- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How to block a spoofed Spam with the same From and To email address using our custom policy filter
03/26/2020 
1,071 People found this article helpful
43,884 Views
Description
How to block a spoofed Spam with the same From and To email address using our custom policy filter
Resolution
Introduction
You may find yourself receiving spoofed spam messages where the same local email address is being used for both the From: and To: fields in the message. This could also be found in the return path within the message header itself. In some cases, removing the entry from the (corprate or peruser) allowlist may not prevent the entry from readded to the allowlist. (Please refer to KB: 5585). Or if the administrator finds himself with too many users where this scenario is taking place, that it may not be the most effective process in adressing the issue as sorting through all the affected users may prove to be a lengthy process. If this is the case, it may be beneficial to leverage policy filters or dictionary policies (if you host for many domains) to help combat the spoofed spam issue you are experiencing.
(Please note: This article is to help address the spoofed spam issues only. If you have a managed server outside of your local aread network that legitimately creates inbound mail traffic where the sending address will be one of your accepted domains, you will need to create exceptions to this policy filter. This policy filter can affect remote users depending on where their managed servers sits, so proceed with caution. As long as the managed server is on the local area network, this policy should be fine).
Resolution or Workaround
Looking at the headers we would see that the message many times has this line.
Return-Path: johnsmith@domain.com
From: "Some Name" <johnsmith@domain.com>
To: "Your Name" <johnsmith@domain.com>
X-Mlf-Threat-Detailed: nothreat;none;none;list_addrbk_sender
This indicates that the user has their own email address in their allowed list.
Under Manage | Policy & Compliance | Filters | Inbound there is an option to ADD NEW FILTER.
The sample will look as follows:
Be sure to place this policy filter in the order of precedence desired as the filters list will process in the order listed.
If you have multiple domains that you would like to implement this for, you may wanto leverage your Dictionaries. This is only available to you if you have a current Compliance subscription enabled through your mysonicwall.com account.
First create the dictionary with the relevant domains you are currently hosting and filtering for. This can be found in Policy & Compliance > Compliance Module > Dictionaries:
Next, add your domains to the dictionary:
Now go ahead and go back to the Filters to create the spoofed policy filter. It is found by going to Policy & Compliance > Filters. When configuring the filter this time, simply point it to look at the dictionary you just created.
NOTE: This article is applicable to all versions and platforms of Email Security.
Related Articles
- Email Security Junk Box & Message Log Update Issues (Y2K22 Bug)
- SonicWall Hosted Email Security FAQ
- Email Security Junk Box & Message Log Update Issues - Y2K22 Bug
Categories
- Email Security > Email Security Appliance
- Email Security > Email Security Software
- Email Security > Hosted Email Security
YES
NO