In some cases, spambots use a technique where the "From:" message header is different from the SMTP sender (the "mail from:" address) to mask spoofed messages.
See this example SMTP session:
220 127.0.0.1 ESMTP IceWarp 10.4.5; Thu, 04 Apr 2013 09:59:04 +0200
helo mail.yourdomain.com
250 127.0.0.1 Hello spammer [127.0.0.1], pleased to meet you.
mail from: spammer@domain.com
250 2.1.0 <spammer@domain.com>... Sender ok
rcpt to:user@yourdomain.com
250 2.1.5 <user@yourdomain.com>... Recipient ok; will forward
data
354 Enter mail, end with "." on a line by itself
from: user@yourdomain.com
SOME DATA
.
250 2.6.0 35 bytes received in 00:00:23; Message id 201304041000050002 accepted for delivery
The message is delivered as if it came from user@yourdomain.com.
You can avoid this abusive behaviour by creating this simple content filter in IceWarp Administration console - Mail - Rules - Content Filters:
! Where Session is trusted
AND ! Where From: message header matches %%Sender_Email%%
AND ! Where SMTP AUTH
Reject message
NOTE: "AND ! Where SMTP AUTH" lets authenticated sessions in even when the From: header is spoofed (which can happen when an email is redirected).
Mail from in SRS format
The above filter would cause false positives. Some recipients may want to receive these emails and whitelist the email address, but the content filter will still block the email, as the content filter action takes precedence over the AS B/W list result. Use the attached XML file to modify the filter.
Mind the part about the DB connection when you import the XML file. You must adjust the path manually.
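The logic of the content filter above, as an added Python example (not IceWarp code and not the contents of the attached XML file). The function names and sample message are constructed, and unwrapping an SRS0 address before the comparison is an assumption added for the forwarded-mail case named in the heading above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# SRS0 envelope address: SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
SRS0_RE = re.compile(r"^SRS0[=+-][^=]+=[^=]+=([^=]+)=(.+)@[^@]+$", re.IGNORECASE)


def original_sender(envelope_from):
    """Return the envelope sender, undoing an SRS0 rewrite if one is present."""
    addr = envelope_from.strip().strip("<>")
    m = SRS0_RE.match(addr)
    if m:
        domain, local = m.group(1), m.group(2)
        return f"{local}@{domain}".lower()
    return addr.lower()


def should_reject(envelope_from, raw_message, trusted=False, authenticated=False):
    """Mirror the filter: reject only if NOT trusted AND NOT SMTP AUTH
    AND the From: header does not match the envelope sender."""
    if trusted or authenticated:
        return False
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    return header_from != original_sender(envelope_from)


# Constructed sample modelled on the SMTP session shown earlier on this page.
SPOOFED = "From: User <user@yourdomain.com>\nSubject: test\n\nSOME DATA\n"

if __name__ == "__main__":
    cases = [
        ("spammer@domain.com", {}),                       # mismatch -> reject
        ("spammer@domain.com", {"authenticated": True}),  # SMTP AUTH -> accept
        ("user@yourdomain.com", {}),                      # match -> accept
        ("SRS0=a1b2=TT=yourdomain.com=user@forwarder.example", {}),  # SRS -> accept
    ]
    for sender, flags in cases:
        verdict = "REJECT" if should_reject(sender, SPOOFED, **flags) else "accept"
        print(f"{verdict:6}  mail from: {sender}  {flags}")
```

The SRS hash can only be verified by the forwarder that issued it, so the unwrapped address is unauthenticated and should be treated as a hint for reducing false positives, not as proof of origin.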