This article applies to:
- Trustwave ECM/MailMarshal Exchange
Question:
How do I block spoofed messages in MailMarshal Exchange?
Procedure:
In MailMarshal Exchange, internal messages (Exchange user to Exchange user) do not have a Received: line in the header. Because of this, spoofed messages can be stopped by creating the rule below in the internal ruleset. This rule takes advantage of the fact that spoofed messages from the Internet (those with a local From: address) will have a Received: line in the message header.
Note: Notice the exception for Remote Users. If there are any POP3 email users in the environment, an exception to this rule must be made in the inbound ruleset to ensure that their email is not stopped.
Warning: All inbound emails from an external point will contain a Received: line in its header. Blocking spoofed messages with the rule provided in this article is based on that fact. Therefore, if you are in the middle of an Exchange migration (5.5 to 2000 or 2003), this rule will block legitimate email that is being forwarded based on your Microsoft Active Directory Connector (ADC) forwarder. Trustwave recommends disabling this Block Spoofed Messages rule during your migration. Once the migration is complete, you will not see this issue anymore.
Standard Rule: Block Spoofed Messages
When a message arrives
Where addressed both to '[YourDomain] Domain Users' and from '[YourDomain] Domain Users'
Except where addressed from '[YourDomain] Remote Users'
Where message contains one or more headers 'Received Line'
Write log message(s) with 'Spoofed Message'
And move the message to 'Spoofed Messages'
To set up the header match:
- In the 'Header Match' dialog, click New.
- Select the 'Received' field.
- Set the 'Field Parsing' method to Entire Line.
- Click Next.
- In the 'Field Search Expression' field, type the following text: (.+)
- Click Next.
- Enter the 'Title' as Received Line.
- Click Finish.
- Click OK in the 'Header Match' Dialog.
- This article was previously published as:
- NETIQKB35352