How to block a spoofed Spam with the same From and To email address using our custom policy filter
03/26/2020 
1066 
12606
DESCRIPTION:
How to block a spoofed Spam with the same From and To email address using our custom policy filter
RESOLUTION:
Introduction
You may find yourself receiving spoofed spam messages where the same local email address is being used for both the From: and To: fields in the message. This could also be found in the return path within the message header itself. In some cases, removing the entry from the (corprate or peruser) allowlist may not prevent the entry from readded to the allowlist. (Please refer to KB: 5585). Or if the administrator finds himself with too many users where this scenario is taking place, that it may not be the most effective process in adressing the issue as sorting through all the affected users may prove to be a lengthy process. If this is the case, it may be beneficial to leverage policy filters or dictionary policies (if you host for many domains) to help combat the spoofed spam issue you are experiencing.
(Please note: This article is to help address the spoofed spam issues only. If you have a managed server outside of your local aread network that legitimately creates inbound mail traffic where the sending address will be one of your accepted domains, you will need to create exceptions to this policy filter. This policy filter can affect remote users depending on where their managed servers sits, so proceed with caution. As long as the managed server is on the local area network, this policy should be fine).
Resolution or Workaround
Looking at the headers we would see that the message many times has this line.
Return-Path: johnsmith@domain.com
From: "Some Name" <johnsmith@domain.com>
To: "Your Name" <johnsmith@domain.com>
X-Mlf-Threat-Detailed: nothreat;none;none;list_addrbk_sender
This indicates that the user has their own email address in their allowed list.
Under Manage | Policy & Compliance | Filters | Inbound there is an option to ADD NEW FILTER.
The sample will look as follows:
Be sure to place this policy filter in the order of precedence desired as the filters list will process in the order listed.
If you have multiple domains that you would like to implement this for, you may wanto leverage your Dictionaries. This is only available to you if you have a current Compliance subscription enabled through your mysonicwall.com account.
First create the dictionary with the relevant domains you are currently hosting and filtering for. This can be found in Policy & Compliance > Compliance Module > Dictionaries:
Next, add your domains to the dictionary:
Now go ahead and go back to the Filters to create the spoofed policy filter. It is found by going to Policy & Compliance > Filters. When configuring the filter this time, simply point it to look at the dictionary you just created.
NOTE: This article is applicable to all versions and platforms of Email Security.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
