spoofed email address

Unanswered Question
Sep 22nd, 2008

How do I prevent someone from spoofing my email address back to my domain?

kluu_ironport Mon, 09/22/2008 - 23:58

You can create an incoming content filter that detects if the Envelope Sender is from your domain and then the action can be to quarantine it to the "Policy" quarantine.

The filter will look like this:


Filter Name: Send-spoofed-domains-to-Policy-quarantine

Conditions:
mail-from == "@yourdomain.com$"

Actions:
quarantine ("Policy")


Once you've created the incoming content filter, go to "Mail Policies > Incoming Mail Policies". Click on the "Content filter" for the Default policy and enable the filter.

So, what this will do is detect if the FROM address is coming from your domain and, if so, send the message to the Policy quarantine (Monitor > Quarantine) so that the administrator can inspect it at a later time and release it if needed.


arnaudbesnard Thu, 09/25/2008 - 12:13

Hi,

The problem with the previous solution is that the size of the policy quarantine is very small, and a lot of spoofed emails are detected. For me there is no sense in storing invalid email.

You can enable your domain in the "Exception table" section, and you can customize the response sent after a spoofed domain is detected. You can also choose not to send feedback to the sending server.

I think this procedure is more stable, and it has no effect on the appliance's processing.

buzz_ironport Thu, 09/25/2008 - 15:57

Hi

For a small number of domains it's possible to make some rules in a content filter.
But if you have many incoming policies with a couple of hundred domains to manage, it will be difficult.

We have the same problem.


Buzz

Donald Nash Fri, 09/26/2008 - 17:42

But if you have many Incoming Policies with couple of hundred Domains to Manage it will be difficult.

You can hold the list of your own domains in either a content dictionary or an LDAP directory. Either way will prevent you from having to modify the content filter each time you need to change the list.

oukjohna_ironport Tue, 09/30/2008 - 18:42

This is what I mean by spoofed email. For example, let's say someone is using my email address to send to someone else, and I would get an undelivered notice from the mail delivery system or administrator.

See below:

Mail Delivery System [mailto:[email protected]]
Sent: Tuesday, September 23, 2008 2:47 PM
To: [email protected]
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mx1.dvknet.ru.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

I never sent an email to mx1.dvknet.ru.

How do I prevent this or block it on the IronPort?

kluu_ironport Tue, 09/30/2008 - 19:49

Sounds like you would benefit from the "bounce verification" feature of the AsyncOS.

Go to the Support Portal and download a copy of the AsyncOS Advanced User Guide. Search for "IRONPORT BOUNCE VERIFICATION" and it will explain this feature in more detail.

To use bounce verification, you'll need to make sure outbound messages going to the Internet go through the IronPort appliance. This is needed so that the IronPort can "stamp" the outgoing message so that it will know that it was the system that delivered the message. Then, when a bounce message comes back, the IronPort will look for that stamp.

If it finds the stamp on the bounce message, then it'll know it was the original sender of the message.

If there's no stamp, then it's a fake bounce and you can act accordingly for a fake bounce. The Advanced User Guide goes into more detail.

Let me know if this feature would help you.

-kevin
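
The stamping idea described in the reply above, sketched as an added example (not part of the original thread and not IronPort's actual tag format): a BATV-style keyed tag is written into the outbound envelope sender and checked on incoming null-sender bounces. The secret, the `prvs=` tag layout, the seven-day lifetime and the function names are all assumptions.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # assumption: secret known only to the outbound gateway
LIFETIME_DAYS = 7                 # assumption: how long a stamp stays valid
TAG_RE = re.compile(r"^prvs=(\d{3})([0-9a-f]{8})=([^@]+)@(.+)$")


def _mac(expiry: int, address: str) -> str:
    """Keyed digest binding the stamp to one address and one expiry day."""
    data = f"{expiry:03d}{address.lower()}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:8]


def stamp_sender(address: str, today: int) -> str:
    """Outbound: rewrite the envelope sender so it carries the stamp."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + LIFETIME_DAYS) % 1000
    return f"prvs={expiry:03d}{_mac(expiry, address)}={local}@{domain}"


def verify_bounce(mail_from: str, rcpt_to: str, today: int):
    """Inbound: classify a message; returns (verdict, unstamped recipient)."""
    if mail_from != "":  # real bounces (DSNs) use the null envelope sender <>
        return ("not-a-bounce", rcpt_to)
    match = TAG_RE.match(rcpt_to.lower())
    if match is None:
        return ("fake-bounce", rcpt_to)  # bounce to an address we never stamped
    expiry, mac, local, domain = match.groups()
    address = f"{local}@{domain}"
    if not hmac.compare_digest(mac, _mac(int(expiry), address)):
        return ("fake-bounce", address)  # stamp forged or moved to another address
    if (int(expiry) - today) % 1000 > LIFETIME_DAYS:
        return ("expired", address)
    return ("genuine-bounce", address)


if __name__ == "__main__":
    day = 100  # constructed day counter (days since an arbitrary epoch, mod 1000)
    stamped = stamp_sender("user@example.com", day)
    print(stamped)
    print(verify_bounce("", stamped, day + 3))             # genuine-bounce
    print(verify_bounce("", "user@example.com", day + 3))  # fake-bounce
```

A bounce like the one quoted earlier in the thread, addressed to the plain unstamped address, falls into the `fake-bounce` branch because the original message never passed through the stamping gateway.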
