Cisco ESA Bounce Verification

How Bounce Verification works on the Cisco ESA to protect your email infrastructure from a denial-of-service (DoS) attack.

The idea behind this kind of attack is that the attacker creates messages with the spoofed email address of a legitimate user, let's say joe@lab.pub, inserted into the envelope as the From: field.

The MTAs located outside are not responsible for the lab.pub domain, so they send a bounce message to the apparent sender, joe@lab.pub. The bounce messages will now have the RCPT field RCPT: joe@lab.pub. The Cisco ESA receives these bounce messages and propagates them inside your email infrastructure. This is bad: thousands of useless messages enter and bring down your email infrastructure.

Bounce Verification is a very cool feature. The idea is to tell the Cisco ESA to tag each outbound message or, more precisely, to modify the From field in the envelope, let's say from From: joe@lab.pub to From: prvs=123ABC@lab.pub. The 123ABC represents the tag and is unique. How is it possible to have a unique tag for each user? The tag is calculated by hashing the user and domain portions and, very importantly, a secret key.

If illegitimate bounce messages are seen on the listener of the Cisco ESA with RCPT: joe@lab.pub, the Cisco ESA drops these messages because the tag is missing.
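
The tag-and-check cycle described above, as an added Python example that is not from the original post and is not Cisco's implementation. The HMAC-SHA256 construction, the 10-character tag, the `prvs=<user>=<tag>@<domain>` layout (which keeps the user recoverable for delivery) and the key value are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the ESA's secret key
TAG_LEN = 10                          # assumption: truncated hex tag length


def make_tag(local, domain, key=SECRET_KEY):
    """Keyed hash over the user and domain portions of the address."""
    msg = f"{local}@{domain}".lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_LEN].upper()


def tag_sender(address, key=SECRET_KEY):
    """Rewrite the envelope sender of an outbound message."""
    local, _, domain = address.rpartition("@")
    return f"prvs={local}={make_tag(local, domain, key)}@{domain}"


def check_bounce_rcpt(rcpt, key=SECRET_KEY):
    """Return the original address for a validly tagged bounce, else None (drop)."""
    local_part, _, domain = rcpt.rpartition("@")
    if not local_part.startswith("prvs="):
        return None  # tag missing: the spoofed-sender case from the text
    local, sep, tag = local_part[len("prvs="):].rpartition("=")
    if not sep or not local:
        return None  # malformed tagged address
    expected = make_tag(local, domain, key)
    # Constant-time comparison so the check does not leak tag prefixes.
    if not hmac.compare_digest(tag.upper().encode(), expected.encode()):
        return None  # tag forged, or computed for another user/key
    return f"{local}@{domain}"


if __name__ == "__main__":
    outbound = tag_sender("joe@lab.pub")          # constructed sample address
    for rcpt in (outbound, "joe@lab.pub", "prvs=joe=0000000000@lab.pub"):
        verdict = check_bounce_rcpt(rcpt)
        print(f"RCPT: {rcpt:35} -> {'deliver to ' + verdict if verdict else 'drop'}")
```

Because the secret key is an input to the hash, a sender who knows only the user and domain cannot compute a tag that passes the check, and a tag issued for one user does not validate for another.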
