Anti-spoofing


Spoofing is the construction of a message in such a way that it appears to come from someone other than its real sender, so that the message can no longer be trusted as authentic.

Several techniques can be used to spoof a message, including:

Unfortunately, there are no hard and fast rules for guaranteeing the authenticity of a message and the best that can be done is to estimate the probability that a message has been spoofed. Apart from some obvious examples, it is almost impossible to determine if a message has been spoofed or if it is legitimate. For example:

MAILsweeper for SMTP can provide protection from spoofing by:

Identifying spoofed messages

MAILsweeper for SMTP can identify mail messages that may have been spoofed, by searching the message for tell-tale signs that indicate common spoofing methods, for example, source routing, suppressed reverse DNS lookup, message route concealment, and so on.

MAILsweeper searches each message and generates a spoof probability, depending on indications of possible spoofing methods that it finds. If the spoof probability equals or exceeds a specified threshold value, the message is marked as being 'possibly spoofed' and a warning is appended to the message when it is delivered to the intended recipients. The wording of the warning can be modified if desired.

You can set the spoof threshold value to suit your own requirements. For example, if you are particularly concerned about mail spoofing you may wish to set the threshold to be relatively low. If you are not so concerned you may choose to set it to a higher value. See the next page for details on how to set the spoof threshold.

As it is impossible to positively identify spoofed messages, MAILsweeper does not block messages that appear to be spoofed. The message is delivered as normal, but with a suitable warning appended.

Each spoofing method MAILsweeper looks for has a different probability weighting, depending on how strongly it suggests that the message may be spoofed, for example, source routing carries a higher probability than suppressed DNS lookup or message concealment. The types and combinations of spoofing methods detected will determine the final spoof probability for the message.

If you set tight spoofing probabilities, that is, set the spoof threshold too low, or make use of source routing, you may find that you get too high an incidence of false positives, that is, messages being marked as spoofed that are in fact legitimate.

Furthermore, if you deliberately conceal MX records or suppress reverse DNS lookup for mail hosts, there is likely to be an increased incidence of false positives.

The final spoof probability generated for a message is checked against the specified spoof threshold value. If the probability equals or exceeds this threshold value an attribute called PossibleSpoof is attached to the message, with a value of TRUE.

The PossibleSpoof attribute is then checked during message disposal.[1] If it has the value TRUE then a warning is appended to the message body, suggesting that the message may be spoofed and that its authenticity should be verified.

This warning message is appended using the automated editing facility.

For example:

In MIMESWP.CFG:

[Clean]
Edit=AppendIfSpoof
Edit=AppendOutwardDisclaimer
Deliver=

[AppendIfSpoof]
PerformIf=PossibleSpoof==TRUE
AppendToBody=C:\MSW\Config\POSSPOOF.TXT

You can modify the wording of the warning message, if desired, by changing the contents of the file C:\MSW\Config\POSSPOOF.TXT.

The default contents are as follows:

In POSSPOOF.TXT

Information in the headers for this message suggest that it may be spoofed and that its authenticity should be verified.

See page 7-34 for more details on how the automated editing facility is configured.
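The scoring and disposal steps above can be modelled end to end. The following is an added example written for this page, not MAILsweeper's own code: it scores a parsed message against a few indicator checks, sets a PossibleSpoof attribute when the total equals or exceeds the threshold, and then models the [Clean] route (PerformIf=PossibleSpoof==TRUE followed by AppendToBody) by appending the POSSPOOF.TXT wording. The page gives only the ordering of the weightings (source routing highest) and the ceiling of 25, so the individual weights, the header patterns used to recognise each indicator, and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string

# Assumed weights: the page states only that source routing carries a higher
# weighting than suppressed reverse DNS lookup or route concealment, and that
# the maximum total is 25. These particular numbers are constructed here.
WEIGHTS = {
    "source_routing": 15,
    "no_reverse_dns": 5,
    "route_concealment": 5,
}
MAX_PROBABILITY = 25      # stated on the page
DEFAULT_THRESHOLD = 10    # default SpoofThreshold in SMTP.CFG

# Default POSSPOOF.TXT wording, as given on the page.
POSSPOOF_TEXT = ("Information in the headers for this message suggest that it "
                 "may be spoofed and that its authenticity should be verified.")

# Assumed signatures for the indicators (hypothetical, not MAILsweeper's rules):
# an RFC 821 source route such as "<@relay:user@host>" in a sender header, and a
# Received header whose "from" clause carries only an IP literal, i.e. no host name
# was obtained by reverse lookup.
SOURCE_ROUTE_RE = re.compile(r"<?@[\w.-]+(?:,@[\w.-]+)*:")
NO_RDNS_RE = re.compile(r"\bfrom\s+\[\d{1,3}(?:\.\d{1,3}){3}\]\s+by", re.I)


def detect_indicators(msg):
    """Return the sorted list of indicator names found in the message headers."""
    found = set()
    for hdr in ("From", "Sender", "Return-Path", "Reply-To"):
        for value in msg.get_all(hdr, []):
            if SOURCE_ROUTE_RE.search(value):
                found.add("source_routing")
    received = msg.get_all("Received", [])
    for value in received:
        if NO_RDNS_RE.search(value):
            found.add("no_reverse_dns")
    # No Received trace at all: the route the message took is concealed.
    if not received:
        found.add("route_concealment")
    return sorted(found)


def spoof_probability(indicators):
    """Sum the weightings of the indicators, capped at the page's maximum of 25."""
    return min(sum(WEIGHTS[name] for name in indicators), MAX_PROBABILITY)


def mark_possible_spoof(raw_message, threshold=DEFAULT_THRESHOLD):
    """Score a raw RFC 822 message and set the PossibleSpoof attribute."""
    msg = message_from_string(raw_message)
    indicators = detect_indicators(msg)
    probability = spoof_probability(indicators)
    return {
        "indicators": indicators,
        "probability": probability,
        "PossibleSpoof": probability >= threshold,
    }


def clean_disposal(raw_message, threshold=DEFAULT_THRESHOLD):
    """Model the [Clean] route: PerformIf=PossibleSpoof==TRUE -> AppendToBody."""
    result = mark_possible_spoof(raw_message, threshold)
    msg = message_from_string(raw_message)
    if result["PossibleSpoof"]:
        body = msg.get_payload()
        msg.set_payload(body.rstrip("\n") + "\n\n" + POSSPOOF_TEXT + "\n")
    return msg.as_string(), result


# Constructed sample messages (not real traffic).
SPOOFED = """Received: from [192.0.2.10] by mail.example.com; Mon, 1 Jan 2001 10:00:00 +0000
From: <@relay.example.net:ceo@example.com>
To: staff@example.com
Subject: Urgent

Please wire the funds today.
"""

LEGITIMATE = """Received: from mx.partner.example (mx.partner.example [192.0.2.20]) by mail.example.com; Mon, 1 Jan 2001 10:00:00 +0000
From: alice@partner.example
To: staff@example.com
Subject: Hello

Hi there.
"""

CONCEALED = """From: bob@example.org
To: staff@example.com
Subject: No trace

No Received headers on this one.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE), ("concealed", CONCEALED)):
        delivered, verdict = clean_disposal(sample)
        print(name, verdict, "warning appended" if POSSPOOF_TEXT in delivered else "delivered as-is")
```

With the default threshold of 10 the concealed-route sample scores only 5 and is delivered without a warning; lowering the threshold to 5, as the page suggests for a site that is more concerned about spoofing, flips it to PossibleSpoof=TRUE, which illustrates the false-positive trade-off discussed above.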

The spoof threshold is specified in the [SMTP] configuration section.[2] This section is found in the post office configuration file, SMTP.CFG.

For example:

[SMTP]
ContainerClass=Container
...
SpoofThreshold=10
;Timezone=+0000

By default this value is 10, but can be changed if desired. If you are particularly concerned about spoofing, set the threshold value lower. If you are less concerned, set it higher.

The maximum spoof probability that can be generated is 25, so there is no advantage in setting the threshold higher than this as it will effectively disable the facility.

To disable the anti-spoof facility ensure that the Edit disposal action is commented out in the [Clean] configuration section. This section is found in the mail configuration file, MIMESWP.CFG.

That is, change:

[Clean]
Edit=AppendIfSpoof
Edit=AppendOutwardDisclaimer
Deliver=

to

[Clean]
;Edit=AppendIfSpoof
Edit=AppendOutwardDisclaimer
Deliver=

Assuming this facility is enabled, messages released from quarantine will still be checked for possible spoofing. The only exception is if a different <Response> is specified, using the ReleaseDisposal directive, and this does not follow the Clean disposal route. See page 7-28 for details.
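Because the facility can be switched off in two separate files (a commented-out Edit line in MIMESWP.CFG, or a SpoofThreshold above the maximum probability of 25 in SMTP.CFG), it is useful to be able to read both and report the effective state. The following is an added example for this page, not a MAILsweeper utility: a minimal parser for the INI-style .CFG files that honours ';' comments and keeps duplicate keys such as the repeated Edit= lines, plus a function that combines the two files into one verdict. The sample configuration text is constructed from the fragments shown on this page.

```python
def parse_sections(text):
    """Parse INI-style .CFG text into {section: [(key, value), ...]}.

    ';' begins a comment line and duplicate keys are kept in order, which is
    needed because [Clean] carries more than one Edit= directive.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def anti_spoof_state(mimeswp_cfg, smtp_cfg, default_threshold=10, max_probability=25):
    """Report whether anti-spoofing is effectively enabled given both config files."""
    msw = parse_sections(mimeswp_cfg)
    smtp = parse_sections(smtp_cfg)

    # The Edit disposal action must be present (not commented out) in [Clean] ...
    edits = [value for key, value in msw.get("Clean", []) if key == "Edit"]
    edit_enabled = "AppendIfSpoof" in edits
    # ... and the section it names must actually test the PossibleSpoof attribute.
    conditions = [value for key, value in msw.get("AppendIfSpoof", []) if key == "PerformIf"]
    checks_attribute = "PossibleSpoof==TRUE" in conditions

    threshold = default_threshold
    for key, value in smtp.get("SMTP", []):
        if key == "SpoofThreshold":
            threshold = int(value)

    if not edit_enabled:
        state = "disabled: no Edit=AppendIfSpoof in [Clean]"
    elif not checks_attribute:
        state = "disabled: [AppendIfSpoof] does not test PossibleSpoof==TRUE"
    elif threshold > max_probability:
        state = "effectively disabled: threshold exceeds maximum probability %d" % max_probability
    else:
        state = "enabled"
    return {"edit_enabled": edit_enabled, "threshold": threshold, "state": state}


# Constructed sample configuration, assembled from the fragments on this page.
MIMESWP_ENABLED = """[Clean]
Edit=AppendIfSpoof
Edit=AppendOutwardDisclaimer
Deliver=

[AppendIfSpoof]
PerformIf=PossibleSpoof==TRUE
AppendToBody=C:\\MSW\\Config\\POSSPOOF.TXT
"""

MIMESWP_DISABLED = """[Clean]
;Edit=AppendIfSpoof
Edit=AppendOutwardDisclaimer
Deliver=

[AppendIfSpoof]
PerformIf=PossibleSpoof==TRUE
AppendToBody=C:\\MSW\\Config\\POSSPOOF.TXT
"""

SMTP_DEFAULT = """[SMTP]
ContainerClass=Container
SpoofThreshold=10
;Timezone=+0000
"""

SMTP_TOO_HIGH = """[SMTP]
ContainerClass=Container
SpoofThreshold=30
;Timezone=+0000
"""

if __name__ == "__main__":
    print(anti_spoof_state(MIMESWP_ENABLED, SMTP_DEFAULT))
    print(anti_spoof_state(MIMESWP_DISABLED, SMTP_DEFAULT))
    print(anti_spoof_state(MIMESWP_ENABLED, SMTP_TOO_HIGH))
```

Run against the live files, this check catches the quiet failure mode the page warns about: a threshold of 30 leaves every directive in place yet can never be reached, so the warning is never appended.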



[1] Assuming the message uses the Clean disposal route.

[2] See page 7-51 for more details on the [SMTP] section.

msw.support@mimesweeper.com

Copyright © 1998, Content Technologies Limited. All rights reserved.