How do I block SPAM emails that seem to be coming from my domain?

The information in this article applies to:

  • GFI MailEssentials for Exchange/SMTP 10
  • GFI MailEssentials for Exchange/SMTP 11
  • GFI MailEssentials for Exchange/SMTP 12
  • GFI MailEssentials for Exchange/SMTP 14
  • GFI MailEssentials for Exchange/SMTP 9

Article ID: KBID001910

Query keywords: anti-spam, spoof, spoofing

Issue Encountered:

Certain spam emails fake the 'FROM:' email address, changing it to the same domain as the recipient. This can make it seem as if the email is coming from a local user.


Solution: 

GFI MailEssentials can be configured to block such emails as follows:

  • If using GFI MailEssentials 10.1 or a newer version of GFI MailEssentials, it is recommended to use the Sender Policy Framework (SPF) filter to block mails coming from spoofed addresses. Detailed information on how to create an SPF record for your domain and configure GFI MailEssentials to block such emails can be found at the following GFI WebCast.

    Note: Ensure that the 'Sender Policy Framework' module is configured to run at a higher priority than the 'Email\Domain\Auto Whitelist' module, since if the sending server is not authorized to send on behalf of that domain the email is likely to be spoofed. To modify the order of your module priorities, perform the following:
    1. Open your GFI MailEssentials Configuration.
    2. Right click on the 'Anti-Spam' node and select 'Order module priorities'.
    3. Ensure that the 'Sender Policy Framework' module has a higher priority than the 'Email\Domain\Auto Whitelist' module.
  • Ensure that the email address from which you are receiving the spoofed emails is not listed within the GFI MailEssentials Whitelist as 'MIME From:'. You can confirm this by performing the following:
    1. Open the GFI MailEssentials Configuration.
    2. Expand the 'Anti-Spam' Node.
    3. Right click on 'Whitelist' and select properties.
    4. You can check whether the email address is listed on the 'Whitelist' tab. If the email address is defined as 'MIME From', click the 'Remove' button to remove the entry.

Notes:

  • Adding your local domain to the blacklist is intended for setups where internal emails do not pass through GFI MailEssentials. In a normal email setup, internal emails do not pass through GFI MailEssentials.
     
  • You should not add your local domain to the blacklist if GFI MailEssentials is installed on the same machine as Microsoft Exchange server and local users are using an SMTP client (e.g. Outlook Express) to send their emails to internal recipients.
     
  • For further information about the Sender Policy Framework (SPF), check the following knowledge base articles:
    http://kbase.gfi.com/showarticle.asp?id=KBID002347
    http://kbase.gfi.com/showarticle.asp?id=KBID002371
