How to block Spoofing
Posted by Michael Filip, Last modified by Milan Sykora on 30 June 2017 01:27 AM
In some cases spambots use a technique where the "From:" message header differs from the SMTP envelope sender ("MAIL FROM") in order to mask spoofed messages. See the following example of an SMTP session:

220 127.0.0.1 ESMTP IceWarp 10.4.5; Thu, 04 Apr 2013 09:59:04 +0200
helo mail.yourdomain.com
250 127.0.0.1 Hello spammer [127.0.0.1], pleased to meet you.
mail from: spammer@domain.com
250 2.1.0 <spammer@domain.com>... Sender ok
rcpt to: user@yourdomain.com
250 2.1.5 <user@yourdomain.com>... Recipient ok; will forward
data
354 Enter mail, end with "." on a line by itself
from: user@yourdomain.com
SOME DATA
.
250 2.6.0 35 bytes received in 00:00:23; Message id 201304041000050002 accepted for delivery
The message is delivered as if it were from user@yourdomain.com. You can block this abusive behavior by creating a simple content filter in the IceWarp Administration Console under Mail - Rules - Content Filters:

! Where Session is trusted
AND ! Where From: message header matches %%Sender_Email%%
AND ! Where SMTP AUTH
Reject message

NOTE: The condition "AND ! Where SMTP AUTH" lets authenticated sessions through even when the From: header is spoofed (which can legitimately happen when an email is redirected).
Mail from in SRS format

The filter above causes false positives for mail whose envelope sender is rewritten in SRS format. Some recipients may want to receive such mail and whitelist the sender address, but the content filter will still block the email, because the content filter action takes precedence over the AntiSpam black/white list result. Modify the filter slightly as follows:

! Where Session is trusted
AND ! Where From: message header matches %%Sender_Domain%%
AND ! Where SMTP AUTH
AND ! Where SQL returns records
    SELECT * FROM Senders
    WHERE (SndEmail="%%Sender_Email%%" AND SndOwner="%%Recipient_Email%%")
       OR (SndEmail="%%Sender_Email%%" AND SndOwner="*")
       OR (SndEmail="%%From_Email%%" AND SndOwner="%%Recipient_Email%%")
       OR (SndEmail="%%From_Email%%" AND SndOwner="*")
Reject message

In the modified filter we compare only the domain name instead of the whole email address, and we also cross-check the AntiSpam database: if Sender_Email or From_Email is found in the whitelist (either for this recipient or as a server-wide entry), the content filter is skipped.
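To make the two filter variants concrete, here is an added Python model of their decision logic; it is example code written for this article, not part of IceWarp. The SENDERS list is a constructed stand-in for the AntiSpam "Senders" table, and the strict/relaxed switch selects between the whole-address filter and the modified domain-plus-whitelist filter (this model compares parsed domains rather than the substring match the filter condition performs).

```python
import re

# Constructed stand-in for the AntiSpam "Senders" whitelist table the second
# filter queries: (SndEmail, SndOwner). SndOwner "*" is a server-wide entry.
SENDERS = [
    ("newsletter@example.net", "*"),
    ("partner@example.org", "user@yourdomain.com"),
]


def addr_of(header_value):
    """Bare lower-cased address from 'Name <a@b.tld>' or a plain address."""
    m = re.search(r"<([^>]+)>", header_value)
    return (m.group(1) if m else header_value).strip().lower()


def domain_of(header_value):
    """Lower-cased domain part of an address ('' if there is none)."""
    addr = addr_of(header_value)
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def whitelisted(sender_email, from_email, recipient):
    """Mirror the SQL cross-check: either address, for this recipient or globally."""
    candidates = {addr_of(sender_email), addr_of(from_email)}
    return any(snd_email.lower() in candidates
               and snd_owner.lower() in (recipient.lower(), "*")
               for snd_email, snd_owner in SENDERS)


def spoof_verdict(sender_email, from_email, recipient,
                  trusted=False, smtp_auth=False, strict=False):
    """Return 'reject' or 'accept' for one message, following the article's filters.

    strict=True  models the first filter (whole-address comparison);
    strict=False models the modified filter (domain comparison plus whitelist).
    """
    if trusted or smtp_auth:      # "! Where Session is trusted" / "! Where SMTP AUTH"
        return "accept"
    if strict:                    # From: header must match %%Sender_Email%%
        return "accept" if addr_of(sender_email) == addr_of(from_email) else "reject"
    if domain_of(sender_email) == domain_of(from_email):   # %%Sender_Domain%% check
        return "accept"
    if whitelisted(sender_email, from_email, recipient):   # "! Where SQL returns records"
        return "accept"
    return "reject"


if __name__ == "__main__":
    # The session from the article: envelope sender and From: header disagree.
    print(spoof_verdict("spammer@domain.com", "user@yourdomain.com", "user@yourdomain.com"))
```

An SRS-rewritten envelope sender for a whitelisted partner is rejected by the strict filter but accepted by the relaxed one, which is exactly the false positive the modification removes.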