In some cases, spambots use a technique where the envelope sender given in the SMTP "MAIL FROM" command is different from the "From:" header of the message, so that the spoofed message appears to come from a local user.
See the following example of such an SMTP session:
220 127.0.0.1 ESMTP IceWarp 10.4.5; Thu, 04 Apr 2013 09:59:04 +0200
helo mail.yourdomain.com
250 127.0.0.1 Hello spammer [127.0.0.1], pleased to meet you.
mail from: spammer@domain.com
250 2.1.0 <spammer@domain.com>... Sender ok
rcpt to:user@yourdomain.com
250 2.1.5 <user@yourdomain.com>... Recipient ok; will forward
data
354 Enter mail, end with "." on a line by itself
from: user@yourdomain.com
SOME DATA
.
250 2.6.0 35 bytes received in 00:00:23; Message id 201304041000050002 accepted for delivery
The message is then delivered with a From: header of user@yourdomain.com, even though the envelope sender was spammer@domain.com.
You can block this abusive behaviour by creating the following simple content filter in the IceWarp Administration console under Mail - Rules - Content Filters:
! Where Session is trusted
AND ! Where From: message header matches %%Sender_Email%%
AND ! Where SMTP AUTH
Reject message
NOTE: The condition "AND ! Where SMTP AUTH" lets authenticated sessions through even when the From: header does not match the envelope sender (which can easily be the case when an email is redirected).
Mail from in SRS format
The filter above can cause false positives, for example when the envelope sender has been rewritten into SRS format by a forwarding host. Some recipients may want to receive these emails and whitelist the sender address, but the content filter will still block them, because the content filter action takes precedence over the Anti-Spam black/white (B/W) list result. Modify the filter slightly as follows:
! Where Session is trusted
AND ! Where From: message header matches %%Sender_Domain%%
AND ! Where SMTP AUTH
AND ! Where SQL returns records SELECT * FROM Senders WHERE (SndEmail="%%Sender_Email%%" AND SndOwner="%%Recipient_Email%%") OR (SndEmail="%%Sender_Email%%" AND SndOwner="*") OR (SndEmail="%%From_Email%%" AND SndOwner="%%Recipient_Email%%") OR (SndEmail="%%From_Email%%" AND SndOwner="*")
Reject message
In the modified filter we compare only the domain name of the envelope sender with the From: header instead of the whole email address, and we also cross-check the Anti-Spam database: if either the Sender_Email or the From_Email is found in the recipient's (or the global "*") whitelist, the SQL condition returns records and the content filter is skipped.
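The following Python script is an added example, not part of this article or of IceWarp, that reproduces the logic of both filters above: it extracts the envelope sender and the From: header from the SMTP session shown at the top, compares them by whole address or by domain, and stands in for the SQL whitelist lookup with a constructed Senders set. The SENDERS entries and the SESSION transcript are constructed sample data.

```python
from email.utils import parseaddr
# Constructed stand-in for the Senders table (SndEmail, SndOwner) that the second
# filter queries; SndOwner "*" is a whitelist entry that applies to every recipient.
SENDERS = {("newsletter@lists.example.org", "*"),
           ("partner@partner.example", "user@yourdomain.com")}

def domain_of(addr):
    """Lowercased domain part of an address; empty when there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def whitelisted(sender_email, from_email, recipient_email, senders=SENDERS):
    """Same test as the SQL condition: either address is listed for this recipient or for '*'."""
    return any((addr, owner) in senders
               for addr in (sender_email, from_email)
               for owner in (recipient_email, "*"))

def parse_session(transcript):
    """Extract envelope sender, recipient and header From from a client-side SMTP transcript."""
    envelope = recipient = header_from = None
    in_data = False
    for line in transcript.splitlines():
        low = line.lower()
        if in_data:
            if line == ".":          # end of DATA
                break
            if low.startswith("from:") and header_from is None:
                header_from = parseaddr(line.split(":", 1)[1])[1].lower()
        elif low.startswith("mail from:"):
            envelope = parseaddr(line.split(":", 1)[1])[1].lower()
        elif low.startswith("rcpt to:"):
            recipient = parseaddr(line.split(":", 1)[1])[1].lower()
        elif low == "data":
            in_data = True
    return envelope, header_from, recipient

def should_reject(envelope, header_from, recipient, trusted=False, smtp_auth=False, by_domain=True):
    """Mirror the content filter: reject only when every negated condition holds."""
    if trusted or smtp_auth:          # "! Where Session is trusted" / "! Where SMTP AUTH"
        return False
    if by_domain:                     # second filter: compare %%Sender_Domain%% only
        same = domain_of(envelope) == domain_of(header_from)
    else:                             # first filter: compare the whole %%Sender_Email%%
        same = envelope == header_from
    if same:
        return False
    return not whitelisted(envelope, header_from, recipient)   # "! Where SQL returns records"

# Constructed transcript reproducing the client commands of the session shown above.
SESSION = "mail from: spammer@domain.com\nrcpt to:user@yourdomain.com\ndata\nfrom: user@yourdomain.com\nSOME DATA\n."
```

Running should_reject(*parse_session(SESSION)) returns True for the spoofed session, while a bounce from the same domain (by_domain=True) or a whitelisted sender passes.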