Knowledgebase: Technical
How do I block spoofed emails?
Posted by Dayan D. Jeremiah, Last modified by Dayan D. Jeremiah on 25 February 2022 06:02 PM

Spambots and spammers often use a technique where the SMTP FROM: in the message header is different from the MAIL FROM to mask the spoofed messages. The example below shows a typical spoofed SMTP session;

220 127.0.0.1 ESMTP IceWarp 10.4.5; Thu, 04 Apr 2013 09:59:04 +0200
HELO mail.yourdomain.com
250 127.0.0.1 Hello spammer [127.0.0.1], pleased to meet you.
MAIL FROM:spammer@domain.com
250 2.1.0 <spammer@domain.com>... Sender ok
RCPT TO:user@yourdomain.com
250 2.1.5 <user@yourdomain.com>... Recipient ok; will forward
DATA
354 Enter mail, end with "." on a line by itself
FROM:user@yourdomain.com
SUBJECT:This is a spoofed email!
Gotcha!
.
250 2.6.0 35 bytes received in 00:00:23; Message id 201304041000050002 accepted for delivery

The email above would most likely be accepted by your server and will appear in the InBox as coming from "user@yourdomain.com" when in fact the mail was sent by spammer@domain.com .

STOPPING SPOOFED EMAILS USING AN ANTI-SPAM DEPENDENT CONTENT FILTER

The most effective and efficient way to stop spoofed emails is to create an anti-spam dependent content filter in Mail > Security > Rules > Content Filters .

! Where Session is trusted
AND ! Where From: message header matches %%Sender_Domain%%
AND ! Where SMTP AUTH
AND ! Where SQL returns records SELECT * FROM Senders WHERE (SndOwner="%%Recipient_Email%%" OR SndOwner="*") AND (SELECT SndEmail="%%Sender_Domain%%" OR SndEmail="%%Sender_Email%%" OR SndEmail="%%From_Domain%%" OR SndEmail="%%From_Email%%")
Reject message

WHAT IF I DON'T HAVE ANTI-SPAM?

If you do not use the Anti-Spam engine you can still create a spoof filter but it will not be as accurate as compared to using it with the Anti-Spam engine because in some instances valid senders mostly newsletters will intentionally spoof their MAIL FROM and FROM. The filter below will block any spoofed email detected;

! Where Session is trusted
AND ! Where From: message header matches %%Sender_Email%%
AND ! Where SMTP AUTH
Reject message

(0 vote(s))
Helpful
Not helpful