I would like to know how to configure anti-spoof in McAfee Security for Exchange 8.5.
Users are receiving mail that seems to be sent by co-workers (because the mail-address ends with an accepted domain).
In fact it is a spoofed mail-address with an attachment, which has an infected file in it.
I would like to configure McAfee Security for Exchange in such a way that only mail ending in an accepted domain is received from the IP addresses I configure.
So I think I should configure the internal IP address of the mailserver and several internal MFPs which send scanned documents by mail to the users.
I have been searching the web, but was not able to find an answer so far.
Any help would be appreciated.
MSME doesn't have a way to tell if an email has been spoofed. That is something you could try configuring within Exchange. However, from the MSME side you could try the following:
--just make sure to thoroughly test this before putting it into production.--
This does require the anti-spam component to be installed.
Under the Gateway policy create a sub-policy and in the sub-policy add these rules - 'the smtp address of the sender is', 'the smtp address of the recipient is', and specify your email domain for both. Also select 'All rules apply' and save.
Then click on the sub-policy \ anti-spam. Select to not use configuration from the parent. Then enable the antispam and click on edit under the Options section. Uncheck the 'use default' box for the low score and set it to 1 and save.
On the anti-spam page click edit under the actions section and set the low score to delete message and quarantine. Then click apply.
What this will do is look at all incoming emails and see if the sender and recipient are from your domain, and if so it will scan the email for spam, and if it gets a score of 1 or greater it will remove the message. You can adjust the score down further to .01 if needed.
Also, this policy will only trigger as long as the email is seen as coming from an anonymous source; otherwise the policy won't get called. That means it won't trigger on emails actually sent from internal users. However, if you have a 3rd party server that is sending emails internally, it could trigger this rule since it would be sending emails over port 25 to the hub/edge server, which would be seen as inbound emails.
The other option I would do is to turn on IP and message reputation, set the message reputation score to 50, and leave the IP score at default.
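For the testing step mentioned in the reply, the following is an added example (not part of either post and not McAfee or Exchange code) that dry-runs the sub-policy's match condition over a log export to show which senders would fall under the low spam threshold, including legitimate internal relays. The domain, the trusted IP list, the CSV column names, and treating "anonymous source" as "client IP not in the trusted list" are all assumptions; the log rows are constructed.

```python
import csv
import io
import ipaddress

# Assumptions (not from the thread): accepted domain, trusted sources, column names.
ACCEPTED_DOMAINS = {"example.com"}
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.0.0.25/32", "10.0.5.0/28")]

# Constructed sample of inbound SMTP receive events.
SAMPLE_LOG = """sender,recipient,client_ip
alice@example.com,bob@example.com,10.0.0.25
scanner@example.com,bob@example.com,10.0.5.3
ceo@example.com,bob@example.com,203.0.113.77
news@partner.example.net,bob@example.com,198.51.100.9
app@EXAMPLE.com,carol@example.com,10.0.9.40
bad-row,bob@example.com,not-an-ip
"""

def domain_of(address):
    """Return the lower-cased domain part, or None if the address is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep and local and domain else None

def is_trusted(ip_text):
    """True if the client IP parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_SOURCES)

def matched_by_rule(log_text):
    """Rows where sender and recipient are both internal but the source is untrusted."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        internal_sender = domain_of(row["sender"]) in ACCEPTED_DOMAINS
        internal_rcpt = domain_of(row["recipient"]) in ACCEPTED_DOMAINS
        if internal_sender and internal_rcpt and not is_trusted(row["client_ip"]):
            hits.append((row["sender"], row["client_ip"]))
    return hits

if __name__ == "__main__":
    for sender, ip in matched_by_rule(SAMPLE_LOG):
        print(f"would be scanned at low threshold: {sender} from {ip}")
```

In the sample, the row from 10.0.9.40 stands in for an internal application server that is missing from the trusted list, the kind of source the reply warns could trigger the rule.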