Syed Jahanzaib Personal Blog to Share Knowledge !

July 13, 2016

Fighting with Spoofed Emails in IBM Lotus Domino using Symantec SMSDOM

Filed under: IBM Related — Tags: , , , , , — Syed Jahanzaib / Pinochio~:) @ 9:30 AM

s1

From the Diary / 12th July, 2016

We are using Symantec IBM lotus Domino as our mailing system for inbound/outbound emails & Symantec Mail Security as anti-spam mechanism. Managing heavily used production email server & fighting with the spam is a really tough job to do and requires continuous monitoring and most times requires additional work to do on regular basis.

From past few days, our email users were receiving lot of spoofed (faked advertisement / malware) emails pretending to be coming from there own email address and sometimes other legitimate users as well.. Subject was different every time , and source was dynamic too in the header. It was really annoying as user does not wants to block his email address in filters.

E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. Example you can receive email pretending to be coming from your own email address, strange and annoying as well too.

Adding SPF record is a good idea and every mail server mx record should have it. However I took another route which is a kind of workaround BUT at least it’s working amazingly good for me !.

Just to share my story. / z@ib

 

I made following rule in SMSDOM Content Filter Rules Section.

Description: BLOCK SPOOFED EMAILS RULE

Classification: Compliance Rule

This rule is for: Email Routing

Flow: Inbound

This rule is applied: Conditionally

Condition: Unless

Attributes: Sender/Author > myself@mycompany.com
[Exempt my few local servers email ids that are used to send backup/alerts emails to admin via using batch scripts]

Rule Expression: if Internet Domain Contains MYCOMAPNY.COM

Action: QUARANTINE the Document

Save the rule.

 

Images of rules,

1

2

3

4

 

End Results:

🙂 & now I can see many spoofed emails dropping in  the quarantine box and user’s inbox is clean and shiny.

spoofed_results_in_smsdom_quarantine

 

TIPS:

Test Spoofing

To test sending spoofed email, you can use following web site to do so ..

https://www.wormly.com/test_smtp_server

 

SPF RECORD: / zaib

To make SPF record on the DNS server, you can use following syntax

v=spf1 mx ip4:1.2.3.4 -all

Above record will allow all your MX records + IP 1.2.3.4 to send email from your domain, everything else is prohibited. But the mail servers or relays must support SPF protocol.

Or if you have two ISP links for primary and secondary mx, (two ip addresses), You can use following

v=spf1 mx ip4:1.2.3.4 ip4:5.6.7.8 -all

whereas 1.2.3.4 , 5.6.7.8 are the Public ip address of your email server.

OR something like

spf1

In above image, 1.2.3.4 is primary internet link IP for email server, and 5.6.7.8 is seconday backup internet link IP , so I added both in the record.

Regard’s

Syed Jahanzaib

 

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Cancel

Connecting to %s

%d bloggers like this: