KB Article #67922
Using MailGate to block messages spoofed with an internal address
Problem
-- spoofing
-- MIME spoofed
This article describes a method of blocking incoming messages from external sources whose From address has been spoofed to appear as if the message came from an internal source. Reasons for doing this include:
* Many viruses use spoofing techniques to cause confusion and to propagate themselves
* Spam mail often uses spoofed From headers
* Malicious people may spoof messages to confuse and potentially exploit your end users.
Blocking spoofing has a number of fundamental problems:
* SMTP is not a secure protocol
It is easy for anyone with a basic understanding of SMTP to send mail to anyone, as anyone; there is no accountability.
* Some types of spoofing are considered acceptable and necessary
Many mailing lists, Yahoo Groups for example, depend on spoofing. In this case userA sends a message to the Yahoo Groups email address; the Yahoo Groups server then generates a message From: userA and sends it to all recipients. In this example userA's email address has been spoofed. Another example is a web form that lets you send a news article or some document and asks you to fill in both the sender address and the recipient address, so that the recipient recognizes the sender when the message arrives. This too is a spoofed message.
The following describes a way to block mail sent from outside your organization to an internal recipient where the sender From address was spoofed to look as if the message originated internally. Besides the malicious forms of spoofing, this will also block:
* Messages from mailing lists destined for your internal domain, where the original sender was also from your internal domain. (The yahoo groups example above)
* Messages generated from web forms where the sender address entered by the user and the recipient address are both from your internal domain, e.g., userA sending a news article to userB at your domain.
Resolution
To prevent MIME spoofing, configure a new policy that handles such messages:
1. Navigate to Mail Policies -> Policy Objects -> Tags and create a new tag called "MimeSpoofed".
2. Create a new Inbound Filter Policy.
3. Select "Sent From", click the "sent from..." link and select the FROM header and SENDER header. In the text box below, list all your internal domains in the form *@yourdomain.com.
4. For the THEN condition, select "Quarantine" and "Tag Message" with the tag from step 1.
5. Save the policy.
This policy quarantines all MIME spoofed messages; you can search for them in Message Tracking by selecting the tag you configured in step 1.
In some cases you may want to allow certain companies to send you emails on behalf of your internal users. To do so, configure an exception to the policy above.
The exception conditions can vary considerably, but in most cases the sending company uses a known list of IP addresses to send its messages.
In that case, edit the policy explained above and navigate to the If conditions tab, Headers, Exceptions. In the MESSAGE CONTAINS drop-down menu, select "Specific Content in the following headers", then select the "Received" header from the "Standard headers" on the same page. At the bottom of the page, edit "Any of the following words and phrases", specify the IP addresses the sending company uses (one per line), and click Save.
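The following is an added example, not MailGate code or part of the original article, showing the same policy logic in Python: a message whose From or Sender header carries an internal domain is quarantined and tagged unless a Received header names a partner IP. The internal domain, partner IP and sample messages are constructed assumptions; note that IPs are compared as parsed addresses rather than as words or phrases, so an allow entry for 203.0.113.1 does not also match 203.0.113.10.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed values (assumptions, not from the article): your domains, and the
# IPs of a partner allowed to send on behalf of your users.
INTERNAL_DOMAINS = {"yourdomain.com"}
PARTNER_IPS = {ipaddress.ip_address("203.0.113.1")}
_IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def header_domains(msg, names=("From", "Sender")):
    """Lower-cased domain part of every address in the From and Sender headers."""
    values = [v for n in names for v in msg.get_all(n, [])]
    return {addr.rpartition("@")[2].lower() for _, addr in getaddresses(values) if "@" in addr}

def received_ips(msg):
    """IPs named in Received headers, parsed as addresses so that 203.0.113.1
    never matches 203.0.113.10 the way a plain word/phrase match would."""
    ips = set()
    for hdr in msg.get_all("Received", []):
        for m in _IP_RE.finditer(hdr):
            try:
                ips.add(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # e.g. a version string that only looks like an IP
    return ips

def classify(raw):
    """Apply the policy to one message the gateway has already classed as inbound."""
    msg = message_from_string(raw)
    if not header_domains(msg) & INTERNAL_DOMAINS:
        return "pass"                      # sender claims an external domain
    if received_ips(msg) & PARTNER_IPS:
        return "allow:partner-exception"   # the Received-header exception
    return "quarantine:MimeSpoofed"        # quarantine and tag

# Constructed sample messages (not real traffic).
SPOOFED = "Received: from mx.example.net ([198.51.100.7])\nFrom: userA@yourdomain.com\nTo: userB@yourdomain.com\n\nhi\n"
PARTNER = "Received: from relay.partner.example ([203.0.113.1])\nFrom: News <userA@yourdomain.com>\nTo: userB@yourdomain.com\n\nhi\n"
LOOKALIKE = "Received: from other.example ([203.0.113.10])\nSender: userA@yourdomain.com\nFrom: list@groups.example\nTo: userB@yourdomain.com\n\nhi\n"
EXTERNAL = "Received: from mx.example.net ([198.51.100.7])\nFrom: someone@example.org\nTo: userB@yourdomain.com\n\nhi\n"

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("partner", PARTNER), ("lookalike", LOOKALIKE), ("external", EXTERNAL)]:
        print(f"{name:9} -> {classify(raw)}")
```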