Example: Quarantine Messages from Fake Senders

Some spammers falsify email addresses so that the message appears to originate from a sender within the recipient’s own domain. For example, the recipient works for company "XYZ", and his own corporate email address is john@xyz.com. A spammer might then pose as frank@xyz.com in an attempt to evade detection.

Guard against this tactic by adding a rule to the "Mail from external hosts" section of the policy that filters incoming mail from senders pretending to be a member of the same domain. The rule tests external messages for the presence of the domain in the Envelope from and Sender parts. Any messages containing the specified domain are quarantined.

Note This test is based on the premise that legitimate members of the domain require some form of authentication to access their email accounts externally. Therefore, it is assumed that addresses with the company’s domain that originate from outside of the network are fake.

To Quarantine Messages from Fake Senders using the PureMessage Manager:

  1. Click Create beside Backups on the Policy tab sidebar. A backup of the current policy is created; a backup entry with the current date and time are displayed in the Backups section of the sidebar.
  2. Click the Policy Rules on the Policy tab sidebar to display the current policy.
  3. Click the Mail from external hosts rule.
  4. Click add rule (beside Execute actions and rules). A new rule is created.
    1. Configure the Test:
      1. Change the (New Rule) text to Check for fake senders.
      2. From the Tests drop-down list, select Sender’s address.
      3. From the second drop-down list, select Matches.
      4. In the adjacent text box, enter **@xyz.com.
      5. Click add test.
      6. From the drop-down list, select Envelope from.
      7. From the second drop-down list, select Matches.
      8. In the adjacent text box, enter **@xyz.com.
      9. From the criteria drop-down list, select If ANY criteria are met.
    2. Configure the Action:
      1. Click add action. This creates the action configuration template.
      2. In the Execute actions and rules drop-down list, select Quarantine the message.
      3. In the text box on the right (Quarantine Reason), enter Fake Sender.
      4. Click add action.
      5. In the second rules drop-down list, select Stop processing.
      6. Click Save.
    3. Change the Rule Order:
      1. Click Cut. A message is displayed at the top of the page indicating that the Check for fake senders rule has been cut.
      2. Click to select the rule Clean mail containing viruses.
      3. Click Paste. The Check for fake senders rule is now displayed in its new position beneath the Check mail containing viruses rule.

    4. Click the Commit link to update the live policy script. PureMessage displays a message advising that the milter is running with a stale configuration. Do not restart the milter.
  5. Test New Policy: Because the milter has not been restarted, it is still using the original policy. Therefore, the new policy can be tested without making it "live".
    1. Click Test Current Policy on the Policy tab sidebar. The Test Current Policy page is displayed.
    2. From the Select Relay Type drop-down list, select External.
    3. In the Envelope From text box, enter: frank@xyz.com.
    4. Do not edit the default text displayed in the message source text box.
    5. Click Test. The test runs and the results are displayed. Note that the Delivery Action for the test message is "quarantine: Fake_Sender". Scroll down in the Details list box to view the test results.
  6. If satisfied with the new policy, click Restart now to restart the milter and make the new policy live. To restore the original policy, click the backup link, and select OK.

Policy Script

To Quarantine Messages from Fake Senders by manually editing the policy script:

# attr NAME=Mail from external hosts
else {
    pmx_add_header "X-PMX-Version" "%%PMX_VERSION%%";
    pmx_mark "Size" "%%MESSAGE_SIZE%%";
    # attr NAME=Clean mail containing viruses
    if pmx_virus {
        pmx_file "Virus";
        pmx_virus_clean "cantclean.tmpl";
        pmx_replace_header "Subject" "[PMX:VIRUS] %%SUBJECT%%";
        pmx_replace_header "X-PerlMx-Virus-Detected" "%%VIRUS_IDS%%";
    # attr NAME=Check for fake senders
    if anyof(address :all :matches :comparator "i;ascii-casemap" ["from"]
    envelope :comparator "i;ascii-casemap" :all :matches ["from"]
        pmx_quarantine "Fake Sender";

See the Policy Script Tutorial for more information about modifying the policy script from the command line.