Overview
Some spammers forge the 'FROM:' email address, setting it to the same domain as the recipient, to make it appear as if the email is coming from a local user.
Such emails with forged sender information can sometimes pass through the anti-spam checks and reach users' mailboxes. This usually happens when the Sender Policy Framework (SPF) Anti-Spam filter is not configured correctly or when all addresses from the local domain are in the Whitelist.
Solution
The Anti-Spoofing filter checks emails received with a sender email address claiming to originate from your own domain against a list of IP addresses known by MailEssentials. If the sender IP address is not on the list of own-domain server IP addresses, the email is blocked as the sender information is forged.
GFI MailEssentials can be configured to effectively block spoofed emails as follows:
Note: Ensure that the 'Sender Policy Framework' filter is configured to run at a higher priority than the 'Whitelist' module, since if the sending server is not authorized to send on behalf of that domain, the email is likely to be spoofed. Confirm that the desired Spam Actions for both Anti-Spam filters have been correctly set as explained in Configuring MailEssentials Spam Actions.
To modify the filter priorities, perform the following:
- Open your GFI MailEssentials Configuration.
- Expand the Anti-Spam node.
- Navigate to the Filter Priority node.
- Ensure that the Sender Policy Framework module has a higher priority than the Whitelist module.
Ensure that the email address from which you are receiving the spoofed emails is not listed within the Whitelist as MIME From. You can confirm this by performing the following:
- Open the GFI MailEssentials Configuration
- Expand the Anti-Spam node
- Click on Whitelist
- Check if the email address is listed in the Whitelist tab. If the email address is defined as MIME From, select it and click the Remove button to remove the entry.
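The following added example (not GFI MailEssentials code) models the sender check and the filter priority described above, showing why a MIME From whitelist entry that runs first lets a forged own-domain email through. The domain, IP range, whitelist entry, and function names are assumptions, and the own-server IP list stands in for a live SPF lookup so the example runs offline.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only (none come from the article).
LOCAL_DOMAINS = {"example.com"}
OWN_SERVER_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # own-domain server IPs
WHITELIST_MIME_FROM = {"ceo@example.com"}                 # the risky kind of entry

def mime_from(raw_message):
    """Return the lower-cased address from the MIME From: header."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()

def is_spoofed(raw_message, peer_ip):
    """True if From: claims a local domain but the sending IP is not ours."""
    domain = mime_from(raw_message).rpartition("@")[2]
    if domain not in LOCAL_DOMAINS:
        return False
    ip = ipaddress.ip_address(peer_ip)
    return not any(ip in net for net in OWN_SERVER_NETS)

def run_filters(raw_message, peer_ip, priority):
    """Apply filters in priority order; the first one that matches decides."""
    for name in priority:
        if name == "whitelist" and mime_from(raw_message) in WHITELIST_MIME_FROM:
            return "allow"
        if name == "sender_check" and is_spoofed(raw_message, peer_ip):
            return "block"
    return "deliver"  # no filter matched; message continues normally

# Constructed sample messages.
FORGED = "From: CEO <ceo@example.com>\nTo: bob@example.com\nSubject: Invoice\n\nhi\n"
OUTSIDE = "From: Ann <ann@partner.test>\nTo: bob@example.com\nSubject: Hello\n\nhi\n"

if __name__ == "__main__":
    # Same forged message, same external IP, two different priority orders.
    for order in (["whitelist", "sender_check"], ["sender_check", "whitelist"]):
        print(order, "->", run_filters(FORGED, "203.0.113.9", order))
```
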
Notes:
- Adding your local domain to the blacklist is intended for setups where internal emails do not pass through GFI MailEssentials. In a normal email setup, internal emails do not pass through GFI MailEssentials.
- You should not add your local domain to the blacklist if GFI MailEssentials is installed on the same machine as Microsoft Exchange server and local users are using an SMTP client (e.g. Outlook Express) to send their emails to internal recipients.
Confirmation
Emails originating from forged senders should be correctly filtered and appropriate actions taken as per the configuration.