09-30-2009 05:51 PM
Hello all,
I'm a beginner with Ironport and I need to create rules for specific cases.
I manage many mail domains and I want to create an anti-spoof rule with message filter. Easy to do with a dictionnary containing all my mail domains.
But I have some mail addresses with external applications that need to be send with my mail domains.
For example, I receive acknowledge mails sent with no-reply@example.com address and example.com is an domain accepted and managed by my enterprise. So if I activate my anti-spoof rule, all external no-reply@example.com mail will be dropped.
For example I tried this rule with no success :
Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND (mail-from-dictionary-match("Bypass_Sender", 0)){
drop();
}
I tried this rule too :
Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND ((mail-from !="^no-reply@example.com$") OR (mail-from !="^purchase-validation@domain2.com$") OR (mail-from !="@ack.mydomain.com$")){
drop();
}
Have you got any tips or advice to answer my funny case ?
09-30-2009 09:48 PM
Why not use Sender Verification Exception Table, works out pretty good for me. You can even build and MF policy if you want to allow any one to actually spoof your domain. ;-)
10-30-2009 10:09 PM
Hello,
We use the following message filter to ear-mark spoofed messages with an X-Header (which we later use for reporting since we told Ironport to log this specific header)
Spoofed_Email_Filter: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("dict_internaldomains", 1)) {
insert-header("X-Spoofed", "from[$EnvelopeFrom]_To[$EnvelopeRecipients]_IP[$RemoteIP]_rep[$Reputation]");
}
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide