How to block Spoofing
Posted by Michael Filip, Last modified by Milan Sykora on 30 June 2017 01:27 AM

In some cases spambots use a technique where the envelope sender ("SMTP MAIL FROM") differs from the "From:" message header in order to mask a spoofed message. See the following example SMTP session:

220 127.0.0.1 ESMTP IceWarp 10.4.5; Thu, 04 Apr 2013 09:59:04 +0200
helo mail.yourdomain.com
250 127.0.0.1 Hello spammer [127.0.0.1], pleased to meet you.
mail from: spammer@domain.com
250 2.1.0 <spammer@domain.com>... Sender ok
rcpt to:user@yourdomain.com
250 2.1.5 <user@yourdomain.com>... Recipient ok; will forward
data
354 Enter mail, end with "." on a line by itself
from: user@yourdomain.com
SOME DATA
.
250 2.6.0 35 bytes received in 00:00:23; Message id 201304041000050002 accepted for delivery

The message is then delivered to the recipient as if it came from user@yourdomain.com:

[Screenshot: WebClient View of the received message]

You can block this abuse by creating a simple content filter in the IceWarp Administration console under Mail - Rules - Content Filters:

! Where Session is trusted
    AND ! Where From: message header matches %%Sender_Email%%
    AND ! Where SMTP AUTH
Reject message

NOTE: The condition "AND ! Where SMTP AUTH" lets authenticated sessions through even when the From: header does not match the envelope sender, which can legitimately happen when a user redirects (forwards) an email.

 

Mail from in SRS format

The filter above can cause false positives. A recipient may want to receive such messages and whitelist the sender address, but the content filter will still block the email, because the content filter action takes precedence over the antispam black/white list result. Modify the filter slightly as follows:

! Where Session is trusted
    AND ! Where From: message header matches %%Sender_Domain%%
    AND ! Where SMTP AUTH
    AND ! Where SQL returns records SELECT * FROM Senders WHERE (SndEmail="%%Sender_Email%%" AND SndOwner="%%Recipient_Email%%") OR (SndEmail="%%Sender_Email%%" AND SndOwner="*") OR (SndEmail="%%From_Email%%" AND SndOwner="%%Recipient_Email%%") OR (SndEmail="%%From_Email%%" AND SndOwner="*")
Reject message

In the modified filter we compare only the domain part of the address instead of the whole email address, and we also cross-check the antispam whitelist database (the Senders table): if either the envelope Sender_Email or the header From_Email is whitelisted for the recipient (or for everyone, SndOwner="*"), the SQL condition returns records, the negated condition fails, and the message is not rejected.
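To make the two filters above concrete, the following added example (not IceWarp's code, and not part of the original article) reimplements them as plain Python functions over an in-memory SQLite copy of the Senders whitelist table, so the behaviour can be checked offline. It feeds in the spoofed session from the article's SMTP transcript plus a few constructed variants: a recipient who has whitelisted the sender, an authenticated redirect, and a same-domain sender. The Session class, the "trusted" and "smtp_auth" flags, the build_whitelist helper and the way "matches %%Sender_Domain%%" is interpreted (the From: address's domain equals the envelope sender's domain) are assumptions of this example; the SQL is the article's query with the %%...%% variables turned into bound parameters.

```python
"""Reimplementation of the article's two "From vs. envelope sender" content filters.

Added example, not IceWarp's own code. Everything below (the Session view of an
SMTP transaction, the sqlite Senders table, the sample sessions) is constructed
for illustration so the rules can be exercised without a mail server.
"""
import sqlite3
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass
class Session:
    """Minimal view of an SMTP transaction as the content filter sees it (assumed)."""
    sender_email: str         # envelope MAIL FROM  -> %%Sender_Email%%
    recipient_email: str      # envelope RCPT TO    -> %%Recipient_Email%%
    message: str              # DATA: headers + body
    trusted: bool = False     # "Where Session is trusted"
    smtp_auth: bool = False   # "Where SMTP AUTH"

    @property
    def from_email(self) -> str:
        """Address taken from the From: message header -> %%From_Email%%."""
        header = message_from_string(self.message).get("From", "")
        return parseaddr(header)[1].lower()

    @property
    def sender_domain(self) -> str:
        """Domain part of the envelope sender -> %%Sender_Domain%%."""
        return self.sender_email.rpartition("@")[2].lower()


def reject_v1(s: Session) -> bool:
    """First filter: reject unless trusted, unless From: equals the envelope
    sender, or unless the session authenticated with SMTP AUTH."""
    return (not s.trusted
            and s.from_email != s.sender_email.lower()
            and not s.smtp_auth)


# The article's whitelist query with %%...%% variables replaced by bound parameters.
WHITELIST_SQL = """
SELECT * FROM Senders
 WHERE (SndEmail = :sender AND SndOwner = :rcpt)
    OR (SndEmail = :sender AND SndOwner = '*')
    OR (SndEmail = :from_  AND SndOwner = :rcpt)
    OR (SndEmail = :from_  AND SndOwner = '*')
"""


def reject_v2(s: Session, db: sqlite3.Connection) -> bool:
    """Second filter: compare only the domain and honour the antispam whitelist."""
    if s.trusted or s.smtp_auth:
        return False
    # "From: message header matches %%Sender_Domain%%" interpreted here as
    # "the From: address is in the envelope sender's domain" (assumption).
    if s.from_email.rpartition("@")[2] == s.sender_domain:
        return False
    params = {"sender": s.sender_email.lower(),
              "rcpt": s.recipient_email.lower(),
              "from_": s.from_email}
    whitelisted = db.execute(WHITELIST_SQL, params).fetchone() is not None
    # "! Where SQL returns records": a whitelist hit skips the rejection.
    return not whitelisted


def build_whitelist(rows):
    """Constructed stand-in for the antispam Senders table: (SndEmail, SndOwner)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Senders (SndEmail TEXT, SndOwner TEXT)")
    db.executemany("INSERT INTO Senders VALUES (?, ?)", rows)
    return db


# The spoofed transaction from the article's SMTP transcript.
SPOOFED = Session(sender_email="spammer@domain.com",
                  recipient_email="user@yourdomain.com",
                  message="from: user@yourdomain.com\n\nSOME DATA\n")

# Constructed variants that the second filter is meant to let through.
REDIRECTED = Session(sender_email="colleague@otherdomain.example",
                     recipient_email="user@yourdomain.com",
                     message="From: someone@elsewhere.example\n\nforwarded\n",
                     smtp_auth=True)
SAME_DOMAIN = Session(sender_email="bounces@yourdomain.com",
                      recipient_email="user@yourdomain.com",
                      message="From: newsletter@yourdomain.com\n\nhello\n")


def evaluate():
    """Run both filters over the samples; returns {name: (reject_v1, reject_v2)}."""
    empty = build_whitelist([])
    allowed = build_whitelist([("spammer@domain.com", "user@yourdomain.com")])
    return {
        "spoofed": (reject_v1(SPOOFED), reject_v2(SPOOFED, empty)),
        # v1 still rejects although the recipient whitelisted the sender (false positive)
        "spoofed_whitelisted": (reject_v1(SPOOFED), reject_v2(SPOOFED, allowed)),
        "authenticated_redirect": (reject_v1(REDIRECTED), reject_v2(REDIRECTED, empty)),
        "same_domain": (reject_v1(SAME_DOMAIN), reject_v2(SAME_DOMAIN, empty)),
    }


if __name__ == "__main__":
    for name, (v1, v2) in evaluate().items():
        print(f"{name:24s} reject_v1={v1!s:5s} reject_v2={v2}")
```

The "spoofed_whitelisted" case is the false positive the article describes: the first filter rejects regardless of the whitelist, while the second consults the Senders table and lets the message through. The "same_domain" case shows the effect of matching on %%Sender_Domain%% rather than %%Sender_Email%%.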
