
Replies to spoofed email addresses (a lot)

Status
Not open for further replies.

AeonNL

MIS
May 1, 2002
NL
I'm sure you've seen it. Somebody on the internet gets infected with a mass-mailer virus, and uses a spoofed address to spread itself. All e-mails that are generated because of that mass-mailer will be sent to the address that the virus used as reply address.

The original owner of that mail address will start to receive non-delivery receipts, complaints from other users to stop sending viruses, and replies from servers that stripped the virus from that mail. (Then the user panics and calls the helpdesk.)

But in my case... I receive several thousands of those e-mails every day. We have many users (30.000+) so there's a lot of addresses that are being spoofed.

As this e-mail is not spam, it's very difficult to set mime-sweeper filters for these types of e-mail. It's a manual job for each virus.

I wonder...

I'm sure I'm not the only one with this problem. How do you deal with these problems?

Any tips/suggestions?
 
The first thing to do is to trap spoofed emails.

Create a new Scenario folder with the route *@yourdomain TO *@yourdomain.
In it, create a Classifier which sends all mail to Rubbish.

(Genuine internal TO internal mail will not be going through your MSW).

Then, you would need to create a subfolder of Incoming which has the Route *@* TO LDAP address list.
Now, all mail going to that new sub-folder can be processed normally, while any mail just going to Incoming can be classified as rubbish.
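
The routing described in the reply above, modelled as a decision function (an added example, not part of the original thread and not MIMEsweeper configuration). The domain, the recipient set standing in for the LDAP address list, the folder names and the order in which the routes are tried are all assumptions.

```python
# Added illustration: models the three routes from the reply as a decision function.
# OUR_DOMAIN and VALID_RECIPIENTS are constructed stand-ins for "yourdomain" and
# the LDAP address list; folder names and route order are hypothetical.
OUR_DOMAIN = "example.nl"
VALID_RECIPIENTS = {"j.devries@example.nl", "helpdesk@example.nl"}


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if it has none."""
    address = address.strip().strip("<>").lower()
    local, sep, domain = address.rpartition("@")
    return domain if sep and local else ""


def classify(env_from, env_to):
    """Return (folder, action) for one message seen at the external gateway."""
    sender_internal = domain_of(env_from) == OUR_DOMAIN
    rcpt_internal = domain_of(env_to) == OUR_DOMAIN
    # Route 1: *@yourdomain TO *@yourdomain. Genuine internal mail never
    # crosses the gateway, so an internal sender seen here is spoofed.
    if sender_internal and rcpt_internal:
        return ("Spoofed", "rubbish")
    # Route 2: *@* TO LDAP address list. Recipient exists, scan as usual.
    if env_to.strip().strip("<>").lower() in VALID_RECIPIENTS:
        return ("Incoming/ValidRecipients", "process")
    # Fallback: plain Incoming, i.e. the recipient is not in the directory.
    return ("Incoming", "rubbish")


# Constructed sample envelopes (sender, recipient).
SAMPLES = [
    ("j.devries@example.nl", "helpdesk@example.nl"),           # forged internal sender
    ("alice@partner.example", "j.devries@example.nl"),         # normal inbound mail
    ("mailer-daemon@relay.example", "nosuchuser@example.nl"),  # bounce to made-up address
    ("mailer-daemon@relay.example", "j.devries@example.nl"),   # bounce to real address
]


def run_samples():
    """Classify every constructed sample and return the results in order."""
    return [classify(sender, rcpt) for sender, rcpt in SAMPLES]


if __name__ == "__main__":
    for (sender, rcpt), (folder, action) in zip(SAMPLES, run_samples()):
        print(f"{sender:30} -> {rcpt:24} {folder:26} {action}")
```

In this model a bounce addressed to a real mailbox still lands in the normally processed folder, so it is subject to whatever content rules apply there.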
 