Most Common Support Issue: Whitelist = Spoofed Spam

No one likes to see spam in their Inbox, especially when it comes from themselves! Users often get confused and even worry that their identity has been stolen. The main cause for this is that they have whitelisted their own email address to bypass scanning for outbound traffic. Users do not realize (or understand) that spammers can spoof their email address and send spam that appears to be from themselves.

There are two parts of an email message that contain address information: the header and the envelope. In the envelope, you will see the sender’s email address (can also be forged) but the envelope is not shown when you view the email through your mail client. The mail client only shows the header information. This is where the spammer can get creative and enter any From or To email address they like, so this is where and how the recipient’s email address appears as the From address. This is a pretty sneaky way to get past spam filters when people whitelist their own email addresses.

Sample Header:

The red portion shows envelope information versus the blue text where the header info can be manipulated to show what you wish.

Example:

This is the body:

Here are a few recommendations for administrators to help reduce spoofed spam:

The best practice is to educate your users: send them an email explaining how and what can cause spam to pass.

Create an SPF record for your domain. This will only be useful if the server that relays the spam message is actually doing an SPF check. More information about how to set this up is available here: www.openspf.org

Check your server for whitelisted addresses: Remove all entries that include your own (local) domain names or email addresses

Setup DKIM, which adds a signature to the header of outgoing emails to show that they actually (and legitimately) originate from that server. More information is available here: http://www.dkim.org/