How to Block Spoofed Email in SMG That Looks Like It Is From Our Domain if SPF Isn't an Option

  • 7020831
  • 30-Mar-2017
  • 30-Nov-2018

Environment


GWAVA 7

Situation

How can I block spoofed email that looks like it is from our domain? SPF isn't working on these messages because the Return-Path line (the address that SMG uses for scanning) is not our domain, but the 'From' line is our domain. The users see the message as coming from a trusted person in our company.

Resolution


If, for various reasons, spoofed email that appears to be from your domain is not blocked via SPF, you can create a Message Header filter to block it:

1) In the System Administration web page, go to Organization/Policy Management | Policy scan configuration | <Policy Name> 

2) Add 'Message Text' to your workbench by dragging it down from 'Filter Templates' to 'Deployment workbench'. Click on the name to rename it to 'Message header'.

3) Click on the icon to edit it, then do the following:

a) Check the box next to 'Look in message header'.

b) In the 'Search criteria' type the following: From:*yourdomain.com

c) Click 'OK' and save the changes (blue disk on top right corner)

NOTE: If you already have a 'message text' component, you can add this to it. Just be sure that the 'Look in the message header' option is checked.

4) Link 'Message Block' and 'Quarantine' to the 'Message header' component by dragging the orange circle for each to the 'Message header' component. Save the changes again.

5) Make sure you aren't scanning this event on outbound email; otherwise, all your outbound email will get blocked.

6) If you have any source address exceptions for your domain, make sure to link them to this Message Header component.
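To preview which messages the filter would affect before deploying it, the following added example (not SMG code and not part of the original article) models the decision on constructed sample messages. The `classify` function, its `exceptions` parameter (standing in for the source address exceptions of step 6) and the sample domains are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "yourdomain.com"  # placeholder used in the article's search criteria

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def classify(raw, direction="inbound", exceptions=frozenset(), ours=OUR_DOMAIN):
    """Model what a From-header filter for `ours` does with one message.

    exceptions: envelope-sender domains allowed to send as `ours`
                (hypothetical stand-in for the exceptions of step 6).
    """
    if direction != "inbound":
        return "skip"    # step 5: the filter must not run on outbound mail
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path"))  # the domain SPF evaluated
    visible = domain_of(msg.get("From"))          # the domain the user sees
    if visible != ours:
        return "pass"    # From is not our domain, so the filter does not apply
    if envelope in exceptions:
        return "pass"    # known sender that is allowed to use our domain
    return "block"       # inbound mail claiming our domain in From

# Constructed sample messages (not real traffic).
SPOOFED = (
    "Return-Path: <bounce@mailer.example.net>\n"
    'From: "Pat Smith" <pat@yourdomain.com>\n'
    "Subject: Invoice\n\nPlease review.\n"
)
PARTNER = (
    "Return-Path: <alice@partner.example.org>\n"
    "From: Alice <alice@partner.example.org>\n"
    "Subject: Hello\n\nHi.\n"
)
NEWSLETTER = (  # third-party service sending on behalf of our domain
    "Return-Path: <bounces@news.example.com>\n"
    "From: HR <hr@yourdomain.com>\n"
    "Subject: Benefits\n\nOpen enrollment.\n"
)

if __name__ == "__main__":
    for name, raw in [("SPOOFED", SPOOFED), ("PARTNER", PARTNER), ("NEWSLETTER", NEWSLETTER)]:
        print(name, classify(raw), classify(raw, exceptions={"news.example.com"}))
```

The NEWSLETTER sample shows why step 6 matters: a legitimate outside service that sends with your domain in the 'From' line is blocked until an exception is linked to the component.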

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 2907.