
Content filter - forged Senders and From header



ICEWARP_BRAZIL
03-26-2011, 03:49 PM
Hi, everyone

A common support inquiry we have is about ways to avoid forged messages.

Most of you know that the option in Mail/Security/General/"Reject if originator's domain is local and not authorized" can be useful for avoiding forged senders. If an email with a local MAIL FROM (@domain that exists in your IceWarp) comes from another SMTP server (so the user isn't authenticating via IceWarp), it rejects the message. I personally haven't used this option, however, as many places like hotels force you to use their SMTP server and thus, in that scenario, your email would be rejected by your own server if you send mail to another local recipient.

So one way to avoid a forged Sender (the MAIL FROM, which appears in the logs) is something like this:

Where Sender matches icewarp.com.br (here I use "ends with string")
and ! Where SMTP AUTH
and ! Where Sender's IP address is trusted
and Where Sender's Hostname matches NOT otherhost.com
and Where Sender's IP address matches NOT 192.168.201.2
Stop processing more rules
and Forward to cf-forged-sender@icewarp.com.br

The filter above only audits, so you can see if it's worth implementing. Basically we're checking whether the sender contains our own local domain, there is no authentication, and the IP of the sender is not trusted; if so, it is considered a mail with a forged sender. You will have quite a few false positives, which you can try to eliminate by adding conditions that deny (such as where the sender's IP is not a certain IP or the sender's hostname is not a certain one).

Now on to avoiding e-mails that have a forged FROM header. This is worse, because this is what end users actually see, and nobody enjoys their boss receiving an email about viagra with their address forged in the From header :)

I prefer to create such a filter on the domain level, as a RULE. The idea is the same: since most systems require SMTP authentication, if the FROM header contains your domain and there is no SMTP AUTH, then it might be an email with a forged header.

! Where SMTP AUTH
and Where From: message header matches icewarp.com.br
and Where Sender matches NOT blackberry.com
and ! Where Sender's IP address is trusted
and Where Recipient matches NOT joe@hotmail.com
Forward to cf-forged-from@icewarp.com.br

You can always make exceptions; for example, we have added exceptions so that emails from BlackBerries (sender contains blackberry.com) and emails from joe@hotmail.com are not caught by this filter.

You will have a few false positives, such as sites where you can send an invitation to someone, where the FROM is set to your own address but the message comes from a remote system. So you should choose wisely whether it's worth implementing the rule with an action to delete or reject messages. If you do so, it's always good to audit all the filtered emails, so that if there's a false positive, the administrator can redirect it back to the original recipient (this can be done via WebClient: right-click on a message and redirect it, keeping the headers intact).

All the best,
Flávio
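The two audit filters in the post (envelope MAIL FROM rule and From: header rule), modelled as an added Python example that is not IceWarp's own code, run over a handful of constructed SMTP session records. The local domain and exception hosts/IPs are taken from the post; the trusted network (10.0.0.0/8), the session records and the rule names are assumptions made up for the example. One deliberate difference from the post: the "ends with string" match on the domain is tightened to "is the domain or a subdomain of it", so an outside domain such as notmyicewarp.com.br does not count as local.

```python
"""Model of the two IceWarp content-filter rules from the post (added example)."""
from dataclasses import dataclass
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

LOCAL_DOMAIN = "icewarp.com.br"                 # local domain used in the post
TRUSTED_NETS = [ip_network("10.0.0.0/8")]       # assumption: IceWarp "trusted IP" list
# Exceptions from the post: a relay host/IP for the envelope-sender rule, a device
# domain and a remote recipient for the From-header rule.
ENVELOPE_EXCEPT_HOSTS = {"otherhost.com"}
ENVELOPE_EXCEPT_IPS = {"192.168.201.2"}
FROM_EXCEPT_SENDER_DOMAINS = {"blackberry.com"}
FROM_EXCEPT_RECIPIENTS = {"joe@hotmail.com"}


@dataclass
class Session:
    mail_from: str      # SMTP envelope MAIL FROM (what the logs show)
    from_header: str    # RFC 5322 From: header (what the user sees)
    rcpt_to: str
    smtp_auth: bool     # client passed SMTP AUTH
    client_ip: str
    client_host: str    # reverse-DNS name of the connecting client


def addr_domain(value: str) -> str:
    """Domain part of an address or a 'Name <addr>' header, lowercased."""
    return parseaddr(value)[1].rpartition("@")[2].lower()


def is_local(domain: str) -> bool:
    # Stricter than the post's "ends with string": domain itself or a subdomain only.
    return domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN)


def ip_trusted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_NETS)


def forged_envelope_sender(s: Session) -> bool:
    """Rule 1: local MAIL FROM, no AUTH, untrusted IP, not an excepted host/IP."""
    return (
        is_local(addr_domain(s.mail_from))
        and not s.smtp_auth
        and not ip_trusted(s.client_ip)
        and s.client_host.lower() not in ENVELOPE_EXCEPT_HOSTS
        and s.client_ip not in ENVELOPE_EXCEPT_IPS
    )


def forged_from_header(s: Session) -> bool:
    """Rule 2: local From: header, no AUTH, untrusted IP, sender/recipient not excepted."""
    return (
        not s.smtp_auth
        and is_local(addr_domain(s.from_header))
        and addr_domain(s.mail_from) not in FROM_EXCEPT_SENDER_DOMAINS
        and not ip_trusted(s.client_ip)
        and parseaddr(s.rcpt_to)[1].lower() not in FROM_EXCEPT_RECIPIENTS
    )


def classify(s: Session) -> set:
    """Names of the audit mailboxes the session would be forwarded to."""
    hits = set()
    if forged_envelope_sender(s):
        hits.add("cf-forged-sender")
    if forged_from_header(s):
        hits.add("cf-forged-from")
    return hits


# Constructed sessions (assumptions, not real traffic).
SESSIONS = {
    "spoofed_external": Session("ceo@icewarp.com.br", "ceo@icewarp.com.br",
                                "joe@icewarp.com.br", False, "203.0.113.5", "mail.example.net"),
    "authenticated_user": Session("ceo@icewarp.com.br", "ceo@icewarp.com.br",
                                  "joe@icewarp.com.br", True, "203.0.113.5", "mail.example.net"),
    # Hotel relay on the excepted IP: rule 1 skips it, rule 2 (no IP exception) still fires.
    "hotel_relay": Session("ceo@icewarp.com.br", "ceo@icewarp.com.br",
                           "joe@icewarp.com.br", False, "192.168.201.2", "smtp.hotel.example"),
    # Invitation site sets From: to a local user: the false positive the post mentions.
    "invitation_site": Session("invite@social.example", "Joe <joe@icewarp.com.br>",
                               "ann@icewarp.com.br", False, "198.51.100.7", "mta.social.example"),
    "blackberry": Session("user@blackberry.com", "Joe <joe@icewarp.com.br>",
                          "ann@icewarp.com.br", False, "198.51.100.9", "srv.blackberry.com"),
    "trusted_gateway": Session("ceo@icewarp.com.br", "ceo@icewarp.com.br",
                               "joe@icewarp.com.br", False, "10.1.2.3", "gw.internal"),
}

if __name__ == "__main__":
    for name, sess in SESSIONS.items():
        print(f"{name:18} -> {sorted(classify(sess)) or 'clean'}")
```

Running it shows why the post recommends an audit-only action first: the hotel relay and the invitation site are both flagged by the From-header rule even though neither is an attack, while the trusted-IP and BlackBerry exceptions pass cleanly.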