Spoofing is the forgery of email headers so messages appear to come from someone other than the actual source. This tactic is used in phishing and spam campaigns, as recipients are more likely to open a message that looks legitimate. Anti-Spoofing policies are recommended if you receive large amounts of spoofed mail. They ensure external messages appearing to come from an internal domain are blocked.
Consider the following before configuring a policy:
- Create an Anti-Spoofing SPF Based Bypass policy for all IP addresses or hostnames considered legitimate "spoofed" traffic and should be allowed through. For example:
- Messages generated from web servers that hold your domain name.
- Payroll systems that generate messages using an internal email address.
- Anti-Spoofing policies override addresses or domains permitted by users. For example, messages from a domain added to a user's permitted senders list AND an Anti-Spoofing policy are rejected.
- If you want to allow your company domain / email address to bypass the Anti-Spoofing policy, you must specify the internal address / domain that you will allow to be spoofed. In this case, you should not also be listing the external sending address that may also be appearing in the sending header / envelope.
Configuring an Anti-Spoofing Policy
To configure an Anti-Spoofing policy:
- Log on to the Administration Console.
- Select the Administration toolbar menu item.
- Select the Gateway | Policies menu item.
- Select Anti-Spoofing. A list of policies is displayed.
- Either select the:
- Policy to be changed.
- New Policy button to create a policy.
- Complete the Options section as required:
Option Description Policy Narrative Enter a description for the policy to allow you to easily identify it. Select Option
Select whether to apply Anti-Spoofing, Anti-Spoofing (excluding Mimecast IP ranges), or take no action.
- Complete the Emails From and Emails To sections as required:
Field / Option Description Addresses Based On Specify the email address characteristics the policy is based on. This option is only available in the "Emails From" section. The options are: The Return Address (Mail Envelope From) This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission). The Message From Address (Message Header From) Applies the policy based on the masked address used in the message's header. Both Applies the policy based on either the Mail Envelope From or the Message Header From, whichever matches. If both match the specified value the Message Header From is used. Applies From / To Specify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are: Option Description Everyone Includes all internal and external users. This option is only available in the "Emails From" section. Internal Address Includes only internal addresses. External Address Includes only external addresses. This option is only available in the "Emails From" section. Email Domain Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field. Address Groups Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path. Address Attributes Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop-down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts. Individual Email Address Enables you to specify an SMTP address. The email address is entered in the Specifically field.
- Complete the Validity section as required:
Field / Option Description Enable / Disable Enables (default) or disables the policy. If a date range has been specified, the policy is automatically disabled when the end of the configured date range is reached. Set Policy as Perpetual If the policy's date range has no end date, this field displays "Always On" meaning that the policy never expires. Date Range Use this field to specify a start and/or end date for the policy. If the Eternal option is selected, no date is required. Policy Override This overrides the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override. Bi-Directional If selected, the policy is applied when the policy's recipient is the sender, and the sender is the recipient. Source IP Ranges (n.n.n.n/x) Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data, falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation. Hostname(s) Enter any required hostname(s) for the policy.When entering a hostname, the domain must have a published DNS record. A check is performed if domains are entered, and you'll be prevented from saving the policy if the check fails.
- Click on the Save and Exit button.
The "Source IP Ranges (n.n.n.n/x)" option can be used to exclude the Mimecast IP ranges (see below). We recommend using this to decrease the chances of false positive identification of legitimate messages. In this instance, a bypass policy can be created to allow messages from certain IP addresses or hostnames, even though they appear as typical spoofed emails. You can configure all other spoofed emails to be blocked.
Anti-Spoofing Policy to Allow Spoofing Based on IP
- In the "Select Option" field select Take No Action.
- In the "For Emails From" and "For Emails To" sections, set the Applies From and Applies To fields to Everyone, as IP addresses/Hostnames are going to be used as the source of the messages. Read the Policy Specificity page for more information on the application of the FROM and TO variables.
- In the Policy Validity section, select the Policy Override option. This ensures the policy is applied before the block senders policy. Read the Policy Specificity page for more information.
- Enter the list of IP addresses (or hostnames) to apply the bypass to in the Source IP Ranges box in CIDR notation.
- Enter the list of hostnames to apply the bypass to in the Hostnames box. The policy only applies when the hostname matches the IP address used by the sending server. We will confirm when this is the case.
Anti-Spoofing Policy to Block Unwanted Spoofed Emails
- In the "Select Option" field select Apply Anti-Spoofing. We recommend selecting the Apply Anti-Spoofing (Exclude Mimecast IPs) option.
- In the For Emails From section, select the applicable internal domains you wish to block spoofs from. Read the Policy Specificity page for more information on the application of the FROM and TO variables.
- In the For Emails To section, select the "Internal Addresses" option.
- Complete the Policy Validity section. Do not check the Policy Override option. Read the Policy Specificity page for more information.