How to block Spoofing - Powered by Kayako Help Desk Software

Knowledgebase

Sales/Licensing Help Technical Help Технические вопросы Hilfethemen - Technical Help in German IceWarp Cloud Known Bugs and Issues

Knowledgebase:

How to block Spoofing

Posted by Michael Filip, Last modified by Milan Sykora on 30 June 2017 01:27 AM

In some cases spambots may use a technique where the “SMTP From:” is different from “Sender” to mask the spoofed messages. See the example of SMTP session:

220 127.0.0.1 ESMTP IceWarp 10.4.5; Thu, 04 Apr 2013 09:59:04 +0200

helo mail.yourdomain.com

250 127.0.0.1 Hello spammer [127.0.0.1], pleased to meet you.

mail from: spammer@domain.com

250 2.1.0 <spammer@domain.com>... Sender ok

rcpt to:user@yourdomain.com

250 2.1.5 <user@yourdomain.com>... Recipient ok; will forward

data

354 Enter mail, end with "." on a line by itself

from: user@yourdomain.com

SOME DATA

250 2.6.0 35 bytes received in 00:00:23; Message id 201304041000050002 accepted for delivery

The message is being delivered as from user@yourdomain.com:

WebClient View

You can avoid this abusing behavior by creating a simple content filter in IceWarp Administration console - Mail - Rules - Content Filters:

! Where Session is trusted

AND ! Where From: message header matches %%Sender_Email%%

AND ! Where SMTP AUTH

Reject message

NOTE: "AND ! Where SMTP AUTH" will let authenticated sessions in even when there's a spoofed From (which can be well the case in case of redirecting an email).

Mail from in SRS format

The above filter would cause false positives. Some recipients may want to receive these mails and whitelist the email address but the content filter will still block the email as the content filter action takes precedence over the AS B/W list result. Modify the filter slightly as follows:

! Where Session is trusted

AND ! Where From: message header matches %%Sender_Domain%%

AND ! Where SMTP AUTH

AND ! Where SQL returns records SELECT * FROM Senders WHERE (SndEmail="%%Sender_Email%%" AND SndOwner="%%Recipient_Email%%") OR (SndeMail="%%Sender_Email%%" AND SndOwner="*") OR (SndEmail="%%From_Email%%" AND SndOwner="%%Recipient_Email%%")OR (SndeMail="%%From_Email%%" AND SndOwner="*")

Reject message

In the modification above we only compare the domain name instead of the whole email address and also cross check the AS database and if the Sender_Email or From_Email is found then the content filter is skipped.

(8 vote(s))

Helpful

Not helpful

Comments (0)

Help Desk Software by Kayako