Blocking mails with bogus sender domain

iQ.Suite Tips & Tricks for IBM Domino
SMTP mails can be configured and manipulated in a vast number of ways. By now it is unlikely that any
spammers still send emails under their own email address. iQ.Suite has several functions that enable you
to recognise these fake or spoof mails as spam and filter them out of your mailbox.
Emails that have the recipient’s own SMTP domain as the sender domain are easy enough to check. If this
is found to be the case, the mail is likely to be a spam mail with a faked sender address. To understand this
and to put it to good use, we must first look at how iQ.Suite works:
All address information from an email (i.e. sender and recipient addresses) is transferred to the NAB
prior to verification. Here, an attempt is made to find the appropriate entry and "normalise" it. An email
with the original SMTP recipient address "[email protected]" then becomes "domino
admin/training@training". This shows that someone in the NAB has the above SMTP mail address.
In the case of the sender, the original address is typically the sender’s common name, e.g. "CN=Domino
Admin/O=training@training". Again it is normalised: the address that has to be compared is then
"domino admin/training@training".
So no email from an internal user will normally ever come with an SMTP address. A sender address such as
"[email protected]" is not possible. Here again, we are assuming a standard architecture and that
internal emails are sent as Notes mails.
In some environments this does not fully apply, or only applies to some extent. In these cases, the
following steps will produce undesirable results! If you are not sure whether all internal emails are
sent in Notes mail format, you should not execute the following configuration steps without
obtaining advice first from one of our consultants!
Emails that claim to come from our own SMTP domain are therefore typically spam. They are relatively
easy to filter out. This is achieved using the same mechanism that we described in our September 2008
Tips & Tricks:
To block emails from senders who have your own SMTP domain, proceed as follows:

1. Configure a "Spoofed Sender" mail address rule (Global - Mail Rules - New):
      Sender - in sender list
      Sender condition - contained
      Sender list - ~*@training.local
   Instead of training.local you must of course enter your own SMTP domain.
   Here it is important to remember the tilde ~!

2. Configure a basic wall mail job (Wall - Mail Jobs - New - Wall Mail Job):
   Basics
      Priority: Set the priority as required for your environment. This job can run relatively
      "early" with the anti-spam jobs, and certainly after the virus scan.
      Runs on: Selected mails
      Click on Selection under Edit Rules and add the Spoofed Sender rule to the list of positive
      rules (top pane).
      Valid for senders: All
   Operations - Denied Recipients
      Action on alarm: Delete mail
      Category in quarantine report: spoofed (or SPAM)
      List of recipients: All in list: *@*
   Misc
      Quarantine configuration: DEFAULT - Quarantine configuration
   You can leave all the other settings as they are set by default in the job.

Now you can activate the job and test it. Write a fake email with one of your company’s SMTP sender
addresses. Immediately after the email arrives, you will find it in the quarantine database under the
category "spoofed" (or "SPAM"). You should also write an email with valid sender data and one from
inside the company in order to check that they do get delivered.
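
The sender check described above can be sketched in Python. This is an added example, not iQ.Suite code and not part of the original article; it models the normalisation and the own-domain match so you can run a list of observed senders through it before activating the job. The function names, the sample senders (including the internal device that sends via SMTP) and the "/" test for Notes names are assumptions made for illustration.

```python
import fnmatch
import re

# Wildcard from the article's sender list; the leading "~" is iQ.Suite
# syntax and is not modelled here. Replace with your own SMTP domain.
OWN_DOMAIN_PATTERN = "*@training.local"

def abbreviate(name):
    """Canonical Notes name -> lower-case abbreviated form, e.g.
    "CN=Domino Admin/O=training@training" -> "domino admin/training@training"."""
    parts = [re.sub(r"^(CN|OU|O|C)=", "", p.strip(), flags=re.I)
             for p in name.split("/")]
    return "/".join(parts).lower()

def is_spoofed(sender):
    """True if the sender is a plain SMTP address in our own domain.
    Assumption: a "/" marks a hierarchical Notes name, which never matches."""
    s = abbreviate(sender)
    return "/" not in s and fnmatch.fnmatchcase(s, OWN_DOMAIN_PATTERN)

def audit(samples):
    """Split rule hits into expected catches and legitimate mail that
    the job would delete (the case the article warns about)."""
    hits = [(s, legit) for s, legit in samples if is_spoofed(s)]
    expected = [s for s, legit in hits if not legit]
    false_positives = [s for s, legit in hits if legit]
    return expected, false_positives

# Constructed sample: (sender as seen by the server, known to be legitimate?)
SAMPLES = [
    ("CN=Domino Admin/O=training@training", True),   # internal Notes mail
    ("partner@example.com", True),                   # genuine external sender
    ("Sales@training.local", False),                 # external mail faking our domain
    ("scanner@training.local", True),                # hypothetical internal device using SMTP
]

if __name__ == "__main__":
    expected, false_positives = audit(SAMPLES)
    print("caught as spoofed:      ", expected)
    print("legitimate but deleted: ", false_positives)
```

Any sender that ends up in the second list is internal mail that does not arrive in Notes format, which is the situation in which the article advises against applying the configuration without consultation.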
Please note that our Support staff can only answer questions about configuring iQ.Suite. You will find
further information on SMTP, mail client and Domino server settings, etc. in the documentation on the
Internet or can obtain it from the manufacturer. Our training courses provide some background
information on SMTP and its mechanisms, show why one job functions with certain settings and describe
numerous additional methods of effectively combating spam.
Come and see. We look forward to your visit!