Brightmail Antispoofing

By | May 7, 2017

There has been a rise in the number of instances of email addresses being spoofed. A new technique of masking the sender address by adding a “direct reply to” address, has increased the likelihood that a user will be fooled. The real sender address can only be detected when the user hits reply, at which point the new address is revealed in the Too field. If the users forwards the message  masked when the message is forwarded. There are instances where emails addresses are spoofed for legitimate reasons, such as when marketing email is sent from a 3rd party, which makes blocking messages a bit tricky. To address this issue we will be using a new rule in Brightmail.

The rule will prepend the subject with “[Caution: Sender is forged]”. To update it:

    1. Content>Resources>Dictionaries>Create a dictionary
      1. Name “! Client domain”
      2. Add all domains scanned by Brightmail EXCEPT the client’s own domain
    2. Content>Policies>Email> Warning: Spoofed address>Add the following 2 rules
    3. Nest the 2nd rule by selecting both new rules and clicking (X&Y)
If text in From: address part of the message contains 1 or more occurrences of “it-authority.com”
AND If text in Envelope recipient part of the message header does not contain Domain name from dictionary “! IT-authority.com”

The above rule filters all messages from it-authority.com with the exception of messages sent to domains in the dictionary “! it-authority”(all scanned domains other than it-authority.com). When adding new clients to Brightmail all dictionaries will need to be updated with the new domain.