Sender domain "appears" to be same as recipient do


10 replies to this topic

#1 jlatulip

jlatulip
  • Members
  • 6 posts

Posted 01 March 2010 - 11:34 AM

Good day,

We occasionally receive emails in which the sender email address is the same as the recipient address. Upon looking in the logs I can see that in fact it is not (of course), but it confuses the end users.

Question: How does the sender manipulate the email to appear as though it comes from the recipient, and how can I block their delivery?

Thanks,
- Joe

#2 steve

steve
  • Members
  • 337 posts

Posted 01 March 2010 - 03:38 PM

> ehlo your.com
> mail from: you@your.com
> rcpt to: you@your.com
> data
Have a great day!
.

As far as blocking - turn on "sender spoof protection". And never whitelist your own domain.

#3 DavidG

DavidG
  • Members
  • 2 posts

Posted 01 March 2010 - 07:04 PM

You may want to look at Sender Policy Framework AKA SPF.

#4 julian v

julian v
  • Members
  • 0 posts

Posted 02 March 2010 - 01:16 AM

Forging reply-to or sender addresses is simple, as SMTP does not provide a means to authenticate this info.

If you want to prevent this from happening, set up SPF filtering on your Barracuda, and set up the correct SPF DNS records for the domains you are supporting. To find out more about SPF, start with the wiki - http://en.wikipedia.org/wiki/Sender_Policy_Framework

#5 Cuda Admin

Cuda Admin
  • Members
  • 341 posts

Posted 02 March 2010 - 11:35 AM

SPF is awesome but it won't help the original poster with him receiving forged froms being sent TO his Cuda. He needs Sender Spoof Protection on the Cuda.

Not sure where it is on the new firmware but on the 3 versions, on the 'Advanced' tab set 'Sender Spoof Protection' to Yes. A word of caution, many 'legit' senders do spoof the from address. Amazon for example uses the buyer's address as the from when they send you receipts and the like. So you will end up blocking that stuff. We just say tough, don't send email to us with OUR user in the from address, and we can get away with that, but your situation might be different.
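A sketch of the kind of check the posts above describe, as an added example that is not part of the original thread and not Barracuda's implementation: mail arriving from outside is blocked when either the envelope MAIL FROM or the header From claims a local domain. The internal network range, the sample messages and the function names are constructed for illustration; the third case shows the false positive mentioned above, since a receipt that puts the buyer's address in From is indistinguishable from a forgery to this check.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"your.com"}  # domain used in the SMTP session quoted above
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal servers

def domain_of(address):
    """Lower-cased domain of a bare address or a 'Name <addr>' header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def spoof_check(client_ip, mail_from, raw_message):
    """Return (action, reason) for one inbound message."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return ("accept", "internal sender")
    if domain_of(mail_from) in LOCAL_DOMAINS:
        return ("block", "envelope MAIL FROM claims a local domain")
    header_from = message_from_string(raw_message).get("From", "")
    if domain_of(header_from) in LOCAL_DOMAINS:
        return ("block", "header From claims a local domain")
    return ("accept", "sender is not a local domain")

def message(header_from):
    # Constructed sample message; only the From header varies.
    return f"From: {header_from}\nTo: you@your.com\nSubject: test\n\nHave a great day!\n"

# Constructed cases: (label, connecting IP, envelope MAIL FROM, message)
CASES = [
    ("forged envelope and header", "203.0.113.45", "you@your.com", message("you@your.com")),
    ("forged header only", "203.0.113.45", "bulk@sender.example", message("You <you@your.com>")),
    ("shop receipt using buyer's address", "198.51.100.7", "bounce@shop.example", message("you@your.com")),
    ("ordinary external mail", "198.51.100.7", "news@other.example", message("news@other.example")),
    ("internal user mailing themselves", "10.1.2.3", "you@your.com", message("you@your.com")),
]

def run_cases():
    return {label: spoof_check(ip, mfrom, raw) for label, ip, mfrom, raw in CASES}

if __name__ == "__main__":
    for label, verdict in run_cases().items():
        print(f"{label:36} -> {verdict}")
```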

#6 DavidG

DavidG
  • Members
  • 2 posts

Posted 04 March 2010 - 05:36 PM

TerryGuld is right: SPF applies both to people receiving your email (they may check it for their spam filtering), and your Barracuda receiving email claiming to be from your domain but being sent from a computer outside your network.

Personally I recommend only setting SPF to TAG if you do enable it, as some companies incorrectly set their records.

#7 kwyrick

kwyrick
  • Members
  • 10 posts

Posted 18 March 2010 - 04:53 PM

If an SPF record is set up properly (ending with "-all" and not "~all"), it should certainly help with receiving forged from addresses TO his Cuda.

He would need to turn on SPF checking on his Cuda (block/accept -> sender authentication) once the SPF record is in place.

His Cuda will then compare the connecting server to those allowed to send for his domain, and reject those not authorized.

Sender Spoof Protection is a slightly more simplistic solution to the same problem, with the drawbacks of not being nearly as fine grained (whole box via per domain*) and it doesn't help if someone is spoofing your domain to a third party.

* I have not had the chance to test sender spoof protection under 4.0 yet, so I'm not sure if it still inhibits mail across multiple domains on a Cuda in the same way it did under 3.5

I don't know about anyone else but I see this from time to time. I have spf checking enabled, my domains are NOT whitelisted and I still see forged messages making it thru. Not often but enough that I am looking at another product.

#8 pcsdps

pcsdps
  • Members
  • 2 posts

Posted 11 June 2010 - 04:57 PM

I have Sender Spoof Protection turned on but have a few users whose email is forwarded to my domain from another domain they use outside my network, so their 'from' domain is the same as their 'to' domain and they are being blocked with the reason 'sender spoofed'. How can I bypass the Sender Spoof Protection only for them?

Thanks.

#9 pcsdps

pcsdps
  • Members
  • 2 posts

Posted 14 June 2010 - 01:45 PM

Here's why...

I have a person on two totally separate domains on two totally separate networks, call them A and B, with an email address on each one; @a.com and @b.com.

All their email needs to end up on A, so when an email is sent to their B address we are automatically forwarding it to their A address.

Sometimes when they are on A they will 'reply all' to an email that has their B address, which will send the email to B, forward it right back to A (causing the from and to email address to be the same) and cause the 'sender spoof' block.

#10 pcsdps

pcsdps
  • Members
  • 2 posts

Posted 17 June 2010 - 11:40 AM

Will whitelisting a sender bypass 'sender spoof' protection? If not, is there any way I could add an exemption of some other type for the email address that will bypass sender spoof?

#11 pcsdps

pcsdps
  • Members
  • 2 posts

Posted 17 June 2010 - 11:59 AM

Guess I should have tried this before my last post...

I just whitelisted the two email addresses in question and that bypasses the sender spoof protection. I will stick with this solution and see how it goes, but it looks like that's the best way around this.

Thanks for your input.