Understanding Spoofed internal messages

    • Updated: 3 Feb 2020
    • Product/Version: IMSVA 9.1
Summary
Understanding Spoofed internal messages and how to recognise the behaviour in the logs.
Details
Criteria required to trigger:

IMSVA checks only two criteria to decide whether a message triggers the 'Spoofed internal messages' policy. Firstly, the sender (RFC5322) and recipient address domains must be identical; it is not enough that both are listed as Internal addresses. Secondly, at least one of the MTA IP addresses the message routed through, as read from its 'Received' headers, must not be listed in the 'Trusted Internal IP List' (the log reports this as "Not all sender IP in Trusted Internal IP List"). Both conditions must hold for the rule to trigger.


About:

The "Spoofed internal messages" filter validates that email sent from an internal email address to an internal email address was processed only by the internal mail servers. IMSVA blocks any such message that did not originate from an address on the Trusted Internal IP List. The filter triggers only on messages where the sender's and recipient's domains are the same.


To enable:

  1. Create a new 'Other' policy.
  2. Under 'Others' on the 'Select Scanning Conditions' screen, select the check box next to Spoofed internal messages.
  3. Click Spoofed internal messages. The Spoofed Internal Messages screen appears.
  4. Add IP addresses to the Trusted Internal IP List.
    • "All edge MTA IP addresses must be added to this list if the feature is enabled. If the IP addresses are not added to the list, all messages from the edge MTAs that are not added will be blocked."
  5. Click Save.


The following lines from log.imss.yyyymmdd.xxxx show the internal spoofing rule triggering. Customers sometimes ask why the line 'Get 1 IP address from received header' does not match the number of IP addresses they see in the message headers. The reason is that the anti-spoofing policy skips private addresses (10.x.x.x, 172.16.0.0 to 172.31.255.255 and 192.168.x.x) and the local address 127.0.0.1 found in the 'Received' headers, and does not process them as part of the AntiSpoofFilter. In the excerpt below, the first 'Received' header (a local Postfix pickup, 'from userid 0') carries no source IP and yields no match, so only the IPv6 address of the external hop is counted.

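
The following script is an added example, not IMSVA code, that models the two criteria above and the 'Received' header handling on three constructed messages. It assumes the RFC 5322 From/To header domains are the ones compared, that a hop IP is the bracketed address of a "from host (name [ip])" clause, that a message with no considered IPs does not trigger, and it uses a hypothetical Trusted Internal IP List of one edge MTA (198.51.100.7). The first sample reuses the 'Received' headers from the log excerpt below.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Ranges the article says the filter ignores when reading 'Received' headers.
SKIPPED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.1/32")]

# Source IP of a hop as Postfix writes it: "from host (name [ip])". This stands in
# for the "get matched string:<ip>" step seen in the log excerpt.
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_ips(raw_message):
    """Hop IPs the filter would consider, top header first.
    A header with no bracketed IP (local pickup, 'from userid 0') adds nothing and
    private/loopback addresses are dropped, so the count can be lower than the
    number of 'Received' headers in the message."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _BRACKET_IP.search(" ".join(hdr.split()))  # unfold, then match
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if any(ip in net for net in SKIPPED_NETS):
            continue
        ips.append(str(ip))
    return ips


def _domain(addr_header):
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def same_domain(raw_message):
    """Criterion 1 (assumption: RFC 5322 From/To header domains are compared)."""
    msg = message_from_string(raw_message)
    sender, rcpt = _domain(msg.get("From")), _domain(msg.get("To"))
    return bool(sender) and sender == rcpt


def spoofed_internal(raw_message, trusted):
    """Return (triggered, considered_ips). Both criteria must hold.
    Assumption: with no considered IPs nothing is 'untrusted', so no trigger."""
    ips = received_ips(raw_message)
    if not same_domain(raw_message):
        return False, ips
    return any(ip not in trusted for ip in ips), ips


# Constructed samples. Trusted list: one hypothetical edge MTA address.
TRUSTED = {"198.51.100.7"}

# Same domains; the external hop 1111:2222:3333:444::5555 is not trusted -> triggers.
SPOOFED = """\
Received: by ie-test057.test.test (Postfix, from userid 0)
    id DDDFC11FB0C; Tue, 27 Apr 2019 13:57:42 +0900 (JST)
Received: from mail.example.com (unknown [1111:2222:3333:444::5555])
    by test-test200.ie.test (Postfix) with ESMTPS id A581B13803D
    for <test@test.test>; Mon,  6 Jun 2016 13:43:08 +0900 (JST)
From: test@test.test
To: test@test.test
Subject: Test

hello
"""

# Same domains; an RFC 1918 relay (ignored) then the trusted edge MTA -> no trigger.
LEGIT = """\
Received: from relay.corp.internal (relay [192.168.1.20])
    by mx.test.test (Postfix) with ESMTP id 1234ABCD
    for <test@test.test>; Tue, 30 Apr 2019 13:57:40 +0900 (JST)
Received: from edge.test.test (edge [198.51.100.7])
    by relay.corp.internal (Postfix) with ESMTP id 5678EFGH
    for <test@test.test>; Tue, 30 Apr 2019 13:57:39 +0900 (JST)
From: test@test.test
To: test@test.test
Subject: Test

hello
"""

# Different domains with an untrusted hop -> not this rule's concern.
EXTERNAL = """\
Received: from mail.example.com (unknown [203.0.113.9])
    by mx.test.test (Postfix) with ESMTPS id 9ABC
    for <test@test.test>; Tue, 30 Apr 2019 13:57:40 +0900 (JST)
From: someone@example.com
To: test@test.test
Subject: Test

hello
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT), ("EXTERNAL", EXTERNAL)):
        triggered, ips = spoofed_internal(raw, TRUSTED)
        print(f"{name}: considered IPs={ips} triggered={triggered}")
```

The LEGIT sample is the case the "edge MTA" warning in step 4 is about: if 198.51.100.7 were missing from the trusted list, the message would be blocked even though it never left the organisation.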

Log.imss.20190430.0001

2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] Running ruleId:12; version:2, numFilters:1, numActions:1

2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] [DEBUG]AntiSpoofFilter::parseSendIPFromOneRecvHeader: parse received header string:by ie-test057.test.test (Postfix, from userid 0)id DDDFC11FB0C; Tue, 27 Apr 2019 13:57:42 +0900 (JST)

2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] [DEBUG]AntiSpoofFilter::parseSendIPFromOneRecvHeader: parse received header string:from mail.example.com (unknown [1111:2222:3333:444::5555])        by test-test200.ie.test (Postfix) with ESMTPS id A581B13803D        for <test@test.test>; Mon,  6 Jun 2016 13:43:08 +0900 (JST)

2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] [DEBUG]AntiSpoofFilter::parseSendIPFromOneRecvHeader:get matched string:1111:2222:3333:444::5555

2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] [DEBUG]AntiSpoofFilter: Get 1 IP address from received header. 1111:2222:3333:444::5555,

2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] [DIAGNOSTIC]AntiSpoofFilter: Not all sender IP in Trusted Internal IP List. Triggered.

2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] [DEBUG]in convertUnicodeToString, source.length = 46

2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] filter AntiSpoofFilter isTriggered returned true [/home/autobuild/IMSx-TW_9.1/Application/src/daemon/src/TmIsScan.cpp:TmIsScan::_ruleIsTriggered:4260]

2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] push ruleID.ruleVer=12.2 into executed rule list

2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] Final action 0: QuarantineAction


Polevt.imss.20190430.0001

2019/04/30 13:57:43 GMT+09:00        87BDADC9-87B8-3D05-A958-0267A8088406        test@test        test@test.test        Test        1        Spoofing message        0000010000000000                0.612305        01000000000000000        0.000000        0        0                                        1        15        0        0        <20190430045742.DDDFC11FB0C@ie-test057.test.test>        0        0                                0        0                        0                                32767        0        0                        0                0                0                0                1        0        0        0
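
To recognise the behaviour in log.imss at scale rather than by eye, the following added script (not a Trend Micro tool) groups lines by scan thread and reports, per scan, the rule that ran, the hop IPs AntiSpoofFilter considered, whether it triggered and the final action. The sample log embeds lines from the excerpt above plus one constructed scan (thread 28639:4098484001, hop 198.51.100.7) that is assumed not to trigger; its lines reuse the formats visible in the excerpt, and the product's exact wording for the not-triggered case is not shown in the article. The trusted list passed to untrusted_hops is likewise a constructed example.

```python
import re

# Article excerpt (thread 28639:4098483968) plus a constructed, not-triggered scan.
SAMPLE_LOG = """\
2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] Running ruleId:12; version:2, numFilters:1, numActions:1
2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] [DEBUG]AntiSpoofFilter::parseSendIPFromOneRecvHeader:get matched string:1111:2222:3333:444::5555
2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] [DEBUG]AntiSpoofFilter: Get 1 IP address from received header. 1111:2222:3333:444::5555,
2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] [DIAGNOSTIC]AntiSpoofFilter: Not all sender IP in Trusted Internal IP List. Triggered.
2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] push ruleID.ruleVer=12.2 into executed rule list
2019/04/30 13:57:43 GMT+09:00        [28639:4098483968] Final action 0: QuarantineAction
2019/04/30 13:58:01 GMT+09:00        [28639:4098484001] Running ruleId:12; version:2, numFilters:1, numActions:1
2019/04/30 13:58:01 GMT+09:00        [28639:4098484001] [DEBUG]AntiSpoofFilter: Get 1 IP address from received header. 198.51.100.7,
"""

# "<date> <time> <tz>   [pid:thread] <message>"
LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+)\s+\[(?P<thread>[^\]]+)\]\s+(?P<msg>.*)$")
RULE = re.compile(r"Running ruleId:(\d+); version:(\d+)")
HOPS = re.compile(r"AntiSpoofFilter: Get \d+ IP address from received header\.\s*(.*)$")
TRIGGERED = "AntiSpoofFilter: Not all sender IP in Trusted Internal IP List. Triggered."
ACTION = re.compile(r"Final action \d+: (\w+)")


def summarize_antispoof(log_text):
    """Group lines by scan thread and record what AntiSpoofFilter did in each."""
    scans = {}  # insertion order = order of first appearance
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        scan = scans.setdefault(m["thread"], {
            "thread": m["thread"], "time": m["ts"], "rule": None,
            "ips": [], "triggered": False, "action": None})
        msg = m["msg"]
        r = RULE.search(msg)
        if r:
            scan["rule"] = "%s.%s" % r.groups()  # matches "ruleID.ruleVer=12.2"
        h = HOPS.search(msg)
        if h:
            # The list is comma-terminated in the log ("...::5555,"), hence the filter.
            scan["ips"] = [ip.strip() for ip in h.group(1).split(",") if ip.strip()]
        if TRIGGERED in msg:
            scan["triggered"] = True
        a = ACTION.search(msg)
        if a:
            scan["action"] = a.group(1)
    return list(scans.values())


def untrusted_hops(scans, trusted):
    """For triggered scans, the considered hop IPs that are missing from the
    Trusted Internal IP List: the addresses to review, or to add if they are
    really your own edge MTAs."""
    return {s["thread"]: [ip for ip in s["ips"] if ip not in trusted]
            for s in scans if s["triggered"]}


if __name__ == "__main__":
    scans = summarize_antispoof(SAMPLE_LOG)
    for s in scans:
        print(f'{s["time"]} {s["thread"]} rule={s["rule"]} ips={s["ips"]} '
              f'triggered={s["triggered"]} action={s["action"]}')
    print("untrusted hops:", untrusted_hops(scans, {"198.51.100.7"}))
```

Run it against a real log.imss file by replacing SAMPLE_LOG with the file contents; the thread id in square brackets is what ties the 'Running ruleId', AntiSpoofFilter and 'Final action' lines of one scan together.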

Category: Configure; Troubleshoot
Solution Id: 000239719