How to block incoming mail with internal domain as sender

Unanswered Question
Sep 18th, 2007

Hi all,
Ironport accept incoming mail to internal domains defined in the RAT without verify the sender domain is the same internal domain.
To avoid this I have used a message filter to drop those mails. I can't use the bounce command to avoid to be considered a spammer.
Is there a way to reject those mails with a 5xx error message?
Thanks in advance.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jloehler_ironport Tue, 09/18/2007 - 11:57

Hi Andrea,
do try to avoid domain spoofing? If so, think about using exception lists. Put your own domains in the exception with rject (you can define the errorcode) and activate the lists in the sendergroups.

That works fine for us.


jbivens_ironport Tue, 09/18/2007 - 13:25


jloehler is absolutely correct, when I configure appliances (personally I use a 1 listener config) I set the Default Mailflow Policy to Use the Exception Table ("On") and insure that all incoming mail policies (anything with the ACCEPT action) is set to "Use Default" for this parameter. Then I double check to insure that the RELAY policy is set to "Off" because you don't want to reject outbound messages due to the Exception Table.

Once I've verified that the RELAY is off and Inbound policies are "On" I then populate my exception table with all the internal domains and specify the reject action. Now a quick take away is that the Exception Table only performs the rejection based on the SMTP MAIL FROM not the "From:" header internal to the message itself.

Now with all that said it never fails that there is some internal group that uses 3rd party marketing which spoofs the internal domains so I usually create a new incoming mail flow policy with the Exception Table turned "Off" and create a Sender Group call DOMAINSPOOFLIST which are IPs and Domain names that I allow to spoof internal e-mail addresses with the new mail policy assigned to it.

And that's it.


Jay Bivens
IronPort Systems

oussamaghanem Fri, 06/07/2013 - 23:18

there is another Solution,Tested successfully on my environment:

Add a new filter script to the ironport to drop such type of spoof attack

Use a terminal console session to access the Appliance



spoof: if (mail-from == "@Domain\\.com$")

and (rcpt-to =="@Domain\\.com$")







Enrico Werner Mon, 06/10/2013 - 03:57

Here is some more information about the Anti-Spoofing message filter. The advantage here is that the filter is able to check on the 'From:' header. The exception list only checks data in the MAIL FROM  command.

Article #115: How do I stop people from spoofing mail from my domain? Link:




This Discussion