Spam Emails are being delivered by the Symantec Mail Security appliance with verdict "System allowed email address or domain"

Article:TECH89242  |  Created: 2008-01-27  |  Updated: 2012-05-10  |  Article URL http://www.symantec.com/docs/TECH89242
Article Type
Technical Solution

Product(s)

Issue





Symptoms
The message is clearly a spam message and is delivered to the intended recipient with a verdict "System allowed email address or domain". This can be seen in the Message Audit Logs.

  • The message comes from a domain that is spoofed.
  • The message comes from a domain that is in the "Allowed Senders (Domain based)" list. This list is under > Spam > Sender Groups.


 


Cause



If the spoofed email domain is on the "Allowed Senders (Domain based)" list (e.g. Yahoo.com), the Allowed Senders list takes precedence and the email is delivered. The exception is when the action for spam messages is set to delete spam, in which case the 'Delete' action takes precedence.


Solution



The feature works as designed.

It is possible to refine the Allowed Senders list.
More information can be found in the Symantec Mail Security Appliance Version 7.6 Administration Guide, Chapter 3 "Configuring spam filtering", sections "Configuring sender groups" and "Adding senders to Allowed Senders Lists".

The Administration guide can be found here:
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_mail_security/8200_8300_series/manuals/2007/



If you can determine the IP address of the spammer who is spoofing this email address, you can add that IP address to the 'Blocked Senders (IP Based)' sender group. In the order of precedence for antispam checks, the IP address of the sender is examined first, before the check for whether the email address is whitelisted.

To add an IP address to the Blocked Senders list, please see the Symantec Mail Security for SMTP 5 (or Appliance) Administration Guide.
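One way to find the source IP addresses worth adding to 'Blocked Senders (IP Based)' is to tally which connecting IPs deliver mail under the allow-list verdict. The following is an added example, not Symantec code: the CSV layout, the sample rows and the `EXPECTED_NETS` table of networks you accept as genuine for an allowed domain are all constructed assumptions, so adapt the column names to whatever your Message Audit Log export contains.

```python
import csv
import io
import ipaddress
from collections import Counter

ALLOW_VERDICT = "System allowed email address or domain"

# Constructed sample export (not the appliance's real log format):
# columns are connecting IP, envelope sender, verdict.
SAMPLE_AUDIT = """\
client_ip,sender,verdict
203.0.113.45,promo@yahoo.com,System allowed email address or domain
203.0.113.45,deals@yahoo.com,System allowed email address or domain
198.51.100.7,alice@yahoo.com,System allowed email address or domain
203.0.113.45,win@yahoo.com,System allowed email address or domain
192.0.2.10,bob@example.org,Spam
"""

# Assumption: networks the administrator accepts as genuine for each allowed domain.
EXPECTED_NETS = {"yahoo.com": ["198.51.100.0/24"]}


def block_candidates(audit_csv, expected_nets, min_hits=2):
    """Return [(ip, domain, hits)] for allow-listed deliveries from unexpected IPs."""
    nets = {d.lower(): [ipaddress.ip_network(n) for n in ns]
            for d, ns in expected_nets.items()}
    hits = Counter()
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["verdict"].strip() != ALLOW_VERDICT:
            continue  # only messages the allow list let through
        domain = row["sender"].rpartition("@")[2].strip().lower()
        try:
            ip = ipaddress.ip_address(row["client_ip"].strip())
        except ValueError:
            continue  # skip malformed address fields
        if any(ip in net for net in nets.get(domain, [])):
            continue  # arrived from a network expected for this domain
        hits[(str(ip), domain)] += 1
    # Most frequent offenders first; review each before blocking.
    return sorted(((ip, d, n) for (ip, d), n in hits.items() if n >= min_hits),
                  key=lambda t: -t[2])


if __name__ == "__main__":
    for ip, domain, n in block_candidates(SAMPLE_AUDIT, EXPECTED_NETS):
        print(f"{ip}\t{domain}\t{n} delivered via allow list")
```

Review each reported address before blocking it, since a legitimate sender outside the networks you listed will also appear here.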



References
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_mail_security/8200_8300_series/manuals/2007/


'Brief descriptions of the attributes in the Allowedblockedlist.txt'
http://www.symantec.com/docs/TECH83177


Technical Information
Symantec does not recommend whitelisting your own domain by domain name. A common spammer tactic is to use a return address that spoofs an address at the target domain.



 



Legacy ID



2008032713033654

