From the Diary / 12th July, 2016
We are using IBM Lotus Domino as our mailing system for inbound/outbound email and Symantec Mail Security as the anti-spam mechanism. Managing a heavily used production email server and fighting spam is a really tough job; it requires continuous monitoring and, most of the time, additional work on a regular basis.
For the past few days, our email users have been receiving a lot of spoofed (fake advertisement / malware) emails pretending to come from their own email address, and sometimes from other legitimate users as well. The subject was different every time, and the source in the header was dynamic too. It was really annoying, as a user does not want to block his own email address in the filters.
E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. For example, you can receive an email pretending to come from your own email address, which is strange and annoying as well.
Adding an SPF record is a good idea, and every domain that sends mail should publish one in DNS. However, I took another route, which is a kind of workaround, BUT at least it is working amazingly well for me!
Just to share my story. / z@ib
I made the following rule in the SMSDOM Content Filter Rules section.
Description: BLOCK SPOOFED EMAILS RULE
Classification: Compliance Rule
This rule is for: Email Routing
Flow: Inbound
This rule is applied: Conditionally
Condition: Unless
Attributes: Sender/Author > myself@mycompany.com
[Exempt the few local server email IDs that are used to send backup/alert emails to the admin via batch scripts]
Rule Expression: if Internet Domain Contains MYCOMPANY.COM
Action: QUARANTINE the Document
Save the rule.
Images of the rule:
End Results:
🙂 & now I can see many spoofed emails dropping into the quarantine box, and the users' inboxes are clean and shiny.
TIPS:
Test Spoofing
To test sending a spoofed email, you can use the following web site ..
SPF RECORD: / zaib
To create an SPF record on the DNS server, you can use the following syntax:
v=spf1 mx ip4:1.2.3.4 -all
The above record allows all your MX hosts plus the IP 1.2.3.4 to send email for your domain; everything else is prohibited (-all is a hard fail). But the receiving mail servers or relays must support and check SPF for the record to have any effect.
Or, if you have two ISP links for the primary and secondary MX (two IP addresses), you can use the following:
v=spf1 mx ip4:1.2.3.4 ip4:5.6.7.8 -all
where 1.2.3.4 and 5.6.7.8 are the public IP addresses of your email servers.
OR something like
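To show how the two defences above fit together, here is an added Python example (not SMSDOM code, not from the original post) that mirrors the inbound content-filter rule and evaluates the simple `v=spf1 mx ip4:... -all` records from the tip. The domain, exempt senders, and MX addresses are constructed stand-ins; a real SPF check would resolve MX records via DNS.

```python
import ipaddress
from email.utils import parseaddr

# Constructed sample data: the internal domain, the exempt sender list (the
# backup/alert scripts the post mentions) and a stand-in for resolved MX hosts.
INTERNAL_DOMAIN = "mycompany.com"
EXEMPT_SENDERS = {"myself@mycompany.com", "backup@mycompany.com"}
MX_IPS = {"mycompany.com": ["1.2.3.4"]}  # hypothetical MX -> IP lookup result


def content_filter_action(from_header, exempt=EXEMPT_SENDERS, domain=INTERNAL_DOMAIN):
    """Mirror of the SMSDOM rule for INBOUND mail: quarantine any message whose
    sender address contains the internal domain, unless the sender is exempt.
    Genuine internal mail never arrives on the inbound flow, so a claim of an
    internal sender from outside is treated as spoofing."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in exempt:
        return "DELIVER"
    if domain in addr.rsplit("@", 1)[-1]:  # "Internet Domain Contains ..."
        return "QUARANTINE"
    return "DELIVER"


def spf_check(record, client_ip, sender_domain, mx_ips=MX_IPS):
    """Minimal evaluator for 'v=spf1 mx ip4:... -all' style records.
    Handles only the mx, ip4 and all mechanisms with their qualifiers and
    returns pass, fail, softfail, neutral or permerror."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        matched = False
        if name == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(m) for m in mx_ips.get(sender_domain, []))
        elif name == "all":
            matched = True
        if matched:  # first matching mechanism decides the result
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"
```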