How to create anti-spoof rules with exception

Hello all,

I'm a beginner with Ironport and I need to create rules for specific cases.

I manage many mail domains and I want to create an anti-spoof rule with a message filter. Easy to do with a dictionary containing all my mail domains.

But I have some mail addresses of external applications that need to be sent with my mail domains.

For example, I receive acknowledgement mails sent with the no-reply@example.com address, and example.com is a domain accepted and managed by my enterprise. So if I activate my anti-spoof rule, all external no-reply@example.com mail will be dropped.

For example, I tried this rule with no success:

Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND (mail-from-dictionary-match("Bypass_Sender", 0)) {
    drop();
}

I tried this rule too:

Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND ((mail-from != "^no-reply@example.com$") OR (mail-from != "^purchase-validation@domain2.com$") OR (mail-from != "@ack.mydomain.com$")) {
    drop();
}

Have you got any tips or advice to answer my funny case?
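To see why both posted attempts drop the legitimate no-reply mail, the following Python model evaluates the filter booleans against sample envelope senders. This is an added example, not code from the original post or from Cisco, and it rests on labelled assumptions: that mail-from-dictionary-match(dict, N) is true when the sender matches at least N dictionary entries (so a threshold of 0 is always true and does not negate the test), that negation in AsyncOS filter syntax is written with NOT, and that mail-from != "regex" is a regular-expression mismatch. The dictionaries and senders are constructed for the example; the recv-listener test is left out because it is constant for inbound mail.

```python
import re

# Constructed stand-ins for the appliance dictionaries "My_Domains" and "Bypass_Sender".
# Domain patterns are anchored on the domain only, so subdomains such as ack.mydomain.com match.
MY_DOMAINS = [r"example\.com$", r"domain2\.com$", r"mydomain\.com$"]
BYPASS_SENDER = [
    r"^no-reply@example\.com$",
    r"^purchase-validation@domain2\.com$",
    r"@ack\.mydomain\.com$",
]


def dictionary_match(sender, dictionary, threshold=1):
    """Model of mail-from-dictionary-match(): true when at least `threshold`
    dictionary entries match the envelope sender (assumed semantics)."""
    hits = sum(1 for pattern in dictionary if re.search(pattern, sender))
    return hits >= threshold


def posted_rule_1(sender):
    """First attempt from the question. The Bypass_Sender test uses threshold 0,
    so it is satisfied by every sender and the exception never takes effect."""
    return dictionary_match(sender, MY_DOMAINS, 1) and dictionary_match(sender, BYPASS_SENDER, 0)


def posted_rule_2(sender):
    """Second attempt. A chain of != tests joined with OR is true for any sender,
    because every sender mismatches at least one of the three exception patterns."""
    mismatches = [not re.search(pattern, sender) for pattern in BYPASS_SENDER]
    return dictionary_match(sender, MY_DOMAINS, 1) and any(mismatches)


def corrected_rule(sender):
    """Drop only when the sender claims one of our domains AND is NOT a known
    exception. In filter syntax (assumption) this is:
        ... AND NOT (mail-from-dictionary-match("Bypass_Sender", 1))"""
    return dictionary_match(sender, MY_DOMAINS, 1) and not dictionary_match(sender, BYPASS_SENDER, 1)


def evaluate_all(sender):
    """Return the drop decision of each rule for one envelope sender."""
    return {
        "posted_1": posted_rule_1(sender),
        "posted_2": posted_rule_2(sender),
        "corrected": corrected_rule(sender),
    }


if __name__ == "__main__":
    for s in ["no-reply@example.com", "spoofer@example.com",
              "bot@ack.mydomain.com", "outside@other.org"]:
        print(s, evaluate_all(s))
```

Running it shows that both posted rules drop no-reply@example.com and bot@ack.mydomain.com along with the real spoof, while the corrected rule keeps the two exceptions and still drops spoofer@example.com.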

2 Replies

Why not use the Sender Verification Exception Table? It works out pretty well for me. You can even build an MF policy if you want to allow anyone to actually spoof your domain. ;-)

steven_geerts (Level 1)

Hello,

We use the following message filter to earmark spoofed messages with an X-Header (which we later use for reporting, since we told Ironport to log this specific header):

Spoofed_Email_Filter: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("dict_internaldomains", 1)) {
    insert-header("X-Spoofed", "from[$EnvelopeFrom]_To[$EnvelopeRecipients]_IP[$RemoteIP]_rep[$Reputation]");
}


The one drawback is that we need to maintain the dictionary "dict_internaldomains". If we forget to add a new domain to this list, it will never be detected as spam.
A good new message filter functionality would be a "mail-from-rat-match", which would allow you to use the RAT table(s) as a dictionary.

We plan to solve this by moving the RAT to LDAP and query that same LDAP as dictionary. (If only I had time to test it) :D

Good luck,

Steven
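Steven's filter only tags the message; the reporting side has to parse the X-Spoofed value back into fields. The following parser and per-IP summary is an added example, not code from Steven's post or from Cisco. It assumes the header value has exactly the shape the insert-header() format string produces, that $EnvelopeRecipients expands to a comma-separated list, that none of the expanded variables contains a literal "]", and that a missing reputation score is rendered as non-numeric text. The header values are constructed; how the appliance writes the logged header into mail_logs is not shown in the thread, so the example takes the raw values directly.

```python
import re
from typing import Optional

# Layout of the value that Steven's filter inserts:
#   from[$EnvelopeFrom]_To[$EnvelopeRecipients]_IP[$RemoteIP]_rep[$Reputation]
_SPOOFED_RE = re.compile(
    r"^from\[(?P<envelope_from>[^\]]*)\]"
    r"_To\[(?P<recipients>[^\]]*)\]"
    r"_IP\[(?P<remote_ip>[^\]]*)\]"
    r"_rep\[(?P<reputation>[^\]]*)\]$"
)

# Constructed header values, as the reporting job would read them.
SAMPLE_HEADERS = [
    "from[attacker@example.com]_To[alice@example.com,bob@example.com]_IP[203.0.113.5]_rep[-7.2]",
    "from[no-reply@example.com]_To[carol@example.com]_IP[198.51.100.9]_rep[3.1]",
    "from[ceo@example.com]_To[finance@example.com]_IP[203.0.113.5]_rep[none]",
    "not-a-spoof-header",
]


def parse_spoof_header(value: str) -> Optional[dict]:
    """Split one X-Spoofed value into its fields; None when it does not match the layout."""
    m = _SPOOFED_RE.match(value.strip())
    if not m:
        return None
    try:
        reputation = float(m.group("reputation"))
    except ValueError:
        reputation = None  # no SenderBase score available (assumed rendering)
    recipients = [r.strip() for r in m.group("recipients").split(",") if r.strip()]
    return {
        "envelope_from": m.group("envelope_from"),
        "recipients": recipients,
        "remote_ip": m.group("remote_ip"),
        "reputation": reputation,
    }


def summarize(values):
    """Group tagged messages by connecting IP: count, distinct claimed senders,
    and the lowest reputation seen. Unparseable values are counted, not dropped silently."""
    report = {"by_ip": {}, "unparsed": 0}
    for value in values:
        rec = parse_spoof_header(value)
        if rec is None:
            report["unparsed"] += 1
            continue
        entry = report["by_ip"].setdefault(
            rec["remote_ip"], {"count": 0, "senders": set(), "min_reputation": None}
        )
        entry["count"] += 1
        entry["senders"].add(rec["envelope_from"])
        rep = rec["reputation"]
        if rep is not None and (entry["min_reputation"] is None or rep < entry["min_reputation"]):
            entry["min_reputation"] = rep
    for entry in report["by_ip"].values():
        entry["senders"] = sorted(entry["senders"])
    return report


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_HEADERS)["by_ip"].items():
        print(ip, entry)
```

Grouping by $RemoteIP is what turns the tag into something actionable: a single connecting host claiming several of your own sender addresses stands out immediately, and the lowest reputation per host is a quick way to rank which ones to look at first.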
