Block email faking to be from our domain but coming from outside?

David Jones djones at
Fri Jun 8 12:40:10 UTC 2018

On 06/08/2018 07:18 AM, Remco Barendse wrote:
> Thanks for your reply!  These are not bulk spam messages, I'm talking 
> carefully engineered tailor made messages from someone imposing to be 
> myself and trying to persuade someone in finance to make a payment or 
> change bank details.
> That's why I would like to explore options to flag those messages. If 
> mail arrives from outside and our domain name is in the From: address 
> something is terribly wrong :)
> I don't think SpamAssassin would help much in that case?

Do you understand that MailScanner's primary method of scoring and 
blocking email is SpamAssassin?  MailScanner is basically a wrapper for 
SA with some extra checks like icing on the cake.  The cake is SA.

I have an SA rule that does the very thing you are needed to do:

header          __MSGID_ENA_FILTERED    Message-ID =~ /\@ena\.com>/
describe        ENA_MSGID_ENA_FILTERED  Message ID ends in a domain that 
ENA filters inbound
score           ENA_MSGID_ENA_FILTERED  8.2

If you showed me the headers of an example email, I could confirm or 
help you setup an SA rule that would block these fake emails.


> On Fri, 8 Jun 2018, David Jones via MailScanner wrote:
>> On 06/08/2018 04:35 AM, Remco Barendse wrote:
>>> See more and more messages incoming with fraud attempts. The mail is 
>>> constructed to look like from someone in our organization sent it and 
>>> is addressed to people within the organization.
>>> Is there any way to block email with a sender that pretends to be 
>>> coming from but coming from outside?
>>> I use Exchange and all real email is coming only from Exchange, never 
>>> from outside.
>>> What would be the right way to do it?
>>> Also, some companies sign incoming email messages with a one liner as 
>>> the very first line of an email like :
>>> How to do that ? I found that MailScanner can sign messages but only 
>>> at the bottom of an email?
>> This might be a better question for the SpamAssassin Users list but I 
>> can help anyway.  Please post an example with minimal redacting to 
>> and send us a link.  There are about a dozen or two 
>> things that that can be tuned in SpamAssassin but I have a feeling 
>> that you can use the Message-ID header to determine spoofed inbound 
>> messages.

David Jones

More information about the MailScanner mailing list