sender check for outgoing mail

Unanswered Question
Apr 27th, 2010
Hi,


I want to enable sender check on all outgoing mail, i.e. IronPort should check if the from address is listed in my LDAP.

This is required because a spammer is sending mails by compromising legitimate users' credentials and sending mail through our setup.

All the spam mails which are quarantined on IronPort have invalid from addresses.



Thanks in advance.


Regards,

HOmesh

pirato1428 Wed, 04/28/2010 - 07:31
I am not sure if you can use LDAP to verify users, but I know you can enable sender verification on your $RELAYED mail flow policy. This will check for you whether the mail-from address i) is from a valid domain, ii) the domain is resolvable and iii) the address is not malformed. This works in most situations and would work for you, unless of course the spammers are actually using your real domain with invalid users.

Thinking off the top of my head, you probably could use a content filter with LDAP and say if mails are not from any of your users (or groups), just drop the mails. This of course has a performance impact. If you go this route, just make sure it's an outgoing mail content filter, and please test before implementing.

Regards

spangler79 Wed, 04/28/2010 - 07:42
We use an LDAP group lookup from our IronPort appliance against our LDAP directory to achieve this and it works very well... we only allow some addresses to send outbound email. We call the LDAP group query from an outgoing mail policy. If the sender doesn't match that policy, it falls through to the default policy, which bounces the email. You can use additional policies higher up the priority list to allow any other type of mail you want to allow.


I'd think you should also review your mail policies further and close your open relay hole.
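The two approaches above (a content filter that drops mail whose sender is not in the directory, and an ordered list of outgoing mail policies where a non-matching sender falls through to a bouncing default) can be modelled in a few lines. The following is an added illustration, not the appliance's own configuration or code from either poster: the directory contents, local domain list, policy names and the outbound records are all constructed for the example, and the LDAP group lookup is replaced by a set lookup. It also tallies bounces per authenticated user, which is the signal the original question is after (a legitimate account suddenly sending as addresses that do not exist).

```python
import re
from email.utils import parseaddr

# Constructed stand-in for the LDAP group query: the addresses the
# directory would return as permitted senders (assumption, not a real directory).
DIRECTORY = {"alice@example.com", "bob@example.com", "noreply@example.com"}
LOCAL_DOMAINS = {"example.com"}  # constructed: domains this appliance speaks for

# Loose local-part@domain syntax check (malformed-address test).
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def sender_of(from_header):
    """Extract the bare, lower-cased address from a From header value."""
    _, addr = parseaddr(from_header)
    return addr.lower()


def well_formed(addr):
    return bool(ADDRESS_RE.match(addr))


def is_local_domain(addr):
    return addr.rpartition("@")[2] in LOCAL_DOMAINS


def in_directory(addr):
    return addr in DIRECTORY


# Ordered outgoing policies: the first rule whose matcher returns True wins.
# The final catch-all is the default that bounces anything not explicitly
# allowed, which is the fall-through behaviour described in the post.
POLICIES = [
    ("allow-directory-senders",
     lambda a: well_formed(a) and is_local_domain(a) and in_directory(a),
     "deliver"),
    ("malformed-sender", lambda a: not well_formed(a), "bounce"),
    ("foreign-domain-sender", lambda a: not is_local_domain(a), "bounce"),
    ("default", lambda a: True, "bounce"),
]


def outbound_decision(from_header):
    """Return (action, policy_name) for one outgoing message's From header."""
    addr = sender_of(from_header)
    for name, matches, action in POLICIES:
        if matches(addr):
            return action, name
    return "bounce", "default"  # unreachable while a catch-all exists


# Constructed (authenticated user, From header) pairs; not real log data.
SAMPLE_OUTBOUND = [
    ("alice", "Alice <alice@example.com>"),
    ("bob", "bob@example.com"),
    ("bob", "Prize Desk <winner9921@example.com>"),
    ("bob", "Lottery <claims@example.com>"),
    ("carol", "carol@partner.example"),
    ("bob", "not an address"),
]


def bounced_per_user(records):
    """Count bounced submissions per authenticated user.

    A legitimate account that suddenly accumulates bounces for senders not in
    the directory is the pattern the original question describes.
    """
    counts = {}
    for user, from_header in records:
        action, _ = outbound_decision(from_header)
        if action == "bounce":
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for user, hdr in SAMPLE_OUTBOUND:
        print(user, repr(hdr), "->", outbound_decision(hdr))
    print("bounces per user:", bounced_per_user(SAMPLE_OUTBOUND))
```

Policy order matters exactly as it does on the appliance: the allow rule sits first so that a valid directory sender never reaches the bouncing default, and the specific bounce reasons are only there to make the per-user tally explain itself.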

Jussi Torhonen Fri, 04/30/2010 - 04:41
Deploying SPF (Sender Policy Framework) might decrease such incoming mail traffic that uses your email domain namespace for forged senders in SMTP envelopes.


http://en.wikipedia.org/wiki/Sender_Policy_Framework


To deploy SPF using its strictest policy, you must be able to declare the legitimate sources from which mail from your domain can originate: IP source addresses, netblocks, FQDN names, reverse domains, etc.

If you have one single (or clustered) C-series mail router in the DMZ and all the mail traffic from @yourdomain.com can be routed outbound via these C-series boxes only, then you can set up your SPF records so that only your C-series box(es) are legitimate mail sources.

If you use RFC 1918 private addressing internally, that's it.

If you use public, routable IP addressing internally, you might need to add that network into your SPF record, but it depends how the mail traffic is routed there.

Then configure your IronPort C-series appliances to use SPF. If you have inbound forged mail coming in, and if the source IP address of the SMTP peer is not listed in your SPF records, and if you use the strictest SPF policy, your C-series appliances will reject these inbound connections.
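To make concrete what the appliance does when it evaluates a strict SPF record, here is an added example (not part of the post above and not Cisco's implementation) of a small SPF evaluator. It uses a constructed in-memory DNS table in place of real lookups, so the domains, addresses and records are all assumptions; it supports the ip4, ip6, a, mx, include and all mechanisms with the four qualifiers, and returns the SPF result the receiving side would act on. With `-all` at the end, a peer whose address is not covered by any mechanism gets "fail", which is the case the post describes as a rejected connection.

```python
import ipaddress

# Constructed DNS data standing in for live resolution (assumption: an
# offline stand-in, not the appliance's resolver). The record for
# example.com says: our /24 in the DMZ, our MX hosts, an included relay
# provider, and hard-fail everything else.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.relay.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.relay.example": {"TXT": ["v=spf1 ip6:2001:db8::/32 -all"]},
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def _host_addresses(host):
    return [ipaddress.ip_address(a) for a in lookup(host, "A") + lookup(host, "AAAA")]


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for SMTP peer `ip`.

    Returns (result, reason); result is one of pass, fail, softfail,
    neutral, none or permerror.
    """
    if depth > 10:
        return "permerror", "too many include levels"
    record = spf_record(domain)
    if record is None:
        return "none", f"no SPF record for {domain}"
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address is never "in" a v6 network and vice versa.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", f"bad network in {term}"
        elif name == "a":
            matched = addr in _host_addresses(arg or domain)
        elif name == "mx":
            matched = any(addr in _host_addresses(mx) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            # Simplification: only a "pass" from the included domain matches;
            # a real evaluator also maps the included domain's errors.
            sub_result, _ = check_spf(ip, arg, depth + 1)
            matched = sub_result == "pass"
        else:
            return "permerror", f"unsupported mechanism {name}"

        if matched:
            return RESULT_BY_QUALIFIER[qualifier], f"matched {qualifier}{term} in {domain}"
    return "neutral", f"no mechanism matched in {domain}"


if __name__ == "__main__":
    for peer in ("203.0.113.7", "198.51.100.25", "2001:db8::1", "192.0.2.1"):
        print(peer, "->", check_spf(peer, "example.com"))
```

The order of mechanisms is the order the evaluator tries them, so the cheap `ip4:` match comes first and the `-all` terminator is what turns "nothing matched" into a hard fail; with `~all` instead, the same peer would get "softfail", which most receivers only use to add spam score rather than to reject.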
