Messaging Gateway

  • 1.  Local Bad sender domains don't work for all emails

    Posted Feb 02, 2016 03:22 AM

    Hi,

    On Messaging Gateway 10.5.4.4, in Reputation/Policies/Bad Senders/Local Bad Sender Domains, I've added 579 spam domains.

    The problem is that some of them are bypassed by email and the messages arrive.

    For example, I've added "credemonline.it", but if the email has this sender: "servizio.clienti@intesasanpaolo.com" <info.44063@credemonline.it>, it will be delivered without a rules check.

    How is it possible?

    Thanks in advance



  • 2.  RE: Local Bad sender domains don't work for all emails

    Posted Feb 04, 2016 07:39 AM

    Hi Max,

    Why have you got so many domains in there? Usually you only place your own, hosted domains in there and you're fine.

    If it's only because certain spam got through, there are much better ways to take action (SPF, public or even private RBL lists, content rules based on dictionaries and/or regex, etc.).

    Usually, if I had to add a certain sending domain to the list of local bad senders, it's just doing what it's supposed to do: search incoming messages for sender or envelope sender eq domain.

    But think of updating.

    Thomas



  • 3.  RE: Local Bad sender domains don't work for all emails

    Posted Feb 04, 2016 08:52 AM

    Thanks for the answer,

    I've added a long list of domains there because I've not found another simple way to delete that incoming spam. With SPF I've seen that I have problems with some of our suppliers, so I can't use it.

    I need only a simple domain blacklist and Local Bad Sender seems good for this.

    About updating, I'm waiting for the new server that is incoming, to avoid doing the installation twice.

    If there is another simple way to create a domain blacklist, please tell me how.

    Thanks in advance

    Max



  • 4.  RE: Local Bad sender domains don't work for all emails

    Posted Feb 04, 2016 09:48 AM

    Hi,

    - SPF: Get them to correct their errors in the DNS config. Yes, it takes a while - you can think of just making SPF hard- and softfails suspected spam, delivering them to the mailboxes and merging them to junk.

    - Domain blacklisted: It is a good thing to just get rid of certain senders, spam bots, etc. From what I've seen, the same kind of mails usually get to you using different accounts, hosts and domains. Therefore analyse your bad inbound mails, instruct users, get Symantec feedback, think of submitting mails, etc.

    But using local bad senders as local bad IPs is useless as a long-term thing.

    - Updating: fair enough

    - Another simple way: Again, analyse the bad guys. E.g. approx. a year ago I invented a couple of content rules like (envelope sender <> pattern)&(sender = pattern)&(message contains words in dictionary). But it's very specific and I think it depends on business, region, etc.

    Thomas



  • 5.  RE: Local Bad sender domains don't work for all emails

    Posted Feb 04, 2016 10:38 AM

    Thanks for the answer

    SPF: I've tried to explain, but our suppliers are not always skilled enough to understand

    Rules: in my job they are impossible to apply because we are in contact with all countries from Brazil to Japan, so only "special" words can be blocked, but they are too few

    By searching on Symantec support I've found and followed this rule: https://support.symantec.com/en_US/article.TECH152617.html

    Regards

    Max



  • 6.  RE: Local Bad sender domains don't work for all emails

    Posted Feb 05, 2016 09:50 AM

    Hi,

    SPF: Enable it, but at spam-sender auth use the action deliver normally. 2nd - create a content rule matching the Authentication Service Identifier you just defined. 3rd - AND the condition with a regex for certain IPs and you're done.

    Rules: The dictionaries just apply to spam you would like to filter - e.g. take a look at Western Union or DHL spam/phishing. Analyse them and you know what I'm talking about.

    Technet: Yes, you can use them, but it's like adding bad IPs to your server config. Works for the short moment till spammers switch to different spambots etc. Better use RBLs, can be done via "Third Party Bad Senders".

    Regards

    Thomas
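
The sender from post 1 carries three separate identities: the envelope sender, the header From address, and a display name that itself looks like an address. The following Python check over all three, in the spirit of the content rule from post 4, is an added example; it is not part of the thread and does not represent how Messaging Gateway evaluates Local Bad Sender Domains. The blocklist entry `spam.example`, the envelope sender `bounce@mailer.example` and the finding names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed blocklist; the first entry is the domain named in post 1.
BAD_DOMAINS = {"credemonline.it", "spam.example"}
# Finds an address-like string inside a display name and captures its domain.
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else ""

def is_listed(domain, bad=BAD_DOMAINS):
    """True if the domain or any parent domain is on the blocklist."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in bad for i in range(len(labels)))

def check_sender(envelope_from, raw_message, bad=BAD_DOMAINS):
    """Return findings for one message, checking each sender identity."""
    msg = message_from_string(raw_message)
    display, header_addr = parseaddr(msg.get("From", ""))
    env_dom, hdr_dom = domain_of(envelope_from), domain_of(header_addr)
    findings = []
    if env_dom and is_listed(env_dom, bad):
        findings.append("envelope-sender-listed")
    if hdr_dom and is_listed(hdr_dom, bad):
        findings.append("header-from-listed")
    if env_dom and hdr_dom and env_dom != hdr_dom:
        findings.append("envelope-header-mismatch")
    # A display name that contains an address from a different domain than
    # the real header address is what the recipient's mail client shows.
    m = ADDR_IN_TEXT.search(display)
    if m and m.group(1).lower() != hdr_dom:
        findings.append("display-name-address-mismatch")
    return findings

# Constructed sample: the From header is the one quoted in post 1; the
# subject, body and envelope sender used below are made up.
SAMPLE = (
    'From: "servizio.clienti@intesasanpaolo.com" <info.44063@credemonline.it>\n'
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(check_sender("bounce@mailer.example", SAMPLE))
```

A blocklist that is compared only against the envelope sender would report nothing for this sample, which is why the check reports each identity separately.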