Anti-spoofing rule

Unanswered Question
Apr 5th, 2007

I am trying to create an anti-spoofing rule using the message filter feature.

It is like

if ( header("from") == "@*mydomain\\.com$" ) { apply anti-spoofing rules here; }

But the rough part is to be able to whitelist certain hosts, e.g., our partners.

For example:

AND ( header("Received") != "whitelist1|whitelist2...." )

Is there a better way to do this? My concern is that this will get very long and error prone over time.


sseinfosec Thu, 04/05/2007 - 16:16

I think the question is "what are you trying to achieve?"

jaigill Thu, 04/05/2007 - 18:58
User Badges:
  • Cisco Employee,

What if you add all your partner IP addresses/domains to a sendergroup called 'partner_whitelist'?

Next, you can modify your existing filter to bypass spoofing checks from partner domains:

if (( header("from") == "@*mydomain\\.com$" ) AND (sendergroup != 'partner_whitelist'))
{ apply anti-spoofing rules here; }
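
An added sketch (not part of the thread and not IronPort filter code) of the decision the filter above expresses, in Python, to show how the posted pattern behaves on look-alike domains and display-name From headers and how a separate allowlist keeps the rule short. Assumptions: the partner ranges are constructed documentation addresses, subdomains of mydomain.com count as internal, and the connecting IP is the partner's own host rather than an upstream relay.

```python
import ipaddress
import re
from email.utils import parseaddr

OWN_DOMAIN = "mydomain.com"  # placeholder domain used in the thread
# Constructed partner ranges (RFC 5737 documentation networks), standing in
# for the 'partner_whitelist' sender group.
PARTNER_WHITELIST = [ipaddress.ip_network(n)
                     for n in ("192.0.2.0/24", "198.51.100.17/32")]

# The pattern as posted: "@*" also matches zero "@" characters, so the domain
# is not tied to the "@", and "$" fails when the header ends in ">".
POSTED_PATTERN = re.compile(r"@*mydomain\.com$")

def claims_own_domain(from_header: str) -> bool:
    """True if the From address is in OWN_DOMAIN or one of its subdomains."""
    _, addr = parseaddr(from_header)          # strips display name and <>
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return domain == OWN_DOMAIN or domain.endswith("." + OWN_DOMAIN)

def in_partner_whitelist(client_ip: str) -> bool:
    """True if the connecting IP falls inside any allowlisted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in PARTNER_WHITELIST)

def is_spoof_candidate(from_header: str, client_ip: str) -> bool:
    """From claims our domain AND the sender is not an allowlisted partner."""
    return claims_own_domain(from_header) and not in_partner_whitelist(client_ip)

# Constructed samples: (From header, connecting IP)
SAMPLES = [
    ("Alice <alice@mydomain.com>", "203.0.113.9"),   # unknown host, our domain
    ("alice@mydomain.com", "192.0.2.44"),            # partner sending as us
    ("user@notmydomain.com", "203.0.113.9"),         # look-alike domain
    ("bob@example.org", "203.0.113.9"),              # unrelated sender
]

if __name__ == "__main__":
    for from_header, ip in SAMPLES:
        posted = POSTED_PATTERN.search(from_header) is not None
        print(f"{from_header!r:32} ip={ip:14} posted_regex={posted!s:5} "
              f"spoof_candidate={is_spoof_candidate(from_header, ip)}")
```
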

dbeste_ironport Fri, 04/06/2007 - 15:17

I would also have a look at Knowledge Base Article 115. This describes some of the risks and gives a short explanation. You will find a short filter, too.


jack_ironport Mon, 04/09/2007 - 20:51

I forgot to mention these boxes are not Internet-facing. Has anyone tried to use the dictionary?

