How to limit or alert based on the number of recipients in a single message MEG7.5

We have had several phishing attacks where internal email accounts are compromised. The attackers then use OWA to start spamming. We usually only identify this after 1000s of emails have gone out and we have been grey or black listed. When we had Ironmail we could alert and quarantine emails with too many recipients (like 50). We cannot see how to do that with MEG 7.5. Does anyone know how to do this, or at least get an alert at the increasing traffic?

We set up directory harvesting protection but that only kicks in after emails are getting rejected and by then we are listed.

Thanks in advance

Accepted Solutions
Re: How to limit or alert based on the number of recipients in a single message MEG7.5

Hi joe.lusk,

You can do this if you treat such messages with a large number of recipients as a compliance violation. You can define a dictionary in MEG under DLP Compliance that matches for e-mail addresses (a regex will do this), and define this dictionary as score-based.

On your outgoing policy, you can set compliance to trigger and quarantine if a given message has over a certain number of email addresses in the Envelope To field, according to what you think is an ideal threshold, and set this policy to accept and drop (silent block) and quarantine the actual message.

Hope this helps.

2 Replies
Re: How to limit or alert based on the number of recipients in a single message MEG7.5

Interesting way to accomplish this but it does work. The Cisco Ironport adds a feature to also look for the total number of recipients from a sender over a period of time. This way someone can do a mass emailing once in a while, but if we get a bunch all in a short span we can block/quarantine it. Is there anything like that in the MEG?
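
The two checks discussed in this thread, a per-message recipient threshold and a per-sender recipient total over a time window, as an added Python example that is not part of the original posts and is not MEG or IronPort configuration. The thresholds, window length, message tuple format and sample traffic are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Each address match adds 1 to the message score, like a score-based dictionary.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PER_MESSAGE_LIMIT = 50   # assumed threshold (the question mentions "like 50")
WINDOW_SECONDS = 600     # assumed sliding window length
WINDOW_LIMIT = 200       # assumed max recipients per sender per window

def recipient_score(envelope_to):
    """Count distinct addresses in an Envelope To string (case-insensitive)."""
    return len({a.lower() for a in ADDR_RE.findall(envelope_to)})

def evaluate(messages):
    """messages: (msg_id, epoch_seconds, sender, envelope_to), sorted by time.
    Returns a list of (msg_id, verdict)."""
    history = defaultdict(deque)  # sender -> deque of (time, score)
    totals = defaultdict(int)     # sender -> recipients inside the window
    verdicts = []
    for msg_id, ts, sender, envelope_to in messages:
        score = recipient_score(envelope_to)
        sender = sender.lower()
        window = history[sender]
        # Drop entries that have aged out of the sliding window.
        while window and window[0][0] <= ts - WINDOW_SECONDS:
            totals[sender] -= window.popleft()[1]
        window.append((ts, score))
        totals[sender] += score
        if score > PER_MESSAGE_LIMIT:
            verdicts.append((msg_id, "quarantine:per-message"))
        elif totals[sender] > WINDOW_LIMIT:
            verdicts.append((msg_id, "quarantine:sender-rate"))
        else:
            verdicts.append((msg_id, "deliver"))
    return verdicts

def sample_messages():
    """Constructed sample traffic (not real logs)."""
    def rcpts(n, tag):
        return ", ".join(f"user{i}@{tag}.example" for i in range(n))
    msgs = [("m1", 0, "alice@corp.example", rcpts(3, "a")),
            ("m2", 10, "bob@corp.example", rcpts(60, "b"))]
    msgs += [(f"c{k}", 60 * k, "carol@corp.example", rcpts(45, f"c{k}"))
             for k in range(5)]
    msgs.append(("c5", 2000, "carol@corp.example", rcpts(45, "late")))
    return sorted(msgs, key=lambda m: m[1])

if __name__ == "__main__":
    for msg_id, verdict in evaluate(sample_messages()):
        print(msg_id, verdict)
```

Messages that exceed the per-message limit still count toward the sender's window total, so a compromised account that mixes large and small sends reaches the rate limit sooner.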
