From the Diary / 12th July, 2016
We are using Symantec IBM lotus Domino as our mailing system for inbound/outbound emails & Symantec Mail Security as anti-spam mechanism. Managing heavily used production email server & fighting with the spam is a really tough job to do and requires continuous monitoring and most times requires additional work to do on regular basis.
From past few days, our email users were receiving lot of spoofed (faked advertisement / malware) emails pretending to be coming from there own email address and sometimes other legitimate users as well.. Subject was different every time , and source was dynamic too in the header. It was really annoying as user does not wants to block his email address in filters.
E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. Example you can receive email pretending to be coming from your own email address, strange and annoying as well too.
Adding SPF record is a good idea and every mail server mx record should have it. However I took another route which is a kind of workaround BUT at least it’s working amazingly good for me !.
Just to share my story. / z@ib
I made following rule in SMSDOM Content Filter Rules Section.
Description: BLOCK SPOOFED EMAILS RULE
Classification: Compliance Rule
This rule is for: Email Routing
Flow: Inbound
This rule is applied: Conditionally
Condition: Unless
Attributes: Sender/Author > myself@mycompany.com
[Exempt my few local servers email ids that are used to send backup/alerts emails to admin via using batch scripts]Rule Expression: if Internet Domain Contains MYCOMAPNY.COM
Action: QUARANTINE the Document
Save the rule.
Images of rules,
End Results:
🙂 & now I can see many spoofed emails dropping in the quarantine box and user’s inbox is clean and shiny.
TIPS:
Test Spoofing
To test sending spoofed email, you can use following web site to do so ..
SPF RECORD: / zaib
To make SPF record on the DNS server, you can use following syntax
v=spf1 mx ip4:1.2.3.4 -all
Above record will allow all your MX records + IP 1.2.3.4 to send email from your domain, everything else is prohibited. But the mail servers or relays must support SPF protocol.
Or if you have two ISP links for primary and secondary mx, (two ip addresses), You can use following
v=spf1 mx ip4:1.2.3.4 ip4:5.6.7.8 -all
whereas 1.2.3.4 , 5.6.7.8 are the Public ip address of your email server.
OR something like
In above image, 1.2.3.4 is primary internet link IP for email server, and 5.6.7.8 is seconday backup internet link IP , so I added both in the record.
Regard’s
Syed Jahanzaib
Hello, i found this topic because im looking for any help by configuring ibm domino server.
Could you please help me to stop spam mail coming with our domain name? we have configured spf records but seems like allot of spam still coming from outside IP’s . Sure there would be no problems , but nowadays we have very stupid and pointless dns blacklisters like spamhaus. Everyday we a getting blacklisted few times by this tool, and im getting freaked out solving this problem… I even tryed to contact spamhaus, to create some spf records, that no mail could pass by diferent IP address…
Could you please text me back to domasaraminas@gmail.com?
LikeLike
Comment by Domas Araminas — November 12, 2018 @ 10:51 PM
We faced this issue a lot in the past, we had symantec mail security for domino , spf, and lot of other things in place but no use,
Finally we acquired Barracuda antispam hardware device, & it sorted this issue as there antispam db is great ., now we are in peace 🙂
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — November 13, 2018 @ 8:11 AM
Wow, nice to hear that you had same problems, lol.
Maybe there is some way to get similar effect from fortinet firewall?
LikeLike
Comment by Domas Araminas — November 13, 2018 @ 12:15 PM
And wow – baracuda antispam device cost 2k USD . I really need less expensive solution…
LikeLike
Comment by Domas Araminas — November 13, 2018 @ 12:21 PM
One more thing – can free vpn client leak our IP ? Im asking because ive find out that few guys in my office using opera (opera’s vpn and one other) to by pass fortigate firewall and visit websites?
LikeLike
Comment by Domas Araminas — November 13, 2018 @ 11:32 PM