
Block Internal Domain spoofing from External?

Status
Not open for further replies.

scanjam

Technical User
Oct 30, 2003
GB
Somehow we have external users able to spoof our email address of domains@'domainname'.com.au and send this to us internally.

How do we block this, so that only people sending on behalf of @domainname.com.au are only coming from our internal IP range?

Cheers
SCANJAM
 
Unless you use PTR record lookups for all senders, you can't avoid spoofing. Note that if you do enable PTR lookup you'll be rejecting a lot of senders who haven't registered PTRs for their mail servers.

 
So there is nothing in Exchange to accept everything from localdomain to its own local domain from itself only?

That's frustrating.

PTRs may be the way to go... *sigh* it's hard to get the happy mix... What about RBLs, do you have any suggested RBLs that you use? We only have one at present which is spamhaus.org, but it doesn't seem to be working... We have added reverse DNS lookups and the connection filter of spamhaus.

Do you know of any other RBLs that would be good to add that actually are useful :)


Cheers for your quick reply!
SCANJAM
 
I'm not the biggest fan of RBLs. One of our mail servers was recently added to the spamcop database because our mail server was sending NDRs to spoofed addresses. In other words, a spammer spoofs the sender address of a message that is sent to a recipient that doesn't exist at our domain, so our Exchange server sends an NDR to the spoofed address. According to Spamcop, the message is unsolicited, therefore our mail server is effectively sending spam.

We're looking at using LDAP lookups from our mail gateway to avoid our Exchange servers sending NDRs and combat this problem (If we drop the message at the connection level, then the sender server will send an NDR, rather than having our gateway accept the message and then pass it on to Exchange who then NDRs). We're also looking at using PTR lookups so that we can avoid receiving spoofed messages and therefore avoid sending NDRs to spoofed addresses, but we have a lot of very small agents that we receive mail from, and I'm fairly sure that a lot of these won't have PTR records for their mail servers.

In short, I have mixed feelings about RBLs. We used to use one but it didn't seem to reduce the amount of spam we received. If you do choose to go with an RBL, make sure that it is reputable; we were once added to a database for an unknown reason and were asked to pay a sum of money to be removed. We didn't pay, and found another way to send to the recipient.

Ben.

 
Great advice Ben, thanks for the reply, appreciate your comments and input.
 
Hi,

We use GFI MailEssentials. It will allow you to block e-mail from a domain, so you could in essence block your own domain, but that would be no good if you had external users with POP accounts, sending e-mail through a different mailserver - for example if their ISP only allows them to send e-mail using the ISP mailserver.

Otherwise in relation to RBL, it has the option to send or not to send NDRs.

I read something recently that suggested that blocking based on RBLs was no longer an effective method to combat SPAM as the lifetime of the spamming domain was on average four hours or less? (Might be an incorrect recollection though).

Not trying to be a sales rep, but we are quite happy with GFI. They have multiple filters and between them we get little spam and few false positives. The fact that it logs all e-mail sent and received has been particularly useful in settling some minor disputes whereby external sources claim to have sent us e-mail, when in fact they never did, or they sent it to the incorrect addresses etc.

Cheers.
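
The two gateway checks discussed in this thread (reject unknown recipients during the SMTP dialogue so no NDR is generated locally, and accept the local domain as sender only from the internal range or an authenticated user) can be sketched as follows. This is an added example, not code from any poster, Exchange or GFI MailEssentials; the domain, networks, recipient set and function names are constructed assumptions.

```python
import ipaddress
from email.utils import parseaddr

# Constructed values for illustration; substitute your own domain, ranges and directory.
LOCAL_DOMAIN = "example.com.au"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Stand-in for the LDAP recipient lookup mentioned in the thread.
VALID_RECIPIENTS = {"alice@example.com.au", "domains@example.com.au"}


def domain_of(address):
    """Return the lower-cased domain of an address or header value, '' if none."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def is_internal(client_ip):
    """True when the connecting IP falls inside one of the internal networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def smtp_decision(client_ip, authenticated, mail_from, header_from, rcpt_to):
    """Return (code, reason) for one message at the gateway, before Exchange sees it."""
    # Unknown recipient: refuse during the SMTP dialogue, so the sending server
    # (not ours) is left to produce the NDR.
    if rcpt_to.lower() not in VALID_RECIPIENTS:
        return 550, "unknown recipient"
    # Check both the envelope sender and the From: header, since either can be forged.
    claims_local = LOCAL_DOMAIN in (domain_of(mail_from), domain_of(header_from))
    # The local domain is only accepted from inside, or from a user who authenticated
    # (covers remote staff who submit mail from outside the internal range).
    if claims_local and not (is_internal(client_ip) or authenticated):
        return 550, "local domain used by unauthenticated external sender"
    return 250, "accepted"
```

Remote users who relay through their ISP's mail server cannot authenticate to this gateway, so they would still be rejected; that is the limitation raised in the last post.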
 