How to block a spoofed Spam with the same From and To email address using our custom policy filter

03/26/2020 1064 11081

DESCRIPTION:
How to block a spoofed Spam with the same From and To email address using our custom policy filter

RESOLUTION:

Introduction

You may find yourself receiving spoofed spam messages where the same local email address is being used for both the From: and To: fields in the message. This could also be found in the return path within the message header itself. In some cases, removing the entry from the (corprate or peruser) allowlist may not prevent the entry from readded to the allowlist. (Please refer to KB: 5585). Or if the administrator finds himself with too many users where this scenario is taking place, that it may not be the most effective process in adressing the issue as sorting through all the affected users may prove to be a lengthy process.  If this is the case, it may be beneficial to leverage policy filters or dictionary policies (if you host for many domains) to help combat the spoofed spam issue you are experiencing.

(Please note: This article is to help address the spoofed spam issues only. If you have a managed server outside of your local aread network that legitimately creates inbound mail traffic where the sending address will be one of your accepted domains, you will need to create exceptions to this policy filter. This policy filter can affect remote users depending on where their managed servers sits, so proceed with caution. As long as the managed server is on the local area network, this policy should be fine).

Resolution or Workaround

Looking at the headers we would see that the message many times has this line.

Return-Path: johnsmith@domain.com

From: "Some Name" <johnsmith@domain.com>
To: "Your Name" <johnsmith@domain.com>

X-Mlf-Threat-Detailed: nothreat;none;none;list_addrbk_sender

This indicates that the user has their own email address in their allowed list.

Under Manage | Policy & Compliance | Filters | Inbound there is an option to ADD NEW FILTER.

The sample will look as follows:

Be sure to place this policy filter in the order of precedence desired as the filters list will process in the order listed.

If you have multiple domains that you would like to implement this for, you may wanto leverage your Dictionaries. This is only available to you if you have a current Compliance subscription enabled through your mysonicwall.com account.

First create the dictionary with the relevant domains you are currently hosting and filtering for. This can be found in Policy & Compliance > Compliance Module > Dictionaries:

Next, add your domains to the dictionary:

Now go ahead and go back to the Filters to create the spoofed policy filter. It is found by going to Policy & Compliance > Filters. When configuring the filter this time, simply point it to look at the dictionary you just created.

NOTE:  This article is applicable to all versions and platforms of Email Security.