Cisco Bug: CSCvs73812 - Additional characters in From header with multiple email address bypass FED

Last Modified

Mar 02, 2020

Products (1)

  • Cisco Email Security Appliance

Known Affected Releases

13.0.0-305

Description (partial)

Symptom:
From headers containing multiple email addresses with additional characters are not detected as FED violations.

When a dictionary containing the term "Patrick Koller" is used, the following headers are not detected as a FED violation:

From: "patrick.koller@pqr.com VNM" <spam.host@domain.com>
From: "patrick.koller@pqr.com A" <spam.host@domain.com>

The headers below trigger as expected:

From: "patrick.koller@pqr.com" <spam.host@domain.com>
From: "patrick koller VNM" <spam.host@domain.com>

Conditions:
ESA running AsyncOS 13, configured with a content filter that uses the forged email detection condition.
An email passes through the ESA with a From header containing multiple email addresses and an additional character in the display name.
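
The four headers from the Symptom section can be run through a supplementary display-name check that reduces any address embedded in the display name to its local part and compares word windows against the dictionary term. This is an added example, not Cisco's FED implementation; `matched_name`, `PROTECTED_NAMES`, `SAMPLES` and the 0.85 threshold are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

PROTECTED_NAMES = ["Patrick Koller"]  # dictionary term from the bug description
THRESHOLD = 0.85                      # assumed similarity cut-off, not a Cisco value

# An address inside the display name contributes only its local part.
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@[A-Za-z0-9.-]+")

def _tokens(text):
    """Lower-case word tokens, with embedded addresses reduced to the local part."""
    text = EMAIL_RE.sub(r"\1", text)
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]

def matched_name(from_value, names=PROTECTED_NAMES, threshold=THRESHOLD):
    """Return the protected name the display name imitates, or None."""
    display, _addr = parseaddr(from_value)
    tokens = _tokens(display)
    for name in names:
        target = _tokens(name)
        wanted = " ".join(target)
        # Slide a window of the name's length over the tokens so that extra
        # words before or after the name do not dilute the similarity score.
        for i in range(max(len(tokens) - len(target) + 1, 0)):
            window = " ".join(tokens[i:i + len(target)])
            if SequenceMatcher(None, window, wanted).ratio() >= threshold:
                return name
    return None

# From header values quoted in the bug description, plus one constructed benign value.
SAMPLES = [
    '"patrick.koller@pqr.com VNM" <spam.host@domain.com>',
    '"patrick.koller@pqr.com A" <spam.host@domain.com>',
    '"patrick.koller@pqr.com" <spam.host@domain.com>',
    '"patrick koller VNM" <spam.host@domain.com>',
    '"Alice Example" <alice@example.org>',  # constructed
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{matched_name(value)!s:16} {value}")
```

A match is only a signal that the display name resembles a protected name; mail from that person's legitimate address matches too, so pair the check with an exception list of known-good sender addresses.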