Spam from Spoofed address coming in even when blacklisted

Created: 04 Sep 2012 | 3 comments

We are using Exchange 2007 and getting phishing spam emails coming through with spoofed email addresses from @microsoft.com and @welcome.aexp.com (American Express).

My main question is how to prevent mail coming through from spoofed domains. The only guides I see online are for preventing spoofed messages from YOUR domain. This does not help as it is coming from another domain.

Second question is how they could continue to be delivered when the email address (in this case americanexpress@welcome.aexp.com) is added to a match list to be blocked. Also added were @*.aexp.com and @welcome.aexp.com, yet the mail continues to be delivered. In the Message Tracking Results through Exchange, the IP addresses responsible are from Russia, Greece, Korea, etc. It does not help to block these IPs as the next message will come from a different IP later on.

Any suggestions or help?


TSE-JDavis

This is outside the scope of our product, but you should consider enabling SPF checking in Exchange:

http://en.wikipedia.org/wiki/Sender_Policy_Framework

Mark.E

Greetings,

First ensure that the domain that you are trying to block is not included in the Whitelist within SMSMSE. If the domain is not in the whitelist, please ensure that you have created your custom content filtering rule correctly. Please find below a link describing how to create a content filtering rule to block an email address or domain.

How to Block Email from a Specific Email Address or Email Domain

http://www.symantec.com/docs/TECH89816

I hope this helps.

nathan_bergstrom

Greetings,

Another part to be aware of is the difference between the message envelope, which Exchange sees along with SMSMSE during the SMTP conversation, and the mail from values that will be seen in Outlook (header information). To best troubleshoot the issue, a transport agent debug and/or possibly a packet capture will verify the behavior.

Also, using telnet on port 25 you can simulate an SMTP message to your Exchange server to verify that content rules work as designed and expected.

Here are some links on using telnet to send SMTP messages.

http://www.yuki-onna.co.uk/email/smtp.html

http://arnab.org/notes/using-telnet-to-send-mail-b...

The mail from field is where you can spoof the sender's address, even if it is coming from your server/workstation.

SMTP does not lend itself to checking that the mail from field (the domain value of the email address) matches up with the actual connecting IP's reverse DNS entry. Typically 3rd party software is needed to verify the information above, and this is beyond most basic MTAs. Currently SMSMSE does not contain this ability, as we are a transport agent, and this is typically best handled by the MTA itself to minimize processing. SMSMSE has to have the MTA take in almost the whole message before it will scan for anti-spam and content filtering for inbound/outbound messages. For the anti-spam, SMSMSE will wait for the end of data command from the sending MTA through Exchange before it will scan. SMSMSE passes a verdict and, depending on actions, will tell Exchange to provide back a 550 error causing the sending server to disconnect.

For content filtering the message will be accepted, meaning that Exchange sends back to the sending MTA that it has received the message and the sending server then disconnects; SMSMSE scans the message for content and viruses and then tells Exchange what it should do with the message.

I would recommend looking into the Symantec Messaging Gateway for better granular control over unwanted and spam emails.

http://www.symantec.com/messaging-gateway
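Pulling together the two points raised in the replies above, SPF checking and the gap between the SMTP envelope MAIL FROM that the MTA sees and the From header that Outlook displays, here is an added Python example that is not code from this thread, from Symantec or from SMSMSE. It assumes constructed SPF records standing in for DNS TXT lookups (the welcome.aexp.com record is a placeholder on documentation-range IPs, not the domain's real policy) and a constructed message; it shows why a match list keyed on the displayed From address can miss a message whose envelope sender is a different domain entirely.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (placeholder
# data on documentation-range IPs, not the real records of these domains).
SPF_RECORDS = {
    "welcome.aexp.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "example.org": "v=spf1 ip4:198.51.100.10 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(connecting_ip, mail_from_domain, records=SPF_RECORDS):
    """Minimal SPF evaluation: only ip4 mechanisms and the final 'all'.
    Real SPF also has include/a/mx/redirect; those are omitted here."""
    record = records.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    addr = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term == "all":
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no 'all' term


def assess_message(connecting_ip, envelope_from, raw_message):
    """Compare the SMTP envelope MAIL FROM (what the MTA sees) with the
    RFC 5322 From header (what Outlook shows) and run SPF on the envelope."""
    header_from = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    return {
        "envelope_domain": env_domain,
        "header_domain": hdr_domain,
        "aligned": env_domain == hdr_domain,
        "spf": spf_check(connecting_ip, env_domain),
    }


# Constructed sample: the From header claims welcome.aexp.com, while the
# envelope sender and connecting IP belong somewhere else entirely.
PHISH = "From: American Express <americanexpress@welcome.aexp.com>\r\nSubject: x\r\n\r\nbody\r\n"

if __name__ == "__main__":
    print(assess_message("192.0.2.55", "bounce@example.org", PHISH))
```

A blocklist entry on americanexpress@welcome.aexp.com only helps if the filter is matching the header From; checking the envelope domain and its SPF result at the MTA catches the mismatch the match list misses.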