Preview Tool

Cisco Bug: CSCvh89091 - [EH] filter out certain spoofing attacks based on HELO when attacker uses an IP address in the HELO

Last Modified

Feb 12, 2018

Products (1)

  • Cisco Email Security Appliance

Known Affected Releases


Description (partial)

Customer would like for the ESA to add the HELO identity as a separate header . Rather than including it with (Received-SPF header) header. To make it possible to filter on HELO identity.

Currently when a SPF/SIDF verification is on the ESA, it places an SPF/SIDF verification header ( Received-SPF ) in the email. The Received-SPF header contains the following information:

    verification result - the SPF verification result (see Verification Results).
    identity - the identity that SPF verification checked: HELO, MAIL FROM, or PRA.
    receiver - the verifying host name (which performs the check).
    client IP address - the IP address of the SMTP client.
    ENVELOPE FROM - the envelope sender mailbox. (Note that this may be different from the MAIL FROM identity, as the MAIL FROM identity cannot be empty.)
    x-sender - the value of the HELO, MAIL FROM, or PRA identity.
    x-conformance - the level of conformance (see Table - SPF/SIDF Conformance Levels ) and whether a downgrade of the PRA check was performed.

The following example shows a header added for a message that passed the SPF/SIDF check:

Received-SPF: Pass identity=pra;;

client-ip=; envelope-from="";

x-sender=""; x-conformance=sidf_compatible
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.