Determining why the Anti-Spoofing Filter blocked or allowed a message

Overview

The Anti-Spoofing Filter is one of the filters in the Anti-Spam chain. It checks every received email whose sender address claims to originate from one of your own domains against the list of IP addresses known to MailEssentials as your own-domain mail servers. If the connecting IP address is not on that list, the email is blocked because the sender information is considered forged.

In this article, you will learn how to determine why the Anti-Spoofing engine blocked or allowed a message as part of the troubleshooting process.

Introduction

Anti-Spoofing is an anti-spam filter designed to block emails sent from spoofed addresses, that is, emails whose sender address belongs to one of the local domains but which were sent from an unauthorized IP address.

There will be scenarios where customers open support requests wanting to understand why the Anti-Spoofing filter blocked or allowed specific messages against their expectations. The next section outlines the troubleshooting process to determine the reason behind the actions taken by this Anti-Spam filter.

Description

If you are questioning why an email was blocked or allowed by the Anti-Spoofing filter and would like more information, the best place to start the troubleshooting process is to examine the debug logs.
Follow the below procedure to find the log file and information regarding the email message under review, and thereafter use the examples provided to interpret and determine why the message was either blocked or allowed:
  1. Find the Message-ID of the email in question by either obtaining it from the headers of the message itself or by looking for it in the MailEssentials Dashboard > Logs > Details tab. Refer to this linked article for more information on Reading Email Headers to extract the Message ID.
  2. Navigate to ..\GFI\MailEssentials\AntiSpam\DebugLogs and locate the log file for the Anti-Spoofing module. The debug log filename is ase_antispoofing.gfi_log.txt
    • This is the debug log for the Anti-Spoofing module. It corresponds to the GFI MailEssentials > Anti-Spam > Anti-Spam Filters > Anti-Spoofing page in the configuration UI, and to the antispoofing_ip_list table in config.mdb.
  3. Open the debug log file in a text editor and search for the Message-ID obtained in step 1.
  4. Refer to the scenarios below to determine the reasons behind the action taken by the plug-in. Pay close attention to the lines stating whether the sender domain is local and whether the message is spoofed, as these explain what happened and why.
There are two main sections in the debug log. The first logs the loading of configuration information for the module while the second contains actions taken by the filter while scanning emails.
The first section is useful for confirming that the plug-in loaded the configuration settings successfully and will usually contain entries similar to the extract below:
>> Load config
Loading enable flag...
Module enabled.
Loading allow authenticated connections flag...
Module will skip processing if message is authenticated.
Loading domains...
No. of local domain entries: [2] - This is the number of local domains being scanned, as configured under Configuration > General Settings > Settings > Local Domains
Loading all trusted IPs...
>> Load antispoofing IPs
Recordset entry [x.x.x.x] - These are the IPs listed in the module as allowed; if no such entries appear, there are no IPs listed.
<< Load antispoofing IPs
>> Load perimeter IPs
<< Load perimeter IPs
No. of trusted IP entries: [4] - Total number of entries
<< Load config

If the module is disabled, the log file will indicate:

Antispoofing is disabled... [Disabled]

Once you establish that the Anti-Spoofing configuration was loaded, use the examples below to interpret and determine why the message was either blocked or allowed:

Scenario 1: Email was allowed by the module

Connecting IP [x.x.x.x]
SMTP mail sender address [ham@gfitest.com]
SMTP mail sender domain is NOT associated with a local user account
Message is NOT spoofed
Note:
  • To block an invalid sender, remove the IP address from the configuration.
  • Connecting IP is the IP address of the sending server.

Scenario 2: Email was blocked by the module

Connecting IP [x.x.x.x]
SMTP mail sender address [spam@gfitest.com]
SMTP mail sender domain is associated with a local user account
Message IS spoofed
Stopping ASE chain [2]...
Note:
  • To allow a valid sender, add the IP address to the configuration.
  • Connecting IP is the IP address of the sending server.
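As an added example (not part of this article or of GFI's own tooling), the following Python script automates steps 3 and 4 of the procedure: it searches a constructed extract of ase_antispoofing.gfi_log.txt for a Message-ID and explains the verdict from the same lines shown in Scenarios 1 and 2. The "Message-ID [...]" line that opens each scan block and the sample addresses are assumptions, since the article does not show how the ID appears in the log.

```python
import re

# Constructed extract in the style of ase_antispoofing.gfi_log.txt. The scan lines
# follow the article's two scenarios; the "Message-ID [...]" line that opens each
# scan block and the addresses are assumptions made for this example.
SAMPLE_LOG = """\
Message-ID [<ham-0001@gfitest.com>]
Connecting IP [198.51.100.10]
SMTP mail sender address [ham@gfitest.com]
SMTP mail sender domain is NOT associated with a local user account
Message is NOT spoofed
Message-ID [<spam-0002@gfitest.com>]
Connecting IP [203.0.113.77]
SMTP mail sender address [spam@gfitest.com]
SMTP mail sender domain is associated with a local user account
Message IS spoofed
Stopping ASE chain [2]...
"""

def explain_verdict(log_text, message_id):
    """Find the scan block for message_id and explain the filter's action."""
    lines = log_text.splitlines()
    hits = [i for i, line in enumerate(lines) if message_id in line]
    if not hits:
        return None  # Message-ID absent: the filter never logged this message
    block = []
    for line in lines[hits[0] + 1:]:
        if line.startswith("Message-ID"):  # next scan block begins
            break
        block.append(line)
    text = "\n".join(block)
    ip = re.search(r"Connecting IP \[(.+?)\]", text)
    sender = re.search(r"SMTP mail sender address \[(.+?)\]", text)
    # The "NOT associated" line does not contain this exact phrase, so it is safe.
    local = "sender domain is associated with a local user account" in text
    spoofed = "Message IS spoofed" in text  # case-sensitive: "is NOT spoofed" won't match
    if spoofed:
        reason = "local sender domain, connecting IP not in the Anti-Spoofing IP list"
        hint = "if the sender is legitimate, add the connecting IP to the module's IP list"
    elif local:
        reason = "local sender domain and connecting IP accepted as trusted"
        hint = "if the sender is not legitimate, remove the connecting IP from the IP list"
    else:
        reason = "sender domain is not a local domain, so the filter does not apply"
        hint = None
    return {"connecting_ip": ip.group(1) if ip else None,
            "sender": sender.group(1) if sender else None,
            "local_domain": local, "spoofed": spoofed,
            "action": "blocked" if spoofed else "allowed",
            "reason": reason, "hint": hint}
```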

Priyanka Bhotika