Syed Jahanzaib Personal Blog to Share Knowledge !

July 13, 2016

Fighting with Spoofed Emails in IBM Lotus Domino using Symantec SMSDOM

Filed under: IBM Related — Syed Jahanzaib / Pinochio~:) @ 9:30 AM


From the Diary / 12th July, 2016


We are using IBM Lotus Domino as our mailing system for inbound/outbound email, with Symantec Mail Security for Domino (SMSDOM) as the anti-spam layer. Managing a heavily used production email server and fighting spam is a really tough job; it requires continuous monitoring and, most of the time, additional work on a regular basis.

For the past few days, our email users had been receiving a lot of spoofed (fake advertisement / malware) emails pretending to come from their own email address, and sometimes from other legitimate users as well. The subject was different every time, and the sending source in the headers kept changing too. It was really annoying, and a user obviously does not want to block his own email address in the filters.

E-mail spoofing is the forgery of e-mail headers so that a message appears to have originated from someone or somewhere other than the actual source. For example, you can receive an email pretending to come from your own email address, which is strange and annoying as well.

Publishing an SPF record for your domain is a good idea, and every domain that sends mail should have one. Keep in mind, though, that SPF only has an effect on receiving servers that actually check it, and that it validates the envelope sender, not the From: header the user sees. So I took another route, which is a kind of workaround, BUT at least it is working amazingly well for me!

Just to share my story. / z@ib

I made the following rule in the SMSDOM Content Filter Rules section.


Description: BLOCK SPOOFED EMAILS RULE

Classification: Compliance Rule

This rule is for: Email Routing

Flow: Inbound

This rule is applied: Conditionally

Condition: Unless

Attributes: Sender/Author > myself@mycompany.com
[Exempt the few local server addresses that send backup/alert emails to admin from batch scripts. Keep this list as short as possible: the exemption matches on the sender address only, so a spoofed message that uses one of these exact addresses will sail past the rule. Any legitimate outside service that sends mail as your domain (hosted helpdesk, newsletters and the like) also needs an entry here, or its mail will land in quarantine.]

Rule Expression: if Internet Domain Contains MYCOMPANY.COM

Action: QUARANTINE the Document


Save the rule.

Images of the rule configuration: [four screenshots of the rule as configured in SMSDOM, not reproduced here]
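To make the rule's semantics concrete, here is an added example (my own Python, not the author's SMSDOM configuration) that models the rule above over a few constructed messages. The company domain, the exemption list and all the sample addresses are assumptions. It shows the two edge cases worth knowing about: the exemption is by sender address only, so a message forging an exempted address passes, and the rule keys on the address in From:, so a display-name trick carrying an external address is not caught (while a look-alike subdomain is, because "Contains" is a substring match).

```python
# Added example: a stand-alone model of the "BLOCK SPOOFED EMAILS RULE" from
# the post. Not the author's SMSDOM configuration; names are assumptions.
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "mycompany.com"   # value of "Internet Domain Contains" in the rule

# Hypothetical exemption list: local servers that mail backups/alerts to admin.
EXEMPT_SENDERS = {"backup@mycompany.com", "alerts@mycompany.com"}


def sender_address(raw_message: str) -> str:
    """Address part of the From: header (the rule's Sender/Author), lower-cased."""
    msg = email.message_from_string(raw_message)
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.lower()


def apply_rule(raw_message: str, flow: str = "Inbound") -> str:
    """Model of the content-filter rule. Returns 'deliver', 'exempt' or 'quarantine'."""
    if flow != "Inbound":                      # Flow: Inbound only
        return "deliver"
    addr = sender_address(raw_message)
    domain = addr.rpartition("@")[2]
    if COMPANY_DOMAIN not in domain:           # "Contains" is a substring test
        return "deliver"
    if addr in EXEMPT_SENDERS:                 # Condition: Unless Sender/Author is ...
        return "exempt"
    return "quarantine"                        # Action: QUARANTINE the Document


# Constructed sample messages (headers only; the body is irrelevant to the rule).
SAMPLES = {
    # Classic spoof: appears to come from the recipient's own address.
    "self_spoof": "From: Alice <alice@mycompany.com>\r\nTo: alice@mycompany.com\r\n"
                  "Subject: Your invoice\r\n\r\nSee attachment.\r\n",
    # Ordinary external mail: not our domain, left alone.
    "external": "From: Bob <bob@example.net>\r\nTo: alice@mycompany.com\r\n"
                "Subject: Hello\r\n\r\nHi.\r\n",
    # Legitimate backup script mailing the admin from an exempted address.
    "backup_report": "From: backup@mycompany.com\r\nTo: admin@mycompany.com\r\n"
                     "Subject: Nightly backup OK\r\n\r\nDone.\r\n",
    # Attacker forging the exempted address: the rule cannot tell it apart.
    "forged_exempt": "From: backup@mycompany.com\r\nTo: admin@mycompany.com\r\n"
                     "Subject: Backup failed, open this\r\n\r\nOpen the attachment.\r\n",
    # Look-alike subdomain: still caught, because "Contains" matches a substring.
    "lookalike": "From: alice@mycompany.com.login-portal.example\r\n"
                 "To: alice@mycompany.com\r\nSubject: Reset\r\n\r\n.\r\n",
    # Display-name trick: the address itself is external, so the rule passes it.
    "display_name": "From: \"alice@mycompany.com\" <x@attacker.example>\r\n"
                    "To: alice@mycompany.com\r\nSubject: Hi\r\n\r\n.\r\n",
}


def classify_samples() -> dict:
    """Run every sample through the rule and return {name: verdict}."""
    return {name: apply_rule(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} -> {verdict}")
```

Running it prints one verdict per sample. The "forged_exempt" case is the one to watch: because the exemption is keyed on the sender address alone, the only thing that separates the real backup report from the forged one is where the connection came from, which this rule never looks at. If you must exempt such addresses, pair the exemption with a source-IP condition or restrict those scripts to submitting mail internally so their messages never arrive on the inbound flow.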

End Results:

🙂 Now I can see many spoofed emails dropping into the quarantine box, and the users' inboxes are clean and shiny.

[Screenshot: spoofed messages caught in the SMSDOM quarantine]



TIPS:

Test Spoofing

To test sending a spoofed email, you can use the following web site:

https://www.wormly.com/test_smtp_server


SPF RECORD: / zaib

To publish an SPF record, add a TXT record for your domain (on the domain itself, not on the MX host) with the following syntax:

v=spf1 mx ip4:1.2.3.4 -all

The above record allows the hosts your MX records point to, plus the IP 1.2.3.4, to send email for your domain; everything else gets a hard fail (-all). Two things to remember: it only works when the receiving mail servers actually check SPF, and SPF validates the envelope sender (MAIL FROM / Return-Path), not the From: header shown to the user, which is why a header-based rule like the one above is still useful alongside it.

If you have two ISP links for primary and secondary MX (two IP addresses), you can use the following:

v=spf1 mx ip4:1.2.3.4 ip4:5.6.7.8 -all

where 1.2.3.4 and 5.6.7.8 are the public IP addresses of your email server.

Or something like the following:

[Screenshot of the SPF record: 1.2.3.4 is the primary internet link IP for the email server and 5.6.7.8 is the secondary backup link IP, so both are in the record.]
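As an added example of how a receiving server evaluates a record like the ones above (my own code, not part of the post and not a production SPF library), the following Python evaluates v=spf1 records with the mx, ip4 and all mechanisms against a connecting IP. DNS is replaced by a constructed table, so the MX hostnames and their addresses are assumptions; the record itself is the two-link one from the post.

```python
# Added example: a minimal SPF evaluator for the mechanisms used in the post
# (mx, ip4, all). Not the author's code and not a full RFC 7208 implementation.
import ipaddress

# Constructed stand-in for DNS (no network access): the domain's MX hosts and
# their A records. Hostnames and addresses are assumptions.
MX_TABLE = {"mycompany.com": ["mx1.mycompany.com", "mx2.mycompany.com"]}
A_TABLE = {"mx1.mycompany.com": ["1.2.3.4"], "mx2.mycompany.com": ["1.2.3.4"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, mail_from: str, client_ip: str) -> str:
    """Evaluate an SPF record for the envelope sender against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. The first
    mechanism that matches decides the result, exactly as in real SPF.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # not an SPF record at all
    domain = mail_from.rpartition("@")[2].lower()
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                        # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # "ip4:1.2.3.4" means a /32; a CIDR suffix is honoured as well.
            matched = ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            # mx without an argument refers to the MAIL FROM domain itself.
            hosts = MX_TABLE.get(arg.lower() if arg else domain, [])
            matched = any(str(ip) in A_TABLE.get(host, []) for host in hosts)
        else:
            raise ValueError(f"mechanism not supported by this example: {mech}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                           # nothing matched and no 'all' term


# The two-link record from the post: MX hosts plus both public link addresses,
# hard fail for everything else.
RECORD = "v=spf1 mx ip4:1.2.3.4 ip4:5.6.7.8 -all"

if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "198.51.100.7"):
        print(ip, check_spf(RECORD, "alice@mycompany.com", ip))
```

Running it shows 1.2.3.4 passing through the mx mechanism, 5.6.7.8 passing through ip4, and an unrelated address failing on -all. Note the argument the check is made against: mail_from is the envelope sender. A spammer who connects from his own server with his own domain in MAIL FROM passes SPF for that domain, no matter what he writes in the From: header, which is exactly the gap the content-filter rule above closes.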


Regards,

Syed Jahanzaib


5 Comments

  1. Hello, I found this topic because I'm looking for any help with configuring IBM Domino server.
    Could you please help me to stop spam mail coming with our domain name? We have configured SPF records but it seems like a lot of spam is still coming from outside IPs. Sure there would be no problems, but nowadays we have very stupid and pointless DNS blacklisters like Spamhaus. Every day we are getting blacklisted a few times by this tool, and I'm getting freaked out solving this problem... I even tried to contact Spamhaus, to create some SPF records, so that no mail could pass by a different IP address...
    Could you please text me back at domasaraminas@gmail.com?


    Comment by Domas Araminas — November 12, 2018 @ 10:51 PM

    • We faced this issue a lot in the past; we had Symantec Mail Security for Domino, SPF, and lots of other things in place, but no use.
      Finally we acquired a Barracuda anti-spam hardware device, and it sorted this issue as their anti-spam DB is great. Now we are in peace 🙂


      Comment by Syed Jahanzaib / Pinochio~:) — November 13, 2018 @ 8:11 AM

      • Wow, nice to hear that you had the same problems, lol.
        Maybe there is some way to get a similar effect from a Fortinet firewall?


        Comment by Domas Araminas — November 13, 2018 @ 12:15 PM

      • And wow – a Barracuda anti-spam device costs 2k USD. I really need a less expensive solution...


        Comment by Domas Araminas — November 13, 2018 @ 12:21 PM

    • One more thing – can a free VPN client leak our IP? I'm asking because I've found out that a few guys in my office are using Opera (Opera's VPN and one other) to bypass the FortiGate firewall and visit websites.


      Comment by Domas Araminas — November 13, 2018 @ 11:32 PM
