming Content Filter for an email from those domains.

• Navigate to: "Mail Policies > Incoming Mail Policies"
• Click the "Add Policy" button. 
• Enter the Name: "DKIM Hardfail Original"
• Click the “Add User…” button.

The next configuration panel lets you define what messages will match this new Incoming Mail Policy. We only want to define the criteria for the Sender (the left portion of the configuration panel). 

• Click “Following Senders” radio button and in the Email Addresses table enter “@ebay.com, @paypal.com” 

• Click the “Ok” button at the bottom. 
• Click "Submit".

3. Create a new Incoming Mail Flow Policy for Your Domain (Spoof Protection)

The steps in this section will allow you to take action on Incoming email that has a From email address of your own domain and that are failing SPF verification. Of course, this relies on you having already published your SPF Text Record in DNS. Skip these steps if you have not created/published an SPF Text Resource record for your domain.

• Navigate to: "Mail Policies > Incoming Mail Policies"
• Click the "Add Policy" button. 
• Enter the Name: "Spoof_Protection"
• Click the “Add User…” button.

The next configuration panel lets you define what messages will match this new Incoming Mail Policy row. You only want to define the criteria for the Sender (which is the left portion of the configuration panel). 

• Click the “Following Senders” radio button and then enter your domain in the “Email Address:” text box. For me, my domain is “@unc-hamiltons.com” 

• Click "Submit".

You are presented with the Incoming Mail Policies table again but now you have a second new Mail Policy row above the Default Policy. 

• Click the (use default) hypertext in the Content Filters cell for the new row. 
• Flip the pull-down menu to “Enable Content Filters (Customized Settings)”.
• Check the “Spoof_SPF_Failures” also ensure both "DKIM_Hardfail_Copy" and "DKIM_Hardfail_Original" are not checked. 
• Click "Submit" and "Commit changes".

The Incoming Mail Policies table should now look like this:

STEP 4: CREATING THE OUTGOING CONTENT FILTERS

• Navigate to: "Mail Policies > Outgoing Content Filters"
• Here is a table of Outgoing Content Filters you should create.

Because the “Policies” function is selected (you will see the Policies hypertext at the top middle) the middle column shows the Outgoing Mail Policies the Content Filter has been applied to. Because we have not applied them to any Outgoing Mail Policy, the “Not in use” is displayed. 

• Navigate to: "Mail Policies > Outgoing Mail Policies"
• Click on the “Disabled” text in the Content Filters cell for the Default Policy.
• The pull-down menu button is set to “Disable Content Filters”.
• Click the button and set to "Enable Content Filters" and you will immediately be presented with all Outgoing Content Filters that have been created. 
• "Enable" all filters. 
• "Submit" and "Commit".

Summary

You have now implemented initial Best Practices for Incoming and Outgoing Content Filters. Most (not all) Content Filters used the Quarantine Action and elected to check (Enable) the “Duplicate message” option - which merely places a copy of the Original Email and did not prevent the email from being delivered. The intent of these Content Filters is to allow you to gather information about the types of emails flowing Inbound and Outbound to your company.

Having said that, after running the Content Filters report and looking over the email copies saved in the quarantines, it may be prudent to uncheck the “Duplicate message” checkbox option and thereby start placing the original email into the quarantine instead of a copy/duplicate.