How to block Spoofing
Posted by Michael Filip, Last modified by Milan Sykora on 30 June 2017 01:27 AM

In some cases spambots use a technique where the “SMTP From:” differs from the “Sender” in order to mask spoofed messages. See the following example of an SMTP session:


220 ESMTP IceWarp 10.4.5; Thu, 04 Apr 2013 09:59:04 +0200


250 Hello spammer [], pleased to meet you.

mail from:

250 2.1.0 <>... Sender ok


250 2.1.5 <>... Recipient ok; will forward


354 Enter mail, end with "." on a line by itself




250 2.6.0 35 bytes received in 00:00:23; Message id 201304041000050002 accepted for delivery


The message is being delivered as from

 WebClient View

You can prevent this abuse by creating a simple content filter in IceWarp Administration console - Mail - Rules - Content Filters:


! Where Session is trusted

    AND ! Where From: message header matches %%Sender_Email%%

    AND ! Where SMTP AUTH

Reject message


NOTE: "AND ! Where SMTP AUTH" will let authenticated sessions in even when the From is spoofed (which may well be the case when an email is redirected).


Mail from in SRS format

The above filter would cause false positives. Some recipients may want to receive these mails and whitelist the email address, but the content filter will still block the email because the content filter action takes precedence over the AS B/W list result. Modify the filter slightly as follows:

! Where Session is trusted

     AND ! Where From: message header matches %%Sender_Domain%%

     AND ! Where SMTP AUTH

     AND ! Where SQL returns records SELECT * FROM Senders WHERE (SndEmail="%%Sender_Email%%" AND SndOwner="%%Recipient_Email%%") OR (SndEmail="%%Sender_Email%%" AND SndOwner="*") OR (SndEmail="%%From_Email%%" AND SndOwner="%%Recipient_Email%%") OR (SndEmail="%%From_Email%%" AND SndOwner="*")

Reject message

In the modification above we compare only the domain name instead of the whole email address. We also cross-check the AS database: if the Sender_Email or From_Email is found there, the content filter is skipped.
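The decision logic of the modified filter, written out as an added Python example (not IceWarp code and not part of the original article) so the rule can be checked against sample traffic before it is enabled. It assumes "matches" means an exact, case-insensitive domain comparison and uses an in-memory SQLite table with the Senders columns named in the filter as a stand-in for the AS database; the function names and all addresses are constructed.

```python
import sqlite3
from email import message_from_string
from email.utils import parseaddr

def domain(addr):
    """Lower-cased domain part of an address, '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def whitelisted(db, sender, from_addr, recipient):
    """The article's Senders lookup, condensed and with bound parameters."""
    row = db.execute(
        "SELECT 1 FROM Senders WHERE SndEmail IN (?, ?) "
        "AND SndOwner IN (?, '*') LIMIT 1",
        (sender, from_addr, recipient)).fetchone()
    return row is not None

def should_reject(db, mail_from, recipient, raw_message,
                  trusted=False, smtp_auth=False):
    """True only when every negated condition of the modified filter holds."""
    if trusted or smtp_auth:          # trusted session or SMTP AUTH: let in
        return False
    header = message_from_string(raw_message).get("From", "")
    from_addr = parseaddr(header)[1].lower()
    d = domain(from_addr)
    if d and d == domain(mail_from):  # From: domain agrees with envelope
        return False
    # Mismatch (or no usable From:): reject unless the recipient allows it.
    return not whitelisted(db, mail_from.lower(), from_addr, recipient.lower())

def demo_db():
    """Constructed stand-in for the AS database (assumed two-column shape)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Senders (SndEmail TEXT, SndOwner TEXT)")
    db.executemany("INSERT INTO Senders VALUES (?, ?)", [
        ("news@lists.example.net", "alice@example.com"),  # per-user entry
        ("alerts@monitor.example.org", "*"),              # global entry
    ])
    return db

# Constructed message: header From: claims example.com.
SPOOFED = "From: CEO <ceo@example.com>\nSubject: invoice\n\nbody\n"

if __name__ == "__main__":
    db = demo_db()
    for mail_from, rcpt in [("bot@spam.example", "bob@example.com"),
                            ("news@lists.example.net", "alice@example.com"),
                            ("news@lists.example.net", "bob@example.com")]:
        print(mail_from, rcpt, should_reject(db, mail_from, rcpt, SPOOFED))
```

A message with no usable From: header is treated as a mismatch here, so it is rejected unless a whitelist entry applies.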
