Certain Spam emails fake the 'FROM:' email address, and change this to the same domain as the recipient. This may seem as if it the email is coming from a local user.
This issue is normally due to SPF not being configured correctly, or having addresses of your own domain in your whitelist.
GFI MailEssentials can be configured to block such emails as follows:
Note: Ensure that the 'Sender Policy Framework' module is configured to run at a higher priority than the 'Email\Domain\Auto Whitelist' module, since if the sending server is not authorized to send on behalf of that domain the email is likely to be spoofed. To modify your order module priorities perform the following:
- Open your GFI MailEssentials Configuration.
- Expand the Anti-Spam node
- Navigate to the Filter Priority node
- Ensure that the Sender Policy Framework module has a higher priority than the Email\Domain\Auto Whitelist module.
Ensure that the email address from which you are receiving the spoofed emails from is not listed within the GFI MailEssentials Whitelist as MIME From:. You can confirm this by performing the following:
- Open the GFI MailEssentials Configuration
- Expand the Anti-Spam dropdown
- Select the Anti-Spam Filters dropdown
- Click on the Whitelist node
- You can check if the email address is listed from the Whitelist tab. If the email address is defined as MIME From, then click the Remove button to remove the entry.
- Adding your local domain to the blacklist is intended when internal emails are not passing through GFI MailEssentials. In a normal email setup, internal emails will not be passing through GFI MailEssentials.
- You should not add your local domain to the blacklist if GFI MailEssentials is installed on the same machine as Microsoft Exchange server and local users are using an SMTP client (e.g. Outlook Express) to send their emails to internal recipients.