Mail is still being received from blacklisted domains (spoofed emails)


SUMMARY

Considerations in blocking SPAM and how e-mail messages can be 'spoofed' to appear to come from someone other than their actual sender.

DETAIL

Sometimes it is difficult to validate the actual origin of a mail message. The contents of the message (and how it is viewed in the mail client) have virtually nothing to do with where the message actually came from. The analogy is an envelope and a message. An envelope can be sent to one person, but the letter inside could contain a message for another person. If you throw the envelope away, you have little proof of who the message actually came from. This is very much what happens with mail. Spammers send a message and address the envelope to your actual address; however, the message inside the envelope says that it is from someone else.

Here is an example:

SMTP Server receives mail from User1 to User@yourdomain.com.

The contents of the message/message headers sent in the SMTP transaction contain the following:

To: User@yourdomain.com
From: EasterBunny@Whereeveryouwant.com
Subject: This is spam

Message text

For example, it is possible to blacklist Whereeveryouwant.com, but this will not block the offending e-mail; you actually need to blacklist User1 (or the IP address that the person is sending from).
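
The envelope/header split described above, as an added example (not MailEnable code or its log format): it parses a constructed SMTP session and applies a domain blacklist to the envelope sender. Matching on the envelope sender is an assumption modelled on the article's statement; `user1@sender.example` is a placeholder standing in for User1.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed client side of an SMTP session (sample data, not a real log).
# user1@sender.example is a placeholder for the article's "User1".
SESSION = """\
EHLO mail.sender.example
MAIL FROM:<user1@sender.example>
RCPT TO:<User@yourdomain.com>
DATA
To: User@yourdomain.com
From: EasterBunny@Whereeveryouwant.com
Subject: This is spam

Message text
.
QUIT
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def split_session(session):
    """Return (envelope_sender, envelope_recipients, header_from)."""
    sender, rcpts, data, in_data = None, [], [], False
    for line in session.splitlines():
        if in_data:
            if line == ".":              # a lone dot ends the DATA phase
                in_data = False
            else:
                data.append(line)        # headers and body: sender-controlled text
        elif line.upper().startswith("MAIL FROM:"):
            sender = parseaddr(line[len("MAIL FROM:"):])[1]
        elif line.upper().startswith("RCPT TO:"):
            rcpts.append(parseaddr(line[len("RCPT TO:"):])[1])
        elif line.upper() == "DATA":
            in_data = True
    header_from = parseaddr(message_from_string("\n".join(data))["From"])[1]
    return sender, rcpts, header_from

def blocked_by_domain_blacklist(session, blacklist):
    """Assumed behaviour: the blacklist is matched against the envelope sender."""
    sender, _, _ = split_session(session)
    return domain_of(sender) in blacklist

if __name__ == "__main__":
    print(split_session(SESSION))
    print(blocked_by_domain_blacklist(SESSION, {"whereeveryouwant.com"}))
    print(blocked_by_domain_blacklist(SESSION, {"sender.example"}))
```

Blacklisting the domain shown in the From: header leaves the message unblocked, while blacklisting the envelope sender's domain catches it.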

SOLUTION

The solution is to work out exactly who is sending these messages and what IP address they are sending them from. Unfortunately, by the time the message is received in the mailbox, virtually all envelope information has been lost; it resides only in the MailEnable logs. MailEnable does allow you to do reverse lookups on sender addresses and to require PTR records, and this is the best way to get around this problem.

The domain blacklisting feature (as opposed to Reverse DNS Blacklisting) is not intended to fight spam. It is intended more to stop users receiving mail from legitimate (i.e. non-spoofed) domains. It has limited effectiveness in preventing SPAM from spammers, who can masquerade their domains as whoever they want.

MORE INFORMATION

Blacklisting mechanisms: Article ME020084



Product:MailEnable (All Versions)
Category:Operation
Article:ME020140
Module:SMTP
Keywords:SPAM,spoof,blacklist,ban,domain,black-list,domains,blacklisted
Class:INF: Product Information
Created:16/06/2003 8:53:00 PM
Revised:Wednesday, May 4, 2016
Author:
Publisher:MailEnable