Hello,

Especially these days (late 2010), your company may be receiving many spoof messages where the From address and To address of the e-mail are the same and end with @yourdomain.com, and sometimes Brightmail will not be able to stop those messages. This article covers how to permanently block those messages in Brightmail 9.0 (the steps are not much different for Brightmail 8.0 or other Symantec Mail Security products).

Ninety-nine percent of the time, when Brightmail is deployed in an environment, it filters all e-mail at the edge: the firewall redirects SMTP traffic to Brightmail, which filters it and relays it to the mail server. In short, no inbound e-mail should ever arrive claiming to come from your local domain. This solution is designed for that type of environment.

Before starting this setup, if all your outgoing e-mail also passes through Brightmail, I suggest you follow and complete this article first, since bounce handling may itself be the source of the spoofed messages: https://www-secure.symantec.com/connect/articles/prevent-bounce-attakcs-brightmail#comment-4417021

Log in to your Brightmail console and let's start.
This policy filters out inbound messages whose From address contains the string "mydomain.com". You may change this to "mydomain" or "@mydomain.com" according to your domain name, but consider the risk of false matches here: for example, if your domain name is fy.com you may not want to shorten the string to "fy" only, since many unrelated addresses contain those letters. Whenever the string matches on an incoming message, Brightmail will quarantine it. If you have other rules under Content > Policies > Email, you may want to move this rule upwards, since the top rule is processed first.

Regards,
Bekir Burak Durmaz

PS: Here are the step-by-step screens for this configuration (click on the images for original size):
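To make the effect of the match string concrete, here is an added Python model of the policy described above (example code written for this page, not Brightmail's own logic or configuration). It evaluates a small set of constructed inbound messages against an ordered rule list with first-match semantics: a hypothetical trusted-sender allow rule placed above the quarantine rule, then the article's "From address contains string" condition. The domain fy.com, the sample addresses and the IP addresses are all made-up values chosen to show why "fy.com" alone over-matches while "@fy.com" does not.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample traffic (not from the article): (connecting IP, raw message)
SAMPLES = [
    # spoof: From and To both claim the local domain, but it arrives from outside
    ("203.0.113.10", "From: accounting@fy.com\nTo: ceo@fy.com\nSubject: invoice\n\nPay now"),
    # legitimate external sender whose domain merely contains the letters "fy.com"
    ("198.51.100.5", "From: news@satisfy.com\nTo: user@fy.com\nSubject: news\n\nhello"),
    # third party sending on our behalf from an IP we listed as a good sender
    ("192.0.2.77", "From: promo@fy.com\nTo: user@fy.com\nSubject: offer\n\nsale"),
    # ordinary external mail
    ("198.51.100.9", "From: friend@example.org\nTo: user@fy.com\nSubject: hi\n\nhi"),
]

LOCAL_DOMAIN = "fy.com"              # assumed local domain
TRUSTED_SENDER_IPS = {"192.0.2.77"}  # plays the role of "Local Good Sender IPs"


def sender_address(raw):
    """Return the lower-cased address part of the From: header."""
    msg = email.message_from_string(raw, policy=policy.default)
    return parseaddr(str(msg["From"]))[1].lower()


def from_contains(raw, needle):
    """The article's condition: From address contains the given string."""
    return needle.lower() in sender_address(raw)


# Ordered rule list: (name, condition(ip, raw) -> bool, action).
# Like firewall rules, the first matching rule decides and the rest are skipped.
RULES = [
    ("allow trusted senders",
     lambda ip, raw: ip in TRUSTED_SENDER_IPS, "deliver"),
    ("inbound spoof of local domain",
     lambda ip, raw: from_contains(raw, "@" + LOCAL_DOMAIN), "quarantine"),
]


def evaluate(ip, raw, rules=RULES):
    """Return (rule name, action) for the first rule that matches, else deliver."""
    for name, cond, action in rules:
        if cond(ip, raw):
            return name, action
    return "default", "deliver"


def run(samples=SAMPLES, rules=RULES):
    """Actions taken for each sample, in order."""
    return [evaluate(ip, raw, rules)[1] for ip, raw in samples]


if __name__ == "__main__":
    for (ip, raw), (name, action) in zip(SAMPLES, (evaluate(ip, raw) for ip, raw in SAMPLES)):
        print(f"{ip:15} {sender_address(raw):22} -> {action} ({name})")
    # The shorter string also hits the unrelated satisfy.com sender:
    print("fy.com  matches news@satisfy.com:", from_contains(SAMPLES[1][1], "fy.com"))
    print("@fy.com matches news@satisfy.com:", from_contains(SAMPLES[1][1], "@fy.com"))
```

With the "@fy.com" string only the first sample is quarantined; the good-sender rule above it lets the third-party mail through, and the satisfy.com sender is delivered. Switching the needle to "fy.com" would quarantine that second sender as well, which is the false-match risk the article warns about when choosing the string.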
The mails forwarded from another domain to ours: the action I picked is applied to them, which is not good, because users who have two mail accounts, one in the main office which is forwarded to the one in the branch office, won't be able to receive emails delivered to their main office account on their branch office account. Forwarding is not working with this condition. What do you suggest, please? Thanks in advance.
Thanks for the share...
I don't understand.
1. You say "coming from that domain"; these e-mails would have our domain in the envelope Mail From and in the message body From:. Content policies can't act on the connection IP address.
2. Why would a compliance policy be ignored just because the IP is a trusted sender? Certainly I'd expect a content policy for vulgar language or PCI data to be honored.
Yes, I know SPF checks occur first. To get the compliance policy to respect that, the SPF fail would need to add a header that the compliance policy could check.
Hello,
Having the IP address or domain of the 3rd party in the "Local Good Sender Domains" should bypass this rule. But to make sure, you may just add another compliance rule above this one, allowing those mails coming from that domain.
These compliance rules work with firewall-rule logic: the first one that matches is applied, and the others are not evaluated once there is a match.
The SPF check happens before all of these checks (Spam/Virus/Content).
If I have an external 3rd party sending on my behalf (e.g. a marketing service), how would I position this rule? How could I prevent this rule from quarantining those messages?
Will adding the 3rd party's IPs to Good Senders prevent this from firing?
How does SPF testing figure into this? The 3rd party is in my SPF TXT record.
Hello Bekir,
As always, you have written a good article again.
Thank you again and keep going ;)
Best Regards.
Fatih