URL: https://proofpoint.my.site.com/community/s/article/How-to-enable-the-Antispoof-policy
Submission: On July 29 via api from DE — Scanned from DE

[EMAIL PROTECTION (PPS/POD)] ENABLE THE ANTI-SPOOF RULE: PREVENT SPOOFING AND
PHISHING EMAILS

ANTI-SPOOF POLICY FOR DEALING WITH FAKE (SPOOFED) INTERNAL INBOUND MESSAGES.

JUN 27, 2023 • KNOWLEDGE


INFORMATION

Description

Situation
Your email servers deliver fake messages that appear to be from employees within
your own company (known as spoofing or spoofed messages). These emails put your
organization at risk and usually request money or compromising information.

Product / Version
Proofpoint Protection Server (PPS) version 8.x and newer

Solution

Create a policy that:

 1. Processes internal email messages from valid sources (exempt sources).
 2. Filters and dispositions all other internal email (claiming to be from your
    domain).

Anti-spoof Strategy Component
This anti-spoof policy is one part of a complete anti-spoof strategy. You should
also look into fully implementing additional anti-spoof tactics such as SPF,
DKIM, and DMARC.


SPOOFING BACKGROUND

All spoofed messages share a common vulnerability: the email claims to be from a
sender within one of your own domains, but it arrives to your Proofpoint server
from an outside connection.

Many spoofed messages are legitimate. For example, you use a sales software that
sends email as though it came from your employees.

Malicious spoofers often harvest company personnel information from public
sources and social engineering channels to create an email that sounds
convincing. Some common spoofing examples include:
 * Message claiming to be from the CEO or other top executive requesting
   immediate action to wire money to a third party.
 * Messages usually include requests to not call the CEO or talk to anyone about
   the request.
 * First message is often innocuous, just requesting a reply; specific money
   transfer instructions follow in subsequent messages.


ANTI-SPOOF POLICY OVERVIEW

Because you cannot anticipate and block every source/host of spoofed email, the
best strategy is to identify all legitimate sources of internal email and only
allow internal email from those authorized sources.



The policy will:

 1. Process internal email messages from valid sources (exempt sources).
 2. Filter and disposition all other internal email (claiming to be from your
    domain).

Disposition Options
You have many options when dispositioning potential spoofed messages. Some
examples include quarantining messages, forwarding them to a specific user, or
delivering them with a label in the subject (such as [External]).

To implement the policy you will:

 1. Activate and configure the existing Anti-spoof Email Firewall rules
 2. Test the Anti-spoof Rule
 3. Add Policy Exemptions (Authorized Sources)
 4. Maintain and Tweak the Policy


1. ACTIVATE AND CONFIGURE THE EXISTING ANTI-SPOOF EMAIL FIREWALL RULES

Reminder: Rules Catch All Non-Exempt Internal Email
These rules can have extremely broad scopes. The strategy is to use the
exemption policy routes to allow legitimate internal sources to bypass the
anti-spoof rule, then the anti-spoof rule will catch all remaining messages.

 1. Navigate to Email Protection > Email Firewall > Rules > pp_antispoof
 2. Enable the rule (select On)
 3. Click Delete All Conditions to add your specific domain
 4. Click Add Condition. You will add two conditions per domain:
    1. Configure the first condition and then click Add and New Condition:
       1. Condition: Envelope Sender
       2. Operator: Is in Domain Set
       3. Value: default_inbound
    2. Configure the second condition and then click Add Condition:
       1. Add condition as: Or
       2. Condition: Message Headers
       3. Header: From (Address Only)
       4. Operator: Is In Domain Set
       5. Value: default_inbound
 5. Set the disposition to Quarantine the message (default folder of Spoofed is
    sufficient) and Continue delivery.

Check out our training video on how to manually create an anti-spoof rule.


2. TEST THE ANTI-SPOOF RULE

If you enabled one or more of the Email Firewall rules described above,
the Proofpoint Protection Server will begin to quarantine and/or tag email
messages. You can test your anti-spoof policy by observing which messages the
system catches. Here are some things to consider:

 * Disk Space: Make sure you have adequate disk space to quarantine the
   messages.
   * You can verify your available disk space by checking System > Servers and
     viewing System Disk.
   * Free up disk space by deleting messages from your folders.
 * Module Priority: Email Rules have the lowest module priority. You may find
   some of these spoofed messages in other quarantine folders if any other
   higher-priority modules (such as Spam) fire on the messages.
 * Legitimate Email: You may find legitimate email in the quarantine folders.
   You will want to tweak your exemption policy routes and/or your anti-spoof
   Email Rules to make sure only spoofed emails are quarantined.
 * Audit Mode - Delivered Emails: The antispoof Email Rule still delivers all
   email, so don't panic if you see legitimate emails. You can change the policy
   to discard emails once you are confident that the policy only catches spoofed
   emails.
   
   If you still need all messages Quarantined after setting the rule to discard,
   it is recommended to add a condition of And Defer processing until end of
   message to the rule. This will prevent messages from being discarded without
   being quarantined.

Review the folder periodically and identify legitimate spoofers. Make use of the
View > Headers view to confirm where the mails were sent from and identify any
commonalities, for example IP ranges/subnets or similar server hostnames.



You can also contact third parties and ask them to provide a list of their known
sending servers, which removes some of the guesswork from your exclusion list.
Consider these internal sources when you make exemption policy conditions:

Source: Description

 * Internal Mail Servers: Legitimate outbound mail from your own servers.
 * Wireless ISPs: Messages sent from wireless devices and originating on
   external SMTP networks.
 * Other Locations: Satellite offices that share your domain but are linked to
   your location by an external internet connection.
 * Third-Party: Organizations you may have contracted that send mail using your
   own domain. For example, bulk email solutions, CRMs that send email using
   your domain, etc.
 * External: Servers that send messages from public IP addresses or sites
   external to your own network.
 * Forwarded Messages: Messages forwarded from external services that accept
   messages and forward them to users at your domain without modifying the
   sender address.

The above list is not comprehensive. You must consider all email sources and
which conditions you can use to identify them. If you miss a legitimate source,
the anti-spoof policy will disposition that email as a spoofed message.


3. CREATE POLICY EXEMPTIONS

Update the pp_spoofsafe Policy Route whenever you need to make an anti-spoof
exception/allowance. "Sender IP address equals", "sender IP address in network"
or "sender hostname ends with" conditions are best. You can also make email
address based exemptions, such as "sender email address equals
mybenefitsupdate@mycompany.com".

Example:

 1. Navigate to System > System > Policy Routes > pp_spoofsafe
 2. Click Add Condition
 3. Add an identifying condition for the legitimate sender (authorized source),
    which may be:
    * Sending IP Address
    * HELO domain
    * hostname
    * envelope sender address
    Example Condition (Sending IP Address)

Messages from this sender will no longer trigger the pp_antispoof Email Firewall
Rule.

Are you an Office 365 user? Check out our article Creating an Office 365
Anti-spoof Rule.


4. ENFORCE, MAINTAIN, AND TWEAK THE POLICY


INTERNALNET POLICY ROUTE / SENDER IP ADDRESS OF 127.0.0.1

We DO NOT recommend adding internalnet to Disable processing for selected policy
routes... under the policy route section of an anti-spoof rule. We also DO NOT
recommend adding the condition of Sender IP Address of 127.0.0.1 to any policy
route that disables the anti-spoof rule.

Doing so will prevent the anti-spoof rule from triggering when a message has
been split or looped through the system. This is because the policy route /
condition will trigger as the message goes to be re-processed and will disable
the rule before the system has had a chance to look at the headers of the
message for the original connecting IP address/hostname.
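The two rule conditions from section 1, the pp_spoofsafe exemption conditions from section 3, and the looped-message caveat just described can be written down as one small decision procedure. The Python below is an added example written for this article, not Proofpoint code: INTERNAL_DOMAINS stands in for the default_inbound domain set, OUR_EDGE_HOSTS (pps.mycompany.com) is a hypothetical PPS hostname, the Received header form it parses is the common "from HELO (rdns [ip]) by HOST" layout, and every sample message, address and IP is constructed. The immediate_peer_only switch reproduces the mistake warned about above, judging the message by its most recent hop (127.0.0.1 after a loop or split) instead of the original connecting IP.

```python
"""Model of the article's anti-spoof policy (added example, not Proofpoint code).

A message that claims to be from one of our domains (envelope sender OR From
header) and does not come from an authorized source is quarantined (audit mode)
or discarded (enforce mode). The source is the OLDEST Received hop stamped by
our own edge host, so a looped/split message (newest hop 127.0.0.1) is still
judged by its original connecting IP.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical stand-ins for the default_inbound domain set and the PPS edge host.
INTERNAL_DOMAINS = {"mycompany.com"}
OUR_EDGE_HOSTS = {"pps.mycompany.com"}

# Matches the common "from HELO (rdns [ip]) by HOST" form of a Received header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def _domain(address: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def claims_internal(envelope_sender: str, msg: Message) -> bool:
    """pp_antispoof conditions: Envelope Sender in domain set OR From (address only) in domain set."""
    return (_domain(envelope_sender) in INTERNAL_DOMAINS
            or _domain(msg.get("From", "")) in INTERNAL_DOMAINS)


def connecting_hop(msg: Message, immediate_peer_only: bool = False):
    """Return (ip, rdns) of the hop to judge, or None if our edge never stamped one.

    Received headers are prepended, so index 0 is the newest hop. The original
    external connection is the oldest hop received 'by' one of our edge hosts.
    """
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(header)
        if m and m.group("by").lower() in OUR_EDGE_HOSTS:
            hops.append((m.group("ip"), m.group("rdns").lower()))
    if not hops:
        return None
    return hops[0] if immediate_peer_only else hops[-1]


@dataclass
class SpoofSafeRoute:
    """Exemption conditions of the kinds the article recommends for pp_spoofsafe."""
    sender_ips: set = field(default_factory=set)         # Sender IP address equals
    sender_networks: list = field(default_factory=list)  # Sender IP address in network
    hostname_suffixes: tuple = ()                        # Sender hostname ends with
    envelope_senders: set = field(default_factory=set)   # Sender email address equals

    def matches(self, ip: str, rdns: str, envelope_sender: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return (str(addr) in self.sender_ips
                or any(addr in net for net in self.sender_networks)
                or any(rdns.endswith(s) for s in self.hostname_suffixes)
                or parseaddr(envelope_sender)[1].lower() in self.envelope_senders)


def evaluate(raw: str, envelope_sender: str, route: SpoofSafeRoute,
             enforce: bool = False, immediate_peer_only: bool = False) -> str:
    """Disposition: 'deliver', 'quarantine+deliver' (audit) or 'discard' (enforce)."""
    msg = message_from_string(raw)
    if not claims_internal(envelope_sender, msg):
        return "deliver"                      # the rule does not fire at all
    hop = connecting_hop(msg, immediate_peer_only)
    if hop is not None and route.matches(hop[0], hop[1], envelope_sender):
        return "deliver"                      # authorized source, exempt from the rule
    return "discard" if enforce else "quarantine+deliver"


# Constructed sample data (documentation IP ranges, invented hostnames).
ROUTE = SpoofSafeRoute(
    sender_networks=[ipaddress.ip_network("198.51.100.0/24")],  # contracted CRM vendor
    hostname_suffixes=(".mail.mycompany.com",),                 # our own outbound relays
    envelope_senders={"mybenefitsupdate@mycompany.com"},
)
SPOOF = """\
Received: from mail.badhost.example (mail.badhost.example [203.0.113.5]) by pps.mycompany.com with ESMTP id 1
From: "CEO" <ceo@mycompany.com>
To: cfo@mycompany.com
Subject: urgent wire

Please reply when you are at your desk.
"""
# The same spoof after being looped back through the system: newest hop is 127.0.0.1.
LOOPED_SPOOF = ("Received: from localhost (localhost [127.0.0.1]) by pps.mycompany.com with ESMTP id 2\n"
                + SPOOF)
CRM_MAIL = """\
Received: from crm.vendor.example (crm.vendor.example [198.51.100.10]) by pps.mycompany.com with ESMTP id 3
From: HR <hr@mycompany.com>
To: staff@mycompany.com
Subject: benefits enrollment

Open enrollment starts Monday.
"""

if __name__ == "__main__":
    loop_route = SpoofSafeRoute(sender_ips={"127.0.0.1"})  # the exemption the article warns against
    print(evaluate(SPOOF, "ceo@mycompany.com", ROUTE))                # quarantine+deliver
    print(evaluate(SPOOF, "ceo@mycompany.com", ROUTE, enforce=True))  # discard
    print(evaluate(LOOPED_SPOOF, "ceo@mycompany.com", loop_route, immediate_peer_only=True))  # deliver (bypassed)
    print(evaluate(LOOPED_SPOOF, "ceo@mycompany.com", loop_route))    # quarantine+deliver
    print(evaluate(CRM_MAIL, "bounce@crm.vendor.example", ROUTE))     # deliver
```

Run it directly to see the five dispositions. The CRM message is allowed through only because its connecting network is on the route, not because of anything in its headers, which is the whole point of keeping exemptions in pp_spoofsafe rather than in the rule. The looped spoof is exempted only when the code mimics the 127.0.0.1 shortcut; with the original-hop logic the loop hop is ignored and the message is still caught.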


ENFORCE THE POLICY

Once you are confident that the entire policy is only catching spoofed emails,
you can change the pp_antispoof Email Rule (Email Protection tab > Email
Firewall > Rules > pp_antispoof) Disposition to Discard email (see the first
section in this article for more information on editing the rule). This will
block the emails from reaching your end users.


DISCARD VS. REJECT

We recommend discarding the messages instead of rejecting them. Rejecting that
type of spoofed message will cause the sender whose address was forged (one of
your own users) to receive a bounced copy of the spam.

You will need to continue to monitor which emails your policy catches and
maintain the policy over time.


EDIT POLICY ROUTES

Even after you've moved into enforcing mode, you're likely to occasionally
encounter a legitimate message being blocked, perhaps due to IP address
changes. You may need to edit the outbound or pp_spoofsafe Policy Routes to
include new or changed exceptions. See section 3. Create Policy Exemptions in
this article for instructions on updating the policy route.


DO NOT ADD CONDITIONS TO THE RULE

Please do not tack on exceptions to the rule itself (for example AND sender IP
address does not equal...). Instead, use the policy routes to keep track of your
internal servers, partner servers, and other exceptions. Remember, the
anti-spoof policy works by blocking all mail which is not outbound but which
claims to be from one of your senders.


IMPACT OF SPAM RULES

Spam rules can cause delivery of spoofed messages to the End User's Digest,
where an unknowing end user may release them. This occurs when both the Email
Firewall anti-spoof rule and a Spam rule trigger on a particular message: the
mail will always be quarantined by the Spam module, as it has a higher
priority.

Have more questions on trigger priority? Check out our article Quarantine
Precedence Guidelines.

If your anti-spoof rules are set to Quarantine and then Discard, a custom spam
rule (created at Email Protection > Spam Detection > Custom Rules) can be
created to override the spam score of any message that triggers the anti-spoof
rule by leveraging the Triggered Rule condition. A rule configured like this
would have conditions similar to either:

 * Triggered Rule equals Anti-Spoof1 OR
 * Triggered Rule equals Anti-Spoof2.

Under Disposition, from the Action dropdown select Classify as Not Spam. This
will effectively Safelist any message that triggers an anti-spoof rule.

This should only be applied to rules that have a disposition of Discard.


 
Article Number
000014648
Title
[Email Protection (PPS/PoD)] Enable the Anti-spoof Rule: Prevent Spoofing and
Phishing Emails
URL Name
How-to-enable-the-Antispoof-policy
© 2023. All rights reserved.Terms and conditionsPrivacy Policy