CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

Hi folks,

Can we block spoofed emails on SmartDefense? I didn't see major options for it. We are using NGX 6.0.

Background: we've implemented SPF records on our DNS server so that people who receive mail from our domain name can check our SPF records. But our server receives spoofed email with IDs like emailid@ourdomain, where ourdomain is our DNS domain. Though Symantec Brightmail is able to block these mails, we would like our sendmail not to receive any mail sent from an email ID with our domain name.

Any ideas?

Yogi

Hi Yogi,

This might not be exactly how you want to attack this problem, however here goes.

You could implement the SMTP security service on the firewall. Note: this may require changes to your MX records, depending on your set-up.

Create some mail resources which handle dropping and delivery of your mail. The first resource will have a sender of *@yourdomain. All the other details don't matter for this resource. You'll be using it in your e-mail drop rule.

The second resource will be the one that handles delivery. This one will have a sender of *@*.* (this ensures you don't get e-mail with a null sender); the recipient will be *@yourdomain. All other fields depend on how you want to handle delivery (e.g. size). Add an IP address in the server field (this is where the mail will be delivered after the firewall has inspected it).

Once you have created these SMTP resources, add rules to the policy:

First mail rule (to drop *@yourdomain):
- src = any
- dest = Mail server object (public IP)
- service = smtp->antispoof-resource
- action = drop

Second mail rule (to deliver mail):
- src = any
- dest = Mail server object (public IP)
- service = smtp->maildelivery-resource
- action = accept

This will also give you added visibility of mail passing through the firewall, as it adds more detail to the information column in SmartView Tracker.

Depends on your point of view really. I don't see too many issues with using the security service. The only issue you may find is additional load on the FW.

One thing I forgot to mention: change the banner text for the security service in Policy > Global Properties > Firewall > Security Server. The default shows a Check Point banner.

Hi Dude,

One small doubt. I will create the following rules:

| Source | Destination | Service | Action |
|---|---|---|---|
| Any | MailServersPublicIP | smtp-->antispoof-resource | Drop |
| Any | MailServersPublicIP | smtp-->maildelivery-resource | Accept |

I created two resource objects and specified *.@mydomain in the first resource and nothing in the second resource. In my view I don't need to enable any mail server on the CP box, right? The rules will handle this. If it works it's great logic. I remember using an FTP resource object to block get/put.

Thanks again,
Yogi

Personally I would never recommend use of the SMTP security server in a production environment. Like mentioned above, performance is questionable and, most of all, the reliability of the mdq process, which in some cases works as it wants, dies, core dumps etc.

Hi Yogi,

The resource used for dropping the e-mail will have *@yourdomain in the sender field and the delivery resource will have *@yourdomain in the recipient field. As you mentioned, you could leave the delivery resource sender/recipient fields blank (or use *) if you want to. If you have multiple domains you can specify all of these in the recipient field; just put braces {} around them and separate each with a comma. You shouldn't need to do anything else (unless you've edited files to disable the SMTP security service).

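The rule base described in the two replies above (a drop rule matching senders at your own domain placed before a delivery rule of *@*.* to *@yourdomain, with brace lists for several domains), as an added illustration that is neither Check Point code nor anything posted in this thread: a small Python emulator of the ordered matching. It assumes the resource sender/recipient fields are matched against the SMTP envelope (MAIL FROM and RCPT TO), that `*` is a wildcard and `{a,b}` a comma-separated alternation, and that a message matching no rule is dropped; the domain names and the resource names `antispoof-resource` / `maildelivery-resource` are placeholders. It also shows why the *@*.* sender pattern excludes the null sender and why the order of the two rules matters.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not Check Point code, not from the thread): emulates the
# ordered SMTP-resource rules discussed above. Assumptions: sender/recipient
# fields are matched against the SMTP envelope (MAIL FROM / RCPT TO), '*' is
# a wildcard, '{a,b}' is a comma-separated alternation, and a message that
# matches no rule is dropped. Domain and resource names are placeholders.


def glob_to_regex(pattern: str) -> str:
    """Translate the resource wildcard syntax into a regex body (no anchors)."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "{":
            close = pattern.index("}", i)  # nested braces are not supported
            alternatives = [glob_to_regex(alt.strip())
                            for alt in pattern[i + 1:close].split(",")]
            parts.append("(?:" + "|".join(alternatives) + ")")
            i = close + 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return "".join(parts)


@dataclass(frozen=True)
class Resource:
    name: str
    sender: str      # pattern over MAIL FROM ("" stands for the null sender <>)
    recipient: str   # pattern over RCPT TO


@dataclass(frozen=True)
class Rule:
    resource: Resource
    action: str      # "drop" or "accept"


def resource_matches(res: Resource, mail_from: str, rcpt_to: str) -> bool:
    """Both the sender and the recipient pattern must match the whole address."""
    flags = re.IGNORECASE
    return (re.fullmatch(glob_to_regex(res.sender), mail_from, flags) is not None
            and re.fullmatch(glob_to_regex(res.recipient), rcpt_to, flags) is not None)


def decide(rules: List[Rule], mail_from: str, rcpt_to: str) -> Tuple[str, str]:
    """First matching rule wins, as in a firewall rule base; no match means drop."""
    for rule in rules:
        if resource_matches(rule.resource, mail_from, rcpt_to):
            return rule.action, rule.resource.name
    return "drop", "implicit-cleanup"


# Placeholder resources mirroring the two described in the thread.
ANTISPOOF = Resource("antispoof-resource", sender="*@yourdomain.example", recipient="*")
DELIVERY = Resource("maildelivery-resource", sender="*@*.*",
                    recipient="*@{yourdomain.example,other.example}")
POLICY = [Rule(ANTISPOOF, "drop"), Rule(DELIVERY, "accept")]

if __name__ == "__main__":
    # Constructed envelopes, not captured traffic.
    samples = [
        ("alice@yourdomain.example", "bob@yourdomain.example"),  # spoofed own-domain sender
        ("carol@partner.example", "bob@yourdomain.example"),     # legitimate inbound mail
        ("", "bob@yourdomain.example"),                          # null sender <>
        ("carol@partner.example", "bob@elsewhere.example"),      # not one of our domains
    ]
    for mail_from, rcpt_to in samples:
        print(f"{mail_from or '<>':28} -> {rcpt_to:24} {decide(POLICY, mail_from, rcpt_to)}")
    # With the two rules swapped the spoofed message would be delivered: order matters.
    print(decide(list(reversed(POLICY)), "alice@yourdomain.example", "bob@yourdomain.example"))
```

Running the module prints one decision per constructed envelope; the null-sender case falls through both rules because `*@*.*` requires an `@` and a dot, which is the effect the reply above relies on.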
Hi acidio/guyd,

I implemented the solution but am facing some issues:

1. Some spoofed emails are still making their way to the internal server, even though I could see many, many are getting blocked on CP. Is it due to the high volume of mails?
2. The firewall is querying the internal DNS server with so many DNS queries. Why?

Need a reply/help ASAP.

Thanks,
Yogi

You could try debugging the in.smtpd and mdq processes. See the following KB article on how to do this: https://secureknowledge.checkpoint.c....do?id=sk31990

When you say many are being blocked on CP, is the firewall dropping them, or are there many mail files in the spool folder(s)? Also, I haven't seen the security service deliver what is expected to be blocked.