HOWTO: How do I block Out of Office Assistant (OOA) messages sent to a mail server that holds the messages for a time before sending an NDR back to the internal mail server?


This article applies to:

  • MailMarshal (SEG)

Question:

How do I block Out of Office Assistant (OOA) messages sent to a mail server that holds the messages for a time before sending an NDR back to the internal mail server?

Procedure:

Before proceeding, analyze the message (.mml) in question for unique text that you can search for in the body. This text can differ from environment to environment. In the following example, we knew the Helo Name of our internal mail server and the subject of an email that was sent out by the OOA. We also knew that if a message had both of these in the Message Body and/or the Message Text, we could block only these types of NDRs.

  • Unique Helo Name = test.example.com
  • Unique text in the subject line = subject: out of office autoreply:

  1. Create a new TextCensor script called Block OOA NDRs.
    • The TextCensor (TC) script needs to search the MsgBody and Attachments only.
    • The following line item needs to be added to the TC script:
      • Unique Helo Name AND Unique Text in the Subject line:
        • Example: "test.example.com AND subject: out of office autoreply:"
        • Weighting = 5
        • Weighting type = once only
  2. Create a new Content Analysis rule to use the TextCensor script.
    • Initially, monitor the OOA NDRs folder to be sure that the rule is capturing the intended problem emails.

Example:
Rule: Block OOA NDRs
When a message arrives
Where message is incoming
Where message triggers text censor script(s) 'Block OOA NDRs'
Move the message to 'OOA NDRs'
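
To pre-check the chosen phrases against saved sample messages before enabling the rule, the following added example (not MailMarshal code and not part of the original article) approximates the script's scope in Python: body and attachments only, both phrases required. It assumes the samples are available as RFC 5322 text and that matching ignores case; `scanned_text`, `would_trigger` and both sample messages are illustrative.

```python
from email import message_from_string, policy

# Phrases from the article's example; replace with those found in your own NDRs.
HELO_NAME = "test.example.com"
SUBJECT_TEXT = "subject: out of office autoreply:"

def scanned_text(msg):
    """Body and attachment text only; the message's own headers are skipped."""
    if msg.get_content_maintype() == "message" and msg.is_multipart():
        # An attached original message: its headers count as attachment content.
        return "\n".join(p.as_string() for p in msg.get_payload())
    if msg.is_multipart():
        return "\n".join(scanned_text(p) for p in msg.get_payload())
    return msg.get_content() if msg.get_content_maintype() == "text" else ""

def would_trigger(raw):
    """True only when BOTH phrases occur, mirroring the AND in the script line."""
    msg = message_from_string(raw, policy=policy.default)
    # Assumption: matching ignores case; whitespace is collapsed to undo folding.
    text = " ".join(scanned_text(msg).lower().split())
    return HELO_NAME in text and SUBJECT_TEXT in text

# Constructed sample: an NDR that carries the original OOA reply as an attachment.
SAMPLE_NDR = """\
Subject: Undeliverable mail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed. Received from test.example.com (HELO test.example.com).
--b1
Content-Type: message/rfc822

Subject: Out of Office AutoReply: Quarterly report

I am out of the office.
--b1--
"""

# Constructed sample: an ordinary auto-reply; the subject is only in its own header.
SAMPLE_OOA = """\
Subject: Out of Office AutoReply: Quarterly report

I am away. Your mail to test.example.com was received.
"""

if __name__ == "__main__":
    print(would_trigger(SAMPLE_NDR), would_trigger(SAMPLE_OOA))
```

A sample that matches only one phrase, or that carries the phrase only in its own headers, should come back `False`; if a legitimate message returns `True`, pick more specific text before moving the rule beyond monitoring.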

This article was previously published as:
NETIQKB37658
