Anti-spoofing rule

jack_ironport
Level 1

I am trying to create an anti-spoofing rule using the message filter feature.

It is like

if ( header("from") == "@*mydomain\\.com$" ) { apply anti-spoofing rules here; }

But the rough part is to be able to whitelist certain hosts, e.g., our partners.

For example:

AND ( header("Received") != "whitelist1|whitelist2...." )

Is there a better way to do this? My concern is that this will get very long and error prone over time.


Thanks,
Jack

5 Replies

sseinfosec
Level 1

I think the question is "what are you trying to achieve?"

jaigill
Cisco Employee

What if you add all your partner IP addresses/domains to a sender group called 'partner_whitelist'?

Next, you can modify your existing filter to bypass spoofing checks from partner domains:

if (( header("from") == "@*mydomain\\.com$" ) AND (sendergroup != 'partner_whitelist'))
{ apply anti-spoofing rules here; }
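
The logic of that filter, as an added Python simulation that is not part of this thread or of AsyncOS: a message is flagged as spoofed when its From address claims the protected domain and the connecting IP is not in the partner sender group. It assumes the sender group is keyed on the connecting host's IP (as ESA HAT sender groups are), uses constructed sample messages, and anchors the domain match on "@" so look-alike domains such as notmydomain.com do not pass as internal.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample data: the protected domain and a 'partner_whitelist'
# sender group expressed as IP networks (assumed values, not from the thread).
PROTECTED_DOMAIN = "mydomain.com"
PARTNER_WHITELIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

# Anchor on "@" and escape the domain: "notmydomain.com" must not match.
FROM_PATTERN = re.compile(r"@" + re.escape(PROTECTED_DOMAIN) + r"$", re.IGNORECASE)


def from_address(headers):
    """Return the bare address from a From header like 'Jack <jack@mydomain.com>'."""
    raw = headers.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw).strip()


def in_sender_group(connecting_ip, group):
    """True when the connecting IP falls inside any network of the sender group."""
    ip = ip_address(connecting_ip)
    return any(ip in net for net in group)


def is_spoofed(headers, connecting_ip):
    """Mirror of the filter: From claims our domain AND sender is not a partner."""
    claims_our_domain = FROM_PATTERN.search(from_address(headers)) is not None
    return claims_our_domain and not in_sender_group(connecting_ip, PARTNER_WHITELIST)


# Constructed sample messages: (label, headers, connecting IP)
SAMPLES = [
    ("partner relay", {"From": "Alice <alice@mydomain.com>"}, "203.0.113.10"),
    ("unknown sender", {"From": "ceo@mydomain.com"}, "192.0.2.55"),
    ("look-alike domain", {"From": "it@notmydomain.com"}, "192.0.2.55"),
    ("external, fine", {"From": "bob@example.org"}, "192.0.2.55"),
]


def evaluate(messages):
    """Return [(label, spoofed)] for each sample message."""
    return [(label, is_spoofed(h, ip)) for label, h, ip in messages]


if __name__ == "__main__":
    for label, spoofed in evaluate(SAMPLES):
        print(f"{label:18s} -> {'SPOOF' if spoofed else 'ok'}")
```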

dbeste_ironport
Level 1

I would also have a look at Knowledge Base Article 115. This describes some of the risks and gives a short explanation. You will find a short filter there, too.

Dirk

jack_ironport
Level 1

I forgot to mention these boxes are not internet facing. Has anyone tried to use the dictionary?

jaigill
Cisco Employee

Dictionary matching should work as well.

The following example matches an email address in the "to" header and blind copies an administrator:

headerTest:
if (header-dictionary-match ('', 'to')){
bcc('administrator@example.com');
}
