Search

All of Symantec All of Symantec Support Viruses & Risks Home & Home Office Small Business Enterprise Partners VERITAS

Question/Issue:
You see spam messages that appear to be coming from your own domain (spoofed mail). You would like to know how these spoofed messages can be prevented.

Symptoms:

1. Spam messages are going through undetected.
2. These spam messages pretend to be coming from your own domain (i.e., spoofed mail).
   Example: abc@test.com receives a spam mail from abc@test.com

Cause:
Spammers have found existing email addresses in your domain, and are now targeting specifically these email addresses.

Solution:
Several options exist when configuring your Symantec Mail Security for Microsoft Exchange 5.0.x or 6.0.x.

Options in Symantec Mail Security and Symantec Information Foundation Mail Security for MS Exchange

Determine whether your own domain has been added to the Sender White List

1. In the SMSMSE Console, go to Policies > Antispam > Blacklist and Whitelist.
2. In the “Allowed Senders” box, verify the list and make sure that your own domain is NOT listed.
3. In the “Unfiltered Recipients List” box verify the list and make sure that the email addresses that are receiving spoofed messages and spam are NOT listed.
4. If you have made changes, be sure to click the Deploy Changes button to save.

Ensure all reputation services are enabled

1. In the SMSMSE Console, go to Policies > Antispam > Premium AntiSpam Settings.
2. Under “Reputation Services” verify that all items are selected.

Create a content filtering rule to block outside emails claiming to be coming from your domain
Title: 'Walkthrough: Blocking spoofed email in Symantec Mail Security for Microsoft Exchange'
Document ID: 2008121815164254
> Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2008121815164254?Open&seg=ent

Submit Copies of the New Spam
See document:

Title: 'Manually submitting spam and false positive messages to the Symantec Security Response Center'
Document ID: 2005012415180263
> Web URL: http://service1.symantec.com/support/ent-gate.nsf/docid/2005012415180263

Content Filtering Rules
See the Symantec Mail Security for MS Exchange Implementation Guide (PDF – 2.18 mb) for details on how to create a Content Filtering Rule.

Options in Microsoft Exchange

Note: The following information was added for convenience only, questions concerning the steps in the following section should be directed to Microsoft.

Verify the messages are not being safelisted by Exchange 2007
Title: 'Premium Anti-spam fails to detect spam or performs poorly on Windows Server 2008 Small Business Edition.'
Document ID: 2009102910285954
> Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2009102910285954?Open&seg=ent

Create a sender policy framework (SPF) record for the IP addresses within your domain and enable authentication via SPF records for your own domain.
(This is an option if messages from your own domain come from IP addresses other than the ones you manage, in your network.)

Confirm that the SPF records for these IP addresses have been properly configured by your domain's DNS administrator.
Then you can enable SPF checking for your domain.

Refer to the following Microsoft articles for details:

Microsoft Exchange 2003:
http://www.msexchange.org/tutorials/Configuring-enabling-Sender-ID-filtering-Exchange-2003-SP2.html

Microsoft Exchange 2007:
http://technet.microsoft.com/en-us/magazine/cc160870.aspx

Alternatively, remove the ms-exch-smtp-accept-authoritative-domain-senders permission from "NT Authority\Anonymous Logon" on the Receive Connector that accepts inbound internet mail.

Refer to the following document:

HOW TO: Prevent annoying spam from your own domain http://exchangepedia.com/blog/2008/09/how-to-prevent-annoying-spam-from-your.html


Options in other Symantec software
Create a compliance rule to reject sender's envelope address containing your domain address in Symantec Gateway Security (SGS) products:
http://service1.symantec.com/support/ent-gate.nsf/docid/2006011909512654

References:
Title: 'FAQ: Spoof email'
Document ID: 2004052710202154
> Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2004052710202154?Open&seg=ent

Symantec Mail Security for MS Exchange Implementation Guide (PDF – 2.18 mb)
ftp://ftp.symantec.com/public/english_us_canada/products/sym_mail_security/5.0_mse/manuals/sms_imp_guide.pdf

Document ID: 2008121815234654
Last Modified: 12/02/2009
Date Created: 12/18/2008
Operating System(s): Windows 2000 Server/Advanced Server/Data Center SP4, Windows Server 2003 Standard/Enterprise/Data Center (no SP required), Exchange 2000 Server SP3/Enterprise Server, Exchange Server 2003/Enterprise Server
Product(s): Symantec Mail Security 5.x for Microsoft Exchange, Symantec Mail Security 6.0 for Microsoft Exchange
Release(s): 5.0 [All Releases], MSME 5.0 [All Releases], SMSMSE 6.0 [All Releases]

Site Index · Legal Notices · Privacy Policy · · Contact Us · Global Sites · License Agreements