How to create a compliance policy for blocking spoofing of the local domains on a Symantec Messaging Gateway.

Article:TECH97616  |  Created: 2009-01-20  |  Updated: 2011-12-07  |  Article URL http://www.symantec.com/docs/TECH97616
Article Type
Technical Solution

Issue



How is it possible to block emails that are spoofing the local domain on the Symantec Messaging Gateway (SMG)?

Symptoms
The envelope sender in the header of the message lists the local domain, as does the envelope recipient, but the email is coming from outside the local domain.


 


Solution




Steps for creating a compliance rule to block spoofed domains:
 

  • Create a dictionary listing the domains in the environment that are being spoofed.
  • Create the Compliance rule.
  • Test the rule.


Create Dictionary

  1. Log in to the Control Center as Admin.
  2. Click on the "Compliance" tab.
  3. On the left of the screen, under "Resources", click on "Dictionaries".
  4. The list of Dictionaries should be displayed.
  5. Click on the "Add" button.
  6. The "Add Dictionary" page is displayed.
  7. Give the dictionary a name.

    Example: Spoofing Domains
     
  8. Under the section "Words or Phrases" add the words that will cause the rule to trigger.

    Example: abc.com
     
  9. Once all of the domains have been entered, click on "Save".


Create Compliance Rule
 

  1. Under "Policies" click on "Email".
  2. The list of compliance policies will be displayed.
  3. Click on the "Add" button to create the new rule.
  4. The list of templates will be displayed. Leave "Blank" selected and click on "Select" at the bottom of the screen.
  5. The "Configure an Email Content Compliance Policy" page will be displayed.
  6. Give it a Policy Name.

    Example: Spoofing of Domains
     
  7. Leave "Track violations of this policy in the dashboard and reports" checked.
  8. Under the "Conditions" section, set "Apply to:" to "Inbound messages".
  9. Leave "Any" for the "Which of the following conditions must be met:".
  10. Click on the "Add" button to add a condition.
  11. Select "Text in the specific part of the message header:" and choose "Envelope Sender" from the drop-down list.
  12. Select "contains" and "Domain name", then under "from dictionary:" select the dictionary that you created for the domains list.
  13. Click the "Update Condition" button.
  14. Under the "Actions" section, set up the action you want performed when the condition is triggered.
  15. Check the boxes next to the "Groups" the rule should be applied to.
  16. Click on the "Save" button.


Test rule
 

  1. Use "telnet" or a mail client to create a test message to send into the appliance to test the rule.
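
A scripted version of the test step, added here as an example and not part of the original article: it prepares one message whose envelope sender uses the dictionary domain and one control message from an external domain, and prints what the policy should do with each. The host name smg.example.test, every address other than the abc.com domain, and the exact-domain model of the expected verdict are assumptions.

```python
import smtplib
import sys
from email.message import EmailMessage

# Assumptions, not from the article: appliance host name and all addresses but abc.com.
SMG_HOST = "smg.example.test"      # hypothetical inbound SMTP listener of the appliance
DICTIONARY = {"abc.com"}           # the article's example dictionary entry

# Constructed test cases: (label, envelope sender, envelope recipient)
CASES = [
    ("local domain as envelope sender", "test-sender@abc.com", "postmaster@abc.com"),
    ("control, external envelope sender", "test-sender@partner.example", "postmaster@abc.com"),
]

def expected_to_trigger(envelope_sender):
    """Expected verdict, modelled here as an exact match on the sender's domain."""
    return envelope_sender.rsplit("@", 1)[-1].lower() in DICTIONARY

def build_message(label, mail_from, rcpt_to):
    msg = EmailMessage()
    msg["From"], msg["To"] = mail_from, rcpt_to
    msg["Subject"] = f"SMG compliance policy test: {label}"
    msg.set_content("Test message for the 'Spoofing of Domains' policy.")
    return msg

def telnet_dialogue(label, mail_from, rcpt_to):
    """Lines to type in a telnet session to port 25 for the same test."""
    body = build_message(label, mail_from, rcpt_to).as_string().splitlines()
    return ["EHLO test-client.example", f"MAIL FROM:<{mail_from}>",
            f"RCPT TO:<{rcpt_to}>", "DATA", *body, ".", "QUIT"]

def send_case(label, mail_from, rcpt_to, host=SMG_HOST, port=25):
    """Deliver one case; from_addr is what becomes the envelope sender."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        return smtp.send_message(build_message(label, mail_from, rcpt_to),
                                 from_addr=mail_from, to_addrs=[rcpt_to])

def plan():
    return [(label, s, r, expected_to_trigger(s)) for label, s, r in CASES]

if __name__ == "__main__":
    for label, sender, rcpt, hit in plan():
        print(f"{label}: MAIL FROM:<{sender}> -> policy should "
              f"{'trigger' if hit else 'not trigger'}")
        if "--send" in sys.argv:   # run from a host outside the local domain
            send_case(label, sender, rcpt)
```

Run it with `--send` from a host outside the local domain, then confirm that the policy's action was applied to the first message only.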





Technical Information
Blocking spoofed domains can also be accomplished with SPF records, the Bad Senders list, or DKIM (version 9 only).


 




Legacy ID



2009112005380854

