Stop receiving spam mails coming from spoofed senders in Hosted Email Security (HES)

    • Updated: 27 May 2021
    • Product/Version: Hosted Email Security 2.0, Hosted Email Security 3.0
    • Platform: Not Applicable (N/A)

Know the different ways of configuring HES/HES - Inbound Filtering to stop receiving emails from spoofed senders. 


Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).

Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from a legitimate source when it actually was sent from a malicious one.

To stop receiving emails from spoofed senders, choose any of the following options:

  1. Make sure that the domain's MX record is properly redirected to HES / HES - Inbound Filtering. For more information, refer to the KB article: Redirecting Mail Exchange (MX) records to Hosted Email Security (HES).

    For the correct MX record for your account, check your HES / HES - Inbound Filtering Confirmation Email.

  2. Verify the action taken by HES/HES - Inbound Filtering on the spoofed email/s.
    1. Log on to the HES/HES - Inbound Filtering console.
    2. Go to Logs > Mail Tracking.
    3. Under Mail Tracking - Inbound Traffic, query the spoofed email address.

      Query spoofed email on Mail Tracking

  3. Check if the spoofed sender is listed on the Approved Senders List on the HES / HES - Inbound Filtering console.

    Check spoofed sender in Approved Senders

    If not, check if the end-user is registered to the HES/HES - Inbound Filtering Web EUQ. If the owner of the spoofed address is registered to HES Web EUQ, make sure that the address is also not listed in the Web-EUQ Approved Senders list. To do this, you can:

    • Ask the owner of the spoofed email address.
    • On the HES / HES - Inbound Filtering console, go to Administration > End-User password and then query the email address.
  4. If a corporate firewall is in place, configure the firewall to allow only the HES/HES – Inbound Filtering IP ranges. Otherwise, proceed to the next step.
  5. Increase the aggressiveness of the Dynamic IP Reputation Settings.

    IP Reputation settings

  1. Log in to the HES console and go to Inbound Protection > Policy.
  2. Click Add Rule.
  3. Fill out the following:

    • Name (name of the rule)
    • Enable Status
  4. Go to Recipients and Senders:

    1. Go to Recipients, in the drop down list, select My domain, My Groups or Type address or domain of the recipients.
    2. Go to Senders then click Select addresses to choose My domain or Type address or domain of the recipients.
  5. Under Scanning Criteria, select No criteria, then set the "And message attributes match" to None.
  6. Under Actions, you may choose which action you want for the spoofed e-mails. The recommendations are Quarantine or Delete entire message.

    In this example, set "Then action is" to Quarantine message.

Policy Settings

  1. Go to Inbound Protection > Blocked Senders.

    Blocked Senders option

  2. Add all your known spoofed senders or any sender you want to be blocked. A sender can be a specific email address or all senders from a domain.

    Valid Formats:

    Invalid Formats:


  1. Go to DNS and add TXT record:

    • When using HES Outbound scanning, the following is the recommended SPF record:

      v=spf1 -all

    • When you are not using HES Outbound scanning, the following is the recommended SPF record:

      v=spf1 ip4:IP_OF_YOUR_OUTGOING_MTA

  2. Enable Sender Policy Framework in Hosted Email Security (HES).
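
How a receiving server evaluates SPF records of the shapes shown in step 1, as an added example (not Trend Micro code). It follows the RFC 7208 rules for the `ip4`, `ip6` and `all` mechanisms only; the IP addresses are constructed documentation addresses, and the `ip4_then_fail` record is a variant added here for comparison, not a record from this article.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample values (RFC 5737 documentation addresses).
MTA_IP = "192.0.2.10"         # stands in for IP_OF_YOUR_OUTGOING_MTA
UNLISTED_IP = "203.0.113.77"  # a host the domain owner never authorised

RECORDS = {
    "deny_all": "v=spf1 -all",
    "ip4_only": f"v=spf1 ip4:{MTA_IP}",
    "ip4_then_fail": f"v=spf1 ip4:{MTA_IP} -all",  # comparison variant
}

def spf_result(record, sender_ip):
    """Evaluate a record that uses only ip4/ip6/all mechanisms.

    Mechanisms that need DNS lookups (include, a, mx, ...) and modifiers
    are out of scope for this sketch and raise ValueError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:  # mechanisms are tested left to right
        qualifier = "+"     # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":   # matches every sender
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism not supported in this sketch: {term}")
    return "neutral"  # nothing matched and the record has no 'all' term

def evaluate_samples():
    """Return {record name: (result for MTA_IP, result for UNLISTED_IP)}."""
    return {name: (spf_result(rec, MTA_IP), spf_result(rec, UNLISTED_IP))
            for name, rec in RECORDS.items()}

if __name__ == "__main__":
    for name, (mta, unlisted) in evaluate_samples().items():
        print(f"{name:14} {RECORDS[name]:30} MTA={mta:8} unlisted={unlisted}")
```

A record that ends without an `all` term returns neutral for unlisted senders, and a record consisting only of `-all` returns fail for every sender, so check the record you publish against both your real outgoing IP and an unlisted one.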

HES/HES - Inbound Filtering users are also encouraged to send undetected spam to and undetected phishing emails to

You can either:

  • Attach the spam sample to another email.
  • Or more preferably, compress it using WinZip (or any file compression tool) before attaching it to another email, instead of forwarding the spam mail, in order to keep the email headers intact. This way, Trend Micro would be able to detect these spam emails before they reach the inbox. Follow the steps below:
    1. Create a folder.
    2. Drag all undetected spam samples to the folder you created.
    3. Place the undetected spam samples in a zip file and password-protect it using the word "novirus" without the quotes.
    4. Send the zip file to

    If the issue still persists, get the latest sample spoof emails and contact Trend Micro Technical Support. Include the following information:

    • Company name
    • Contact person
    • Email address
    • Domain(s)
    • IP address
    • Activation Code (HES / HES - Inbound Filtering)
    • New sample of spoofed emails.

    The spoof mail sample should be:

    • Preferably in .EML format. Use .MSG only as a last resort.
    • The original mail, not a forwarded copy, since forwarded mails do not contain the original email content and may contain customer-related information that could lead to false positives.
  • Submit a Case Online.

    Refer to the KB article: Submitting samples of a legitimate email being tagged as spam and undetected spam
