IT Consultant Group

Expand all | Collapse all

Outbound mail spoofing

  • 1.  Outbound mail spoofing

    Broadcom Employee
    Posted 04-01-2014 02:45 AM

    Dear ALL,

    We are facing an issue of outgoing mail spoofing,

    example:

    Genuine outgoing mail domain: @mycompany.com

    Spoof outgoing mail domain: @Microsoft.com

     

    We wanted to block those spoof mails on SMG which are going outside other than @mycompany.com.

    Thanks in advance.

     

    Pravin Loke



  • 2.  RE: Outbound mail spoofing

    Posted 04-02-2014 04:24 AM

    If either the recipient or sender domain is not part of your environment, the SMG should not relay it.  That is the definition of an open relay.  Please refer to the below best practice article for configuration pointers and testing for open relay:

    http://www.symantec.com/docs/TECH122730

    Assuming the mail is not actually being routed via your SMG, but rather is just being sent out directly, I'd personally start with amending your FW rules and go from there to be honest.  What I mean is:

    • only your mail server(s) is/are allowed to send mail out via the the SMG, and
    • that only the SMG is allowed to send mail out at all, so that
    • only authorised devices can send out mail

    I'd also recommend checking out the logs on your FW to determine if anything other than your mail server is connecting out on port 25, and to find out why they are doing so (i.e. is it infected, is it a legitimate mailer process that has been hijacked to spoof mail, etc).