Criteria required to work:
The IMSVA checks only two criteria to decide whether a mail triggers the 'Spoofed internal messages' policy: firstly, that the SMTP sender (RFC5322) and receiver domains are identical (it is not enough that both are listed as internal addresses), and secondly, that not all of the MTA IP addresses the mail routed through are listed in the 'Trusted Internal IP List'.
About:
The "Spoofed internal messages" filter validates that email sent from an internal email address to an internal email address was processed only by the internal mail servers. IMSVA blocks any such message that did not originate from an IP address in the Trusted Internal IP List. This filter triggers only on messages where the sender's and recipient's domains are the same.
To enable:
- Create a new 'Other' policy.
- Under 'Others' on the 'Select Scanning Conditions' selection screen, select the check box next to 'Spoofed internal messages'.
- Click 'Spoofed internal messages'. The Spoofed Internal Messages screen appears.
- Add IP addresses to the Trusted Internal IP List.
- "All edge MTA IP addresses must be added to this list if the feature is enabled. If the IP addresses are not added to the list, all messages from the edge MTAs that are not added will be blocked."
- Click Save.
The following logs from log.imss.yyyymmdd.xxxx illustrate the triggering of the internal spoofing rule. A point worth noting is that customers may ask why the line 'Get 1 IP address from received header' does not match the number of IP addresses they see when they look at the message headers. This is because the anti-spoofing policy does not check the following private IP addresses (10.x.x.x, 172.16.0.0 to 172.31.255.255, 192.168.x.x, and the local IP address 127.0.0.1) found in the 'Received' headers and does not process them as part of the AntiSpoofFilter.
Log.imss.20190430.0001
2019/04/30 13:57:43 GMT+09:00 [28639:4098483968] Running ruleId:12; version:2, numFilters:1, numActions:1
2019/04/30 13:57:43 GMT+09:00 [28639:4098483968] [DEBUG]AntiSpoofFilter::parseSendIPFromOneRecvHeader: parse received header string:by ie-test057.test.test (Postfix, from userid 0)id DDDFC11FB0C; Tue, 27 Apr 2019 13:57:42 +0900 (JST)
2019/04/30 13:57:43 GMT+09:00 [28639:4098483968] [DEBUG]AntiSpoofFilter::parseSendIPFromOneRecvHeader: parse received header string:from mail.example.com (unknown [1111:2222:3333:444::5555]) by test-test200.ie.test (Postfix) with ESMTPS id A581B13803D for <test@test.test>; Mon, 6 Jun 2016 13:43:08 +0900 (JST)
2019/04/30 13:57:43 GMT+09:00 [28639:4098483968] [DEBUG]AntiSpoofFilter::parseSendIPFromOneRecvHeader:get matched string:1111:2222:3333:444::5555
2019/04/30 13:57:43 GMT+09:00 [28639:4098483968] [DEBUG]AntiSpoofFilter: Get 1 IP address from received header. 1111:2222:3333:444::5555,
2019/04/30 13:57:43 GMT+09:00 [28639:4098483968] [DIAGNOSTIC]AntiSpoofFilter: Not all sender IP in Trusted Internal IP List. Triggered.
2019/04/30 13:57:43 GMT+09:00 [28639:4098483968] [DEBUG]in convertUnicodeToString, source.length = 46
2019/04/30 13:57:43 GMT+09:00 [28639:4098483968] filter AntiSpoofFilter isTriggered returned true [/home/autobuild/IMSx-TW_9.1/Application/src/daemon/src/TmIsScan.cpp:TmIsScan::_ruleIsTriggered:4260]
2019/04/30 13:57:43 GMT+09:00 [28639:4098483968] push ruleID.ruleVer=12.2 into executed rule list
2019/04/30 13:57:43 GMT+09:00 [28639:4098483968] Final action 0: QuarantineAction
Polevt.imss.20190430.0001
2019/04/30 13:57:43 GMT+09:00 87BDADC9-87B8-3D05-A958-0267A8088406 test@test test@test.test Test 1 Spoofing message 0000010000000000 0.612305 01000000000000000 0.000000 0 0 1 15 0 0 <20190430045742.DDDFC11FB0C@ie-test057.test.test> 0 0 0 0 0 32767 0 0 0 0 0 0 1 0 0 0
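The following Python is an added example, not IMSVA code, that reproduces the decision shown in the log above: it pulls the bracketed connecting address out of each 'Received' header, drops the private ranges and 127.0.0.1 the page says the filter ignores, and triggers only when the sender and recipient domains match and at least one remaining hop is outside the trusted list. The message is constructed from the two 'Received' headers in the log plus one private hop; the function names, the trusted list, and the use of the From/To header domains as a stand-in for the sender and receiver comparison are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Ranges the page says the filter skips when reading 'Received' headers (assumption: only these).
IGNORED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.1/32")]

# The bracketed connecting address a Postfix 'from host (name [addr])' clause carries.
_ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample: the two Received lines from the log above plus one private (ignored) hop.
SAMPLE = """Received: by ie-test057.test.test (Postfix, from userid 0)
    id DDDFC11FB0C; Tue, 27 Apr 2019 13:57:42 +0900 (JST)
Received: from mail.example.com (unknown [1111:2222:3333:444::5555])
    by test-test200.ie.test (Postfix) with ESMTPS id A581B13803D
    for <test@test.test>; Mon, 6 Jun 2016 13:43:08 +0900 (JST)
Received: from relay.test.test (relay.test.test [10.1.2.3])
    by test-test200.ie.test (Postfix) with ESMTP id ABC123
From: test@test.test
To: test@test.test
"""

def parse_received_ips(raw):
    """IPs from Received headers, in header order, minus the ignored ranges. A hop with no
    bracketed address (the local 'from userid 0' line) contributes nothing, hence 'Get 1 IP'."""
    found = []
    for header in message_from_string(raw).get_all("Received", []):
        m = _ADDR_RE.search(header)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a usable address literal; skip the hop
        if any(ip in net for net in IGNORED_NETWORKS):
            continue
        found.append(str(ip))
    return found

def is_spoofed_internal(raw, trusted_ips):
    """Page's two criteria: same sender/recipient domain, and a counted hop outside the trusted list."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipient = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    if not sender or sender != recipient:
        return False
    trusted = {str(ipaddress.ip_address(t)) for t in trusted_ips}
    return any(ip not in trusted for ip in parse_received_ips(raw))
```

Running `is_spoofed_internal(SAMPLE, ["203.0.113.10"])` triggers exactly as the log does, while adding the IPv6 edge MTA to the trusted list clears it, which is the point of the edge-MTA requirement in the enable steps.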