Cisco 300-720 - Securing Email with Cisco Email Security Appliance (300-720 SESA)

End user safelist is a feature that allows end users to specify email addresses or domains that they want to receive messages from, regardless of the spam verdict or action assigned by Cisco ESA. Messages from senders on the end user safelist are delivered to the end user’s inbox without any spam filtering.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 10-13.

To ensure that executive messages are originating from legitimate sending addresses, the administrator must take two steps:

Create an incoming content filter with the Forged Email Detection condition. This will allow the administrator to detect and block messages that have a forged “From: header” that matches or is similar to any of the names in a content dictionary.

Create a content dictionary including a list of the names that are being spoofed. This will allow the administrator to specify the names of the executives that are being targeted by spoofing attacks and use them in the Forged Email Detection condition. The other options are not relevant or sufficient for this task. References: [Cisco Secure Email Gateway Administrator Guide - Forged Email Detection] and [Cisco Secure Email Gateway Administrator Guide - Creating Content Dictionaries]

Non-final actions are actions that do not terminate the message filter evaluation, such as adding headers, setting variables, logging, etc. Final actions are actions that end the message filter evaluation and determine the fate of the message, such as accept, drop, bounce, quarantine, etc.

References: User Guide for AsyncOS 15.0 for Cisco Secure Email Gateway, page 3-4.

LDAP acceptance validation is a feature that allows the Cisco Secure Email Gateway to check if the recipient address of an incoming message exists in an LDAP directory before accepting it. This feature can help prevent spammers from sending emails with invalid recipient addresses and reduce the load on the appliance2. References = User Guide for AsyncOS 12.0 for Cisco Email Security Appliances - GD (General Deployment) - Configuring LDAP Queries [Cisco Secure Email Gateway] - Cisco

To meet the requirement of ensuring that emails received by company users that contain URLs do not make them susceptible to data loss from accessing malicious or undesired external content sources, the administrator must configure two features on Cisco Secure Email Gateway: antispam scanning and URL filtering. Antispam scanning can block or quarantine messages that are identified as spam based on various criteria, such as sender reputation, message content, and message headers. URL filtering can rewrite or defang URLs in messages that are associated with malicious or undesirable websites, such as phishing, malware, adult, or gambling sites. References: [Cisco Secure Email Gateway Administrator Guide - Configuring Antispam Scanning] and [Cisco Secure Email Gateway Administrator Guide - Configuring URL Filtering]

Disabling the Local Spam Quarantine to Activate the External Quarantine If you were using a local spam quarantine before enabling an external spam quarantine, you must disable the local quarantine in order to send messages to the external quarantine. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_0101010.html?bookSearch=true#con_1172419

To use DKIM for outbound email, the administrator must export the DNS TXT record from the Cisco Secure Email Gateway and provide it to the DNS registrar of the domain. This will allow the recipient servers to verify the DKIM signature of the email by querying the DNS record of the sender domain. References: [Cisco Secure Email Gateway Administrator Guide - Configuring DKIM Signing]

To combat backscatter, which is a type of spam that consists of bounce messages sent to forged sender addresses, the administrator must enable the Bounce Verification feature under Security Settings. This feature allows the appliance to verify whether a bounce message is legitimate or not by checking if the original message was sent from the appliance. If not, the bounce message is considered as backscatter and can be dropped or quarantined. References: [Cisco Secure Email Gateway Administrator Guide - Configuring Bounce Verification]

The default behavior of any listener for TLS communication is B. off. This means that TLS is not allowed for incoming connections to the listener and connections to the listener do not require encrypted Simple Mail Transfer Protocol (SMTP) conversations. This is stated in the web search result 1. To enable TLS for a listener, you need to configure the Use TLS option in the mail flow policy settings for the listener on the Mail Policies > HAT Overview page1. You can choose from three different settings for TLS: No, Preferred, or Required1.