How do I block spoofed emails?
Posted by Dayan D. Jeremiah, Last modified by Dayan D. Jeremiah on 22 May 2020 05:01 PM

Spambots and spammers often use a technique where the From: address in the message header differs from the MAIL FROM address given in the SMTP session, to mask spoofed messages. The example below shows a typical spoofed SMTP session:

220 127.0.0.1 ESMTP IceWarp 10.4.5; Thu, 04 Apr 2013 09:59:04 +0200
HELO mail.yourdomain.com
250 127.0.0.1 Hello spammer [127.0.0.1], pleased to meet you.
MAIL FROM:spammer@domain.com
250 2.1.0 <spammer@domain.com>... Sender ok
RCPT TO:user@yourdomain.com
250 2.1.5 <user@yourdomain.com>... Recipient ok; will forward
DATA
354 Enter mail, end with "." on a line by itself
FROM:user@yourdomain.com
SUBJECT:This is a spoofed email!
Gotcha!
.
250 2.6.0 35 bytes received in 00:00:23; Message id 201304041000050002 accepted for delivery

The email above would most likely be accepted by your server and will appear in the Inbox as coming from "user@yourdomain.com" when in fact the mail was sent by spammer@domain.com.

STOPPING SPOOFED EMAILS USING AN ANTI-SPAM DEPENDENT CONTENT FILTER

The most effective and efficient way to stop spoofed emails is to create an anti-spam dependent content filter in Mail > Security > Rules > Content Filters.

! Where Session is trusted
AND ! Where From: message header matches %%Sender_Domain%%
AND ! Where SMTP AUTH
AND ! Where SQL returns records SELECT * FROM Senders WHERE (SndEmail="%%Sender_Email%%" AND SndOwner="%%Recipient_Email%%") OR (SndEmail="%%Sender_Email%%" AND SndOwner="*") OR (SndEmail="%%From_Email%%" AND SndOwner="%%Recipient_Email%%") OR (SndEmail="%%From_Email%%" AND SndOwner="*")
Reject message

WHAT IF I DON'T HAVE ANTI-SPAM?

If you do not use the Anti-Spam engine, you can still create a spoof filter, but it will not be as accurate as one used with the Anti-Spam engine, because in some instances valid senders (mostly newsletters) intentionally use a MAIL FROM that differs from their From: header. The filter below will block any spoofed email detected:

! Where Session is trusted
AND ! Where From: message header matches %%Sender_Email%%
AND ! Where SMTP AUTH
Reject message
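
The decision logic of the two filters above, as an added Python example (not IceWarp code and not part of the original article). It assumes "matches" means the From: address has the same domain (first filter) or the same full address (second filter) as the MAIL FROM sender; `should_reject`, its parameters and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: the session from the article, and a newsletter whose
# bounce address (MAIL FROM) differs from its visible From: header.
SPOOFED = "From: user@yourdomain.com\nSubject: This is a spoofed email!\n\nGotcha!\n"
NEWSLETTER = "From: News <news@shop.example>\nSubject: Weekly offers\n\nHello\n"

def domain(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()

def should_reject(mail_from, rcpt_to, raw_message, *, trusted=False,
                  smtp_auth=False, senders_rows=(), use_antispam=True):
    """Return True when the filter conditions all hold and the message is rejected.

    senders_rows stands in for the Senders table as (SndEmail, SndOwner) pairs.
    """
    # "! Where Session is trusted" and "! Where SMTP AUTH"
    if trusted or smtp_auth:
        return False
    header = message_from_string(raw_message).get("From", "")
    from_email = parseaddr(header)[1].lower()
    sender = mail_from.lower()
    if not use_antispam:
        # Second filter: From: header must match %%Sender_Email%% exactly.
        return from_email != sender
    # First filter: From: header must match %%Sender_Domain%%.
    if domain(from_email) == domain(sender):
        return False
    # SQL condition: a row for the sender or From: address, owned by the
    # recipient or by "*", means the query returns records and nothing is rejected.
    owners = {rcpt_to.lower(), "*"}
    for snd_email, snd_owner in senders_rows:
        if snd_email.lower() in (sender, from_email) and snd_owner.lower() in owners:
            return False
    return True

if __name__ == "__main__":
    print(should_reject("spammer@domain.com", "user@yourdomain.com", SPOOFED))
    print(should_reject("bounce-1@mailer.example", "user@yourdomain.com",
                        NEWSLETTER, senders_rows=[("news@shop.example", "*")]))
```

The newsletter case shows the accuracy difference: with a matching Senders row the first filter lets it through, while the second filter rejects it because MAIL FROM and From: differ.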
