Spoofed email

Discussion forum for Enterprise Edition.
Post Reply
dcol
Posts: 100
Joined: Fri May 26, 2017 11:25 pm

Spoofed email

Post by dcol » Fri Oct 18, 2019 3:44 pm

I know there has been a lot of talk for a long time about detecting spoofed emails, but is there actually a way to do it? Maybe with an MTA script or something?

Here is an example of what I am seeing from the email source
envelope-from <info@spoof.com.ar>
From: "good_user@mydomain.com" <info@spoof.com.ar>
To: "good_user2@mydomain2.com" <good_user2@mydomain2.com>
X-Envelope-Sender: info@spoof.com.ar
X-ME-Bayesian: 0.000000
X-Source-Auth: info@spoof.com.ar
X-ME-CountryOrigin: US

I get hundreds of them a day all from foreign accounts. Is there a way to GeoIP check the 'X-Envelope-Sender' or 'envelope-from' or 'X-Source-Auth' fields?

Maranda
Posts: 27
Joined: Mon Dec 11, 2017 8:10 pm

Re: Spoofed email

Post by Maranda » Sun Oct 20, 2019 7:31 pm

You could create a filter using a criteria script that matches the from field with the envelope-from one, and spams out the message when it doesn't match but beware it could cause several issues with mailing lists. Honestly I catch almost all of those with just the ME internal bayesian filter.

dcol
Posts: 100
Joined: Fri May 26, 2017 11:25 pm

Re: Spoofed email

Post by dcol » Sun Oct 20, 2019 9:09 pm

Never looked at the Criteria script editor. Looks promising. Maybe I can do a country match on the envelope-from field and then give it a spam probability of 100. I will look for some examples. Not sure of the correct syntax with this feature.

dcol
Posts: 100
Joined: Fri May 26, 2017 11:25 pm

Re: Spoofed email

Post by dcol » Sun Oct 20, 2019 9:32 pm

Do you mean something like this. Obviously I may need more qualifiers.
What I am really asking is if I can match a field like envelope-from like this?

If CriteriaMet([envelope-from],"*") <> _
CriteriaMet([ME_FROM],"*") Then
FilterResult=1
End If

Thanks

Post Reply