Configuring Anti-Spoofing Policies

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015Last modified by user.Yo2IBgvWqr on Aug 30, 2017
Version 29Show Document
  • View in full screen mode

Spoofing is the forgery of email headers so that messages appear to come from someone other than the actual source. This tactic is used in phishing and spam campaigns because recipients are more likely to open a message that looks legitimate. An Anti-Spoofing policy aims to block these unwanted inbound spoofed messages. 

 

Usage Considerations

 

Consider the following before creating a policy:

  • An Anti-Spoofing policy is recommended for customers who receive large amounts of spoofed mail. This ensures that traffic originating from the internet, but appearing to come from an internal domain, is not allowed inbound.
  • Create an Anti-Spoofing SPF Based Bypass policy for all IP addresses or hostnames that could be considered legitimate "spoofed" traffic and should be allowed through. For example:
    • Messages generated from web servers that hold your domain name.
    • A payroll system that generates messages using an internal email address.
  • If a user adds their email address (or one of the company's internal domains) to their permitted senders list, messages directed to these are be rejected as the anti-spoofing policy is applied first.

 

Configuring an Anti-Spoofing Policy

 

To configure an Anti-Spoofing policy:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.
  4. Click on Anti-Spoofing. A list of policies is displayed.
  5. Either select the:
    • Policy to be changed.
    • New Policy button to create a policy.
  6. Complete the Options section as required:
    OptionDescription
    Policy NarrativeProvide a description for the policy to allow you to easily identify it in the future.
    Select Option

    Select whether to apply Anti-Spoofing, Anti-Spoofing (excluding Mimecast IP ranges) or take no action.

  7. Complete the Emails From and Emails To sections as required:
    Field / OptionDescription
    Addresses Based OnSpecify the email address characteristics the policy is based on. This option is only available in the "Emails From" section. The options are:
    OptionDescription
    The Return Address (Mail Envelope From)This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission).
    The Message From Address (Message Header From)Applies the policy based on the masked address used in the message's header.
    BothApplies the policy based on either the Mail Envelope From or the Message Header From, whichever matches. If both match the specified value the Message Header From is used.
    Applies From / ToSpecify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:
    OptionDescription
    EveryoneIncludes all email users (i.e. internal and external). This option is only available in the "Emails From" section.
    Internal AddressIncludes only internal organization addresses.
    External AddressIncludes only external organization addresses. This option is only available in the "Emails From" section.
    Email DomainEnables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
    Address GroupsEnables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
    Address AttributesEnables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
    Individual Email AddressEnables you to specify an SMTP address. The email address is entered in the Specifically field.
  8. Complete the Validity section as required:
    Field / OptionDescription
    Enable / DisableUse this to enable (default) or disable a policy. If a date range has been specified, the policy will automatically be disabled when the end of the configured date range is reached.
    Set Policy as PerpetualIf the policy's date range has no end date, this field displays "Always On" meaning that the policy never expires.
    Date RangeUse this field to specify a start and / or end date for the policy. If the Eternal option are selected, no date is required.
    Policy OverrideThis overrides the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override.
    Bi-DirectionalIf selected the policy is applied when the policy's recipient is the sender, and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x)Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data, falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  9. Click on the Save and Exit button.
An Anti-Spoofing policy that is applied from the Return Address (Envelope from Address) can only be negated by a Take No Action policy which is also applied from Return Address (Envelope from Address). This logic also applies to the Message From Address (Header From Address).

Example Policies

 

The "Source IP Ranges (n.n.n.n/x)" option can be used to exclude the Mimecast IP ranges (see below). We recommend using this to decrease the chances of false positive identification of legitimate messages. In this instance, a bypass policy can be created to allow messages from certain IP addresses or hostnames, even though they appear as typical spoofed emails. You can configure all other spoofed emails to be blocked.

 

Anti-Spoofing Policy to Allow Spoofing Based on IP

 

  1. In the Select Option field select Take No Action.
  2. In the For Emails From and For Emails To sections, set the Applies From and Applies To fields to Everyone, as IP addresses/Hostnames are going to be used as the source of the emails. For more information on the application of the FROM and TO variables, view the full article on Policy Specificity.
  3. In the Policy Validity section select the Policy Override option. This will ensure that this policy is applied before the Block policy. For more information, view the full article on Policy Validity.
  4. Enter the list of IP addresses (or hostnames) to apply the bypass to in the Source IP Ranges box in CIDR notation.
  5. Enter the list of hostnames to apply the bypass to in the Hostnames box. The policy only applies when the hostname matches the IP address used by the sending server. We will confirm when this is the case.
  6. Click Save and Exit.
If a combination of IP addresses and hostnames is specified, the policy is applied if the inbound mail comes from either one of the specified IP addresses or hostnames.

Anti-Spoofing Policy to Block Unwanted Spoofed Emails

 

  1. In the Select Option field select Apply Anti-Spoofing. It is recommended to select the Apply Anti-Spoofing (Exclude Mimecast IPs) option.
  2. In the For Emails From section, select the applicable internal domains that you wish to block spoofs from. For more information on the application of the FROM and TO variables, view the full article on Policy Specificity.
  3. In the For Emails To section, select the Internal Addresses option.
  4. Complete the Policy Validity section. Do not check the Policy Override option for this policy. For more information, view the full article on Policy Validity.
  5. Click Save and Exit.
To ensure that anti-spoofing policies don't block sender / callback verification requests that remote MTAs might utilize, don't configure Anti-Spoofing policies that apply to messages with the From and To variables set to Internal. Messages rejected by the Anti-Spoofing policy can be seen in Monitoring | Rejections, and will have the type set to anti-spoofing. 

See Also...

 

6 people found this helpful

Attachments

    Outcomes