
Adding a warning message for external emails as a disclaimer... (part 2)

Marc Luescher

Updated: Sep 18, 2020

Most email admins have seen one way or another of tagging external emails. While this sounds like a very easy task, there are some pitfalls to avoid. This blog article is the second part of a series covering some options for custom headers or, as Cisco calls them, disclaimers.


While we have been very successful with our basic headers, there is a warning I need to mention. Over time it appears that our user base started to ignore those additional disclaimer warnings, as they have been added to every external message. While I will still give you all the pieces to make such headers work using the Ironport only, there will be a later blog post on how to leverage Ironport X-headers and Office 365 mail rules to get the best of both worlds.


Let's start with a very basic red line on top of all incoming messages, like in the following example:


In the first part I outlined why using a content filter is not a good and consistent solution, so the same rules apply here. Inserting a body part into an existing message breaks every possible hash and signature. Therefore special care needs to be taken again for such messages.
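Added example (not from the original post): DKIM's body hash is one of the hashes that an inserted heading breaks. The sketch recomputes the bh= value with relaxed canonicalization (RFC 6376) over a constructed body before and after a heading is prepended; the sample body, the heading text and the function names are assumptions.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse whitespace runs
        out.append(line.rstrip(b" "))          # ignore whitespace at end of line
    while out and out[-1] == b"":              # ignore trailing empty lines
        out.pop()
    return b"".join(line + b"\r\n" for line in out)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonical body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def body_still_verifies(signed_bh: str, delivered_body: bytes) -> bool:
    """True if the body seen after the gateway still matches the signed hash."""
    return body_hash(delivered_body) == signed_bh


# Constructed sample body, as the external sender signed it.
ORIGINAL = b"Hello Bob,\r\n\r\nthe invoice is attached.  \r\n\r\n"
# Constructed plain-text stand-in for the heading the gateway inserts.
HEADING = b"CAUTION: This email originated from outside the organization.\r\n\r\n"


def demo() -> dict:
    signed_bh = body_hash(ORIGINAL)
    reflowed = b"Hello Bob,\r\n\r\nthe invoice is attached.\r\n"
    return {
        "untouched": body_still_verifies(signed_bh, ORIGINAL),
        "whitespace_only": body_still_verifies(signed_bh, reflowed),
        "heading_added": body_still_verifies(signed_bh, HEADING + ORIGINAL),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16} body hash {'matches' if ok else 'MISMATCH'}")
```

Relaxed canonicalization tolerates whitespace changes only; any inserted text changes the hash, so a verifier that re-checks the message after the gateway sees a body hash mismatch.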


There will be some very isolated cases where an HTML message is constructed in a way that a new text or HTML block cannot be inserted on top of the message. This happens very rarely, but in such cases the disclaimer will either be text only, be attached as the last object, or not be inserted at all:



We will again use the CLI message filter interface to add a filter behind our existing filter to modify the subject.


Before we start we will need to do some preparation work.


Just go into the GUI section Mail Policies \ Dictionary, add another new dictionary and give it an appropriate name like WhiteListExtHeader. Deselect both advanced matching options, and you might want to add a dummy email address again for testing purposes, like your personal Gmail account. Don't forget to submit and commit the dictionary.


Besides this we will need to create a disclaimer, and to do this we will use the Mail Policies \ Text Resources option. Create a new text resource and select the type disclaimer template:


Copy the text as displayed in the following screen copy. We will leverage some very basic HTML code in this first example, just enough to make the text bold and turn it red. Make sure to select the "<>" Code View button prior to entering the text. The Ironport does the heavy lifting and will recommend a text which will be inserted into messages which come in as TXT only, where HTML will not work. The drawback, as mentioned, is that you cannot change the size or color of this text.



Checking the preview option should then display something like this:

Now it is up to you to change the text and message as you please.


Once you are happy with the result you need to create an additional message filter on the CLI, after the existing filter created in part 1 of this blog.


Go into the CLI again, enter "filters", select new and copy the filter below. The S/MIME test is written as NOT (p7s OR p7m), so a message carrying either S/MIME attachment is left unmodified. add-heading references the disclaimer text resource by name, so "External_Warning" has to match the name you gave it.


CLITagExtDefaultHeader: if recv-listener == "InboundInterface" {
    if NOT ((attachment-filename == "smime.p7s") OR (attachment-filename == "smime.p7m")) {
        if NOT (mail-from-dictionary-match("ourGroupDomains", 1)) {
            if NOT (mail-from-dictionary-match("WhiteListExtHeader", 1)) {
                log-entry("--CLITagExternalHeader_Default--");
                add-heading("External_Warning");
            }
        }
    }
}


End the filter with "." on a new line. After exiting the filter option on the CLI, make sure to submit your changes using commit.


Now it is time to test. You will quickly realize that the text block looks kind of boring and other senders have nicer disclaimers. We do not want to hold back here and I have created an extended version of such a disclaimer to share:



The preview just shows you a more appealing version of the disclaimer below:


To make it a bit easier I just copied the full HTML code here so you can start using it as a template:


<div id="demo"><br>
<table style="width: 100%; border-collapse: collapse; border-style: double; background-color: lightblue;" border="0">
  <tbody>
    <tr>
      <td style="width: 7.89478%; text-align: center;"><strong>&nbsp;!!!&nbsp; <br></strong></td>
      <td style="width: 92.1054%;"><strong>Caution</strong>: This email originated from outside the organization and is a trusted sender acting on our behalf.&nbsp; You can click on included links or open attachments unless you don't recognize them. If you have concerns about this email, send it as an attachment to ‘phishing@xxxxx.com’.</td>
    </tr>
  </tbody>
</table>
</div>


This completes the second part of the external tagging series, and hopefully you got some new ideas.


Another task completed in the life of an email admin.







