Know the different ways of configuring HES/HES - Inbound Filtering to stop receiving emails from spoofed senders.
Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).
Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from a legitimate source when it actually was sent from a malicious one.
To stop receiving emails from spoofed senders, choose any of the following options:
- Make sure that the domain's MX record is properly redirected to HES / HES - Inbound Filtering. Refer to your HES / HES - Inbound Filtering Confirmation Email for the correct MX record for your account.
- Verify the action taken by HES / HES - Inbound Filtering on the spoofed emails:
  - Log on to the HES / HES - Inbound Filtering console.
  - Go to Logs > Mail Tracking.
  - Under Mail Tracking - Inbound Traffic, query the spoofed email address.
- Check if the spoofed sender is listed on the Approved Senders List on the HES / HES - Inbound Filtering console.
  - If the spoofed sender is listed, remove the spoofed sender from the Approved Senders List.
  - If not, check if the end user is registered to the HES / HES - Inbound Filtering Web EUQ. If the owner of the spoofed address is registered to HES Web EUQ, make sure that the address is also not listed in the Web EUQ Approved Senders list. To do this, you can:
    - Ask the owner of the spoofed email address.
    - On the HES / HES - Inbound Filtering console, go to Administration > End-User password and then query the email address.
- If a corporate firewall is in place, configure the firewall to allow only the HES / HES - Inbound Filtering IP ranges. Otherwise, proceed to the next step.
- Increase the aggressiveness of the Dynamic IP Reputation Settings.
To create a policy for HES, refer to the following topic: Creating a New Rule.
This feature is available in version 2.0.
- Go to Sender Filter > Blocked Senders.
- Add all your known spoofed senders or any sender you want to be blocked. A sender can be a specific email address or all senders from a domain.
You can either:
- Attach the spam sample to another email.
- Or, preferably, compress it using WinZip (or any file compression tool) and attach the archive to another email instead of forwarding the spam mail, so that the email headers stay intact. This way, Trend Micro would be able to detect these spam emails before they reach the inbox. Follow the steps below:
  - Create a folder.
  - Drag all undetected spam samples to the folder you created.
  - Place the undetected spam samples in a zip file and password-protect it using the word "novirus" without the quotes.
  - Send the zip file to firstname.lastname@example.org.
If the issue still persists, get the latest sample spoof emails and contact Trend Micro Technical Support. Include the following information:
- Company name
- Contact person
- Email address
- IP address
- Activation Code (HES / HES - Inbound Filtering)
- New sample of spoofed emails.
The spoof mail sample should be:
- Preferably in .EML format. Use .MSG only as a last resort.
- The original mail, not a forwarded mail, since forwarded mails do not contain the original email content and may contain customer-related information that could lead to false positives.
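
A pre-submission check for the sample requirements above, as an added example that is not Trend Micro's code. The function names, the FW:/FWD: subject heuristic and the two sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

FORWARD_PREFIXES = ("fw:", "fwd:")  # assumption: common mail-client forward markers

def check_sample(raw: bytes) -> list:
    """Return the problems that make an .EML sample unsuitable to submit."""
    msg = message_from_bytes(raw, policy=policy.default)
    problems = []
    # Every relay adds a Received line; none at all means the headers were lost.
    if not msg.get_all("Received"):
        problems.append("no Received headers: original transport headers are missing")
    if not parseaddr(str(msg.get("From", "")))[1]:
        problems.append("no From address")
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject.startswith(FORWARD_PREFIXES):
        problems.append("subject marks a forward: submit the original message")
    return problems

def sender_domains(raw: bytes) -> dict:
    """Visible From domain and envelope (Return-Path) domain, for the support case.
    A mismatch is a lead worth reporting, not proof of spoofing."""
    msg = message_from_bytes(raw, policy=policy.default)
    def domain(header):
        return parseaddr(str(msg.get(header, "")))[1].rpartition("@")[2].lower()
    return {"from": domain("From"), "return_path": domain("Return-Path")}

# Constructed sample: original message with intact headers.
ORIGINAL = (
    b"Return-Path: <bounce@mailer.example.net>\r\n"
    b"Received: from mailer.example.net (mailer.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.com; Mon, 1 Jan 2024 10:00:00 +0000\r\n"
    b'From: "Accounts" <ceo@example.com>\r\n'
    b"To: user@example.com\r\n"
    b"Subject: Urgent payment\r\n\r\nPlease wire the funds today.\r\n"
)
# Constructed sample: the same mail after a user forwarded it.
FORWARDED = (
    b"From: user@example.com\r\n"
    b"To: helpdesk@example.com\r\n"
    b"Subject: FW: Urgent payment\r\n\r\n-----Original Message-----\r\n"
)

if __name__ == "__main__":
    for name, raw in (("original", ORIGINAL), ("forwarded", FORWARDED)):
        print(name, check_sample(raw), sender_domains(raw))
```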