How to block incoming mail with internal domain as sender

andrea.donaggio
Level 1

Hi all,
IronPort accepts incoming mail to internal domains defined in the RAT without verifying that the sender domain is the same internal domain.
To avoid this I have used a message filter to drop those mails. I can't use the bounce command, to avoid being considered a spammer.
Is there a way to reject those mails with a 5xx error message?
Thanks in advance.
Regards,
Andrea

5 Replies

Hi Andrea,
Do you try to avoid domain spoofing? If so, think about using exception lists. Put your own domains in the exception list with reject (you can define the error code) and activate the lists in the sender groups.

That works fine for us.

Cheers,
Joerg

Securegroup,

jloehler is absolutely correct. When I configure appliances (personally I use a 1 listener config) I set the Default Mailflow Policy to Use the Exception Table ("On") and ensure that all incoming mail policies (anything with the ACCEPT action) are set to "Use Default" for this parameter. Then I double check to ensure that the RELAY policy is set to "Off" because you don't want to reject outbound messages due to the Exception Table.

Once I've verified that the RELAY is off and Inbound policies are "On" I then populate my exception table with all the internal domains and specify the reject action. Now a quick take away is that the Exception Table only performs the rejection based on the SMTP MAIL FROM not the "From:" header internal to the message itself.

Now with all that said, it never fails that there is some internal group that uses 3rd party marketing which spoofs the internal domains, so I usually create a new incoming mail flow policy with the Exception Table turned "Off" and create a Sender Group called DOMAINSPOOFLIST, which contains the IPs and domain names that I allow to spoof internal e-mail addresses, with the new mail policy assigned to it.

And that's it.

Sincerely,

Jay Bivens
IronPort Systems

andrea.donaggio
Level 1

Thanks to all. It works :D
Regards,
Andrea

oussamaghanem
Level 1

There is another solution, tested successfully in my environment:

Add a new filter script to the IronPort to drop this type of spoof attack

Use a terminal console session to access the Appliance

Filters

NEW

spoof: if (mail-from == "@Domain\\.com$") and (rcpt-to == "@Domain\\.com$")
{
    drop();
}
.

Commit

.

Enrico Werner
Cisco Employee

Here is some more information about the Anti-Spoofing message filter. The advantage here is that the filter is able to check on the 'From:' header. The exception list only checks data in the MAIL FROM command.

Article #115: How do I stop people from spoofing mail from my domain? Link: http://tools.cisco.com/squish/D5D5E

Regards,

Enrico
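
Added example (not part of the thread and not Cisco code): a small Python model of the two checks discussed above, showing which constructed messages an envelope-only check (MAIL FROM, as the Exception Table does) rejects and which are only caught by also checking the 'From:' header. The domain `example.com`, the `203.0.113.0/28` network standing in for DOMAINSPOOFLIST, and all function names are assumptions for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumed placeholders, not values from the thread.
INTERNAL_DOMAINS = {"example.com"}
DOMAINSPOOFLIST = [ipaddress.ip_network("203.0.113.0/28")]  # approved third-party senders


def domain_of(address):
    """Return the lower-cased domain of an address, or '' (e.g. for the null sender <>)."""
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].strip("<> ").lower()


def evaluate(remote_ip, mail_from, raw_message):
    """Return 'accept', 'reject-envelope' or 'reject-header' for one inbound message."""
    ip = ipaddress.ip_address(remote_ip)
    if any(ip in net for net in DOMAINSPOOFLIST):
        return "accept"  # sender group whose policy has the check turned off
    if domain_of(mail_from) in INTERNAL_DOMAINS:
        return "reject-envelope"  # all an envelope-only check can see
    # The From: header is inside the message data, so only a content check sees it.
    from_header = message_from_string(raw_message).get("From", "")
    if domain_of(parseaddr(from_header)[1]) in INTERNAL_DOMAINS:
        return "reject-header"
    return "accept"


# Constructed samples: (remote IP, SMTP MAIL FROM, message text)
SAMPLES = [
    ("198.51.100.7", "<ceo@example.com>", "From: ceo@example.com\nSubject: a\n\nhi"),
    ("198.51.100.7", "<x@mailer.invalid>", "From: CEO <ceo@example.com>\nSubject: b\n\nhi"),
    ("203.0.113.5", "<news@example.com>", "From: news@example.com\nSubject: c\n\nhi"),
    ("198.51.100.7", "<alice@partner.test>", "From: alice@partner.test\nSubject: d\n\nhi"),
    ("198.51.100.7", "<>", "From: MAILER-DAEMON@partner.test\nSubject: e\n\nhi"),
]


def run_samples():
    """Evaluate every constructed sample and return the verdicts in order."""
    return [evaluate(ip, sender, msg) for ip, sender, msg in SAMPLES]


if __name__ == "__main__":
    for (ip, sender, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{ip:15} {sender:24} {verdict}")
```

The second sample is the case Jay and Enrico point out: the envelope sender is external, so only the header check flags it.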
