Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

How to create anti-spoof rules with exception

Hello all,

I'm a beginner with Ironport and I need to create rules for specific cases.

I manage many mail domains and I want to create an anti-spoof rule with message filter. Easy to do with a dictionnary containing all my mail domains.

But I have some mail addresses with external applications that need to be send with my mail domains.

For example, I receive acknowledge mails sent with no-reply@example.com address and example.com is an domain accepted and managed by my enterprise. So if I activate my anti-spoof rule, all external no-reply@example.com mail will be dropped.

For example I tried this rule with no success :
Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND (mail-from-dictionary-match("Bypass_Sender", 0)){
drop();
}
I tried this rule too :
Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND ((mail-from !="^no-reply@example.com$") OR (mail-from !="^purchase-validation@domain2.com$") OR (mail-from !="@ack.mydomain.com$")){
drop();
}

Have you got any tips or advice to answer my funny case ?

2 REPLIES

Sender Verification Exception Table

Why not use Sender Verification Exception Table, works out pretty good for me. You can even build and MF policy if you want to allow any one to actually spoof your domain. ;-)

New Member

Re: How to create anti-spoof rules with exception

Hello,

We use the following message filter to ear-mark spoofed messages with an X-Header (which we later use for reporting since we told Ironport to log this specific header)


Spoofed_Email_Filter: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("dict_internaldomains", 1)) {
insert-header("X-Spoofed", "from[$EnvelopeFrom]_To[$EnvelopeRecipients]_IP[$RemoteIP]_rep[$Reputation]");
}


The one drawback is that we need to maintain the Dictionary "dict_internaldomains". If we forget to add a new domain to this list it will never be detected as spam.
A good new message filter functionality would be to be able to do a "mail-from-rat-match" which would allow you to use the RAT tables(s) as dictionary.

We plan to solve this by moving the RAT to LDAP and query that same LDAP as dictionary. (If only I had time to test it) :D

Good luck,

Steven

1373
Views
0
Helpful
2
Replies