Blocking mails with bogus sender domain
iQ.Suite Tips & Tricks for IBM Domino
SMTP mails can be configured and
manipulated in a vast number of ways. By now it is unlikely that any
spammers still send emails under their own email address. iQ.Suite has
several functions that enable you to recognise these fake or spoof mails
as spam and filter them out of your mailbox.
Emails that have
the recipient's own SMTP domain as the sender domain are easy enough to
check. If this is found to be the case, the mail is likely to be a spam
mail with a faked sender address. To understand this and to put it to
good use, we must first look at how iQ.Suite works:
All address
information from an email (i.e. sender and recipient addresses) is
transferred to the NAB prior to verification. Here, an attempt is made
to find the appropriate entry and "normalise" it. An email with the
original SMTP recipient address "admin@training.local" then becomes
"domino admin/training@training". This shows that someone in the NAB has
the above SMTP mail address.
In the case of the sender, the
original address is typically the sender’s common name, e.g. "CN=Domino
Admin/O=training@training". Again it is normalised: the address that has
to be compared is then "domino admin/training@training".
So no
email from an internal user will normally ever arrive with an SMTP
sender address. A sender of "admin@training.local" is not possible. Here
again, we are assuming a standard architecture and that internal emails
are sent as Notes mails.
In some environments this does not fully
apply, or only applies to some extent. In these cases, the following
steps will produce undesirable results! If you are not sure whether all
internal emails are sent in Notes mail format, you should not execute
the following configuration steps without obtaining advice first from
one of our consultants!
Emails that claim to come from
our own SMTP domain are therefore typically spam. They are relatively
easy to filter out. This is achieved using the same mechanism that we
described in our September 2008 Tips & Tricks:
To block emails from senders who have your own SMTP domain, proceed as follows:
- Configure a "Spoofed Sender" mail address rule (Global - Mail Rules - New):
Sender - in sender list
Sender condition - contained
Sender list - ~*@training.local
Instead of training.local you must of course enter your own SMTP domain.
Here it is important to remember the tilde ~!

- Configure a basic wall mail job (Wall - Mail Jobs - New - Wall Mail Job):
Basics
- Priority: Set the priority as required for your environment. This job can run relatively "early" with the anti-spam jobs, and certainly after the virus scan.
- Runs on: Selected mails
- Click on Selection under Edit Rules and add the Spoofed Sender rule to the list of positive rules (top pane).
- Valid for senders: All

Operations - Denied Recipients
- Action on alarm: Delete mail
- Category in quarantine report: spoofed (or SPAM)
- List of recipients: All in list: *@*

Misc
- Quarantine configuration: DEFAULT - Quarantine configuration

You can leave all the other settings as they are set by default in the job.
Now
you can activate the job and test it. Write a fake email with one of
your company’s SMTP sender addresses. Immediately after the email
arrives, you will find it in the quarantine database under the category
"spoofed" (or "SPAM"). You should also write an email with valid sender
data and one from inside the company in order to check that they do get
delivered.
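The warning above about internal mail that is not sent in Notes format can be checked before the job is activated. The following is an added example, not part of iQ.Suite or of the original article: it looks through connection records for senders that use your own SMTP domain and separates those arriving from internal hosts (systems whose mail the new job would remove) from external ones. The CSV layout, the sample records, the internal network range and the function names are assumptions made for this illustration.

```python
import csv
import io
import ipaddress

OWN_DOMAIN = "training.local"                         # the article's example domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: your internal range

# Constructed sample records: connecting host, sender address as it arrived.
SAMPLE_LOG = """\
10.1.2.15,CN=Domino Admin/O=training@training
10.1.7.40,scanner@training.local
203.0.113.9,admin@Training.Local
198.51.100.4,alice@example.org
10.1.7.41,"Backup Job <backup@training.local>"
"""

def is_own_domain_smtp(sender):
    """True if the sender is an SMTP address in OWN_DOMAIN, not a Notes name."""
    s = sender.strip()
    if "<" in s and s.endswith(">"):          # "Display Name <addr>" form
        s = s[s.rfind("<") + 1:-1]
    # Simplification: a "/" before the "@" marks a Notes hierarchical name.
    if s.upper().startswith("CN=") or "/" in s.split("@")[0]:
        return False
    local, _, domain = s.rpartition("@")
    return bool(local) and domain.lower() == OWN_DOMAIN

def audit(log_text):
    """Return (internal, external) lists of own-domain SMTP senders."""
    internal, external = [], []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 2 or not is_own_domain_smtp(row[1]):
            continue
        ip = ipaddress.ip_address(row[0])
        is_internal = any(ip in net for net in INTERNAL_NETS)
        (internal if is_internal else external).append((row[0], row[1]))
    return internal, external

if __name__ == "__main__":
    internal, external = audit(SAMPLE_LOG)
    print("Internal systems sending with your own SMTP domain (clarify first):")
    for host, sender in internal:
        print(f"  {host}  {sender}")
    print("External senders claiming your own domain (expected matches):")
    for host, sender in external:
        print(f"  {host}  {sender}")
```

Any entry in the internal list is a system to clarify before the job goes live, as the article advises.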
Please note that our Support staff can only answer
questions about configuring iQ.Suite. You will find further information
on SMTP, mail client and Domino server settings, etc. in the
documentation on the Internet, or you can obtain it from the manufacturer.
Our training courses provide some background information on SMTP and its
mechanisms, show why one job functions with certain settings and
describe numerous additional methods of effectively combating spam.
Come and see. We look forward to your visit!