
Domain Spoofing

Hello,

I wanted to find out if we can just add our own domain to a rejected group on the firewall incoming rules in order to combat spoofing? I know we are getting lots of crud from the qq.com domain and they are sending it from our own users. What's more, they seem to be using our own internal server IP, no doubt gleaned from other automated replies. This is creating a new looping type of problem that sends the rejection to our internal users. It's like they are trying to use other bounce-back rules to create more chaos.

First; we NEED to be able to block incoming mail FROM our own domain.

Second; we can't seem to stop the constant flood of email from the qq.com domain, especially when it is from our own users' addresses.

Third; I can clearly see that they are sending to the internal server address. Shouldn't it at least stop that?

** Note; I still wanted to know if it is possible to add your own domain to a list of rejected FROM Domains.

I want to add *@ourdomain.com to a rejected rule that runs before the SMTP rule for inbound mail.

We already have a rule before the SMTP to block other ugly things. Since the firewall can't seem to understand that email from our domain outside is wrong, will this help?

Thanks,

Mark



  • First of all, you can start with SPF. This will block some of this traffic (V17.5 plus DNS Configuration).

    Currently, only Central Email and Email Appliance / Pure Message can detect this kind of spoofing.

    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/17259497-e-mail-spoofing-protection

    This would be the matching Feature Request. 

     

    The point is, there are two kinds of spoofing.

    FROM and envelope-From Spoofing. 

    One is the Data part, the other is the sender. 

    XG / SG cannot detect such "data anomalies". 

  • I will be looking for that 17.5 to hit final release soon, because nearly all of our clients are waiting for one of the new features included in that version.

    Due to the nature of all those new additions, that might explain all of the bug fixes I have seen regarding it. We have made it a habit of NOT using ANY software that isn't in final release on any client systems. I'm sure you've been around long enough to understand why we would do that. We have also found that even waiting for final release doesn't keep you from having problems.

    Mark
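The first reply separates envelope-From spoofing from header FROM spoofing. The sketch below is an added example, not part of the thread and not Sophos code: it classifies an inbound message by which of the two sender fields claims the protected domain. `ourdomain.com` is the placeholder from the question; the trusted network, the client IPs and the sample messages are constructed assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "ourdomain.com"                          # placeholder from the question
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal relays

def domain_of(address):
    """Lower-cased domain of an address or 'Name <addr>' string, '' if none."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_inbound(client_ip, envelope_from, raw_message):
    """Report which sender field of an inbound message claims OWN_DOMAIN.

    envelope_from is the SMTP MAIL FROM value (the "sender" in the reply);
    the header From is read from the message data (the "Data part").
    Only an exact domain match is tested; subdomains are not covered.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "internal"          # our own relay may legitimately use the domain
    header_from = message_from_string(raw_message).get("From", "")
    env_own = domain_of(envelope_from) == OWN_DOMAIN
    hdr_own = domain_of(header_from) == OWN_DOMAIN
    if env_own and hdr_own:
        return "spoofed-envelope-and-header"
    if env_own:
        return "spoofed-envelope"  # the field an SPF check evaluates
    if hdr_own:
        return "spoofed-header-from"   # envelope-only checks do not see this
    return "ok"

# Constructed sample messages (not taken from the thread).
MSG_OWN_HEADER = "From: Mark <mark@ourdomain.com>\nTo: mark@ourdomain.com\nSubject: test\n\nbody\n"
MSG_EXT_HEADER = "From: News <news@sender.example>\nTo: mark@ourdomain.com\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    cases = [
        ("203.0.113.7", "bounce@sender.example", MSG_OWN_HEADER),
        ("203.0.113.7", "mark@ourdomain.com", MSG_EXT_HEADER),
        ("203.0.113.7", "mark@ourdomain.com", MSG_OWN_HEADER),
        ("10.1.2.3", "mark@ourdomain.com", MSG_OWN_HEADER),
    ]
    for ip, env, msg in cases:
        print(ip, env, "->", check_inbound(ip, env, msg))
```

The first case is the one the question describes: an external envelope sender with the organisation's own address in the header From, which a rule keyed only on the envelope sender does not match.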