ESET Online Help


Sender spoofing protection

Email sender spoofing is a common practice in which an attacker forges the sender's name or email address in an attempt to deceive the recipient. To the recipient, a spoofed email appears indistinguishable from a genuine one, which poses a risk. One type of sender spoofing is called CEO fraud (the attacker impersonates the CEO).

Employees would not question such an email, allowing the attacker to succeed. This is not exclusive to the CEO; sender spoofing often impersonates any real sender, usually a person within the Active Directory of your organization. A spoofed email message then looks very convincing to an unsuspecting recipient, easily gaining trust.

ESET Mail Security provides you with protection against this type of threat. Sender spoofing protection verifies whether the sender's information is valid using several methods.

Sender spoofing protection looks for the domain contained in the "From:" email header field and the Envelope sender, then compares the domain it finds against the domain lists. If the domain does not match any domain on the lists, the message is considered valid (not spoofed) and is further processed by other ESET Mail Security protection layers. However, if the domain matches a domain on the list, the message may be spoofed and requires further verification.

Further verification depends on the setting: an SPF check is performed, the Envelope IP address is checked against the IP lists, or the message is automatically considered spoofed. If the SPF check result is pass, or the Envelope IP matches an IP from the list, the message is valid; if not, it is spoofed. An action is taken with the spoofed message.

You can use sender spoofing protection in two ways:

Enable Sender spoofing protection, configure its settings and optionally specify domains and IP lists. The default action for spoofed email messages is Quarantine message. To change what action is taken, go to Mail transport protection advanced settings.

Utilize Mail transport protection rules, using the "SPF result - From header" condition or the "Envelope sender and From header comparison result" condition with an action of your choice. Rules provide you with more options and combinations if you want to achieve specific behavior regarding spoofed email messages.

When Sender spoofing protection is used, or if the rule action type Log to events is specified, all messages that have been evaluated by Sender spoofing protection are recorded in the Log files. Similarly, you can find spoofed email messages in Mail Quarantine when the action is set to Quarantine message in Mail transport protection or defined in rules.

Enable sender spoofing protection

Activate the sender spoofing protection to prevent email attacks that try to mislead the recipients about the origin of the message (spoofed sender).

Enable incoming email with my own domain in the sender address

Allow messages that contain your own domain in the "From:" email header or Envelope sender (thus suspected as being spoofed) to be further verified:

Only when they pass the SPF check – relies on SPF being enabled. If the SPF result is pass, the message is considered valid and processed for delivery. If the SPF result is fail, the message is spoofed (action takes place). Optionally, you can enable Automatically reject messages if SPF check fails.

Only when IP is on the infrastructure IP list – compares the Envelope IP address against the IP lists (List of my own IP addresses and the Ignored IP list marked as Is part of internal infrastructure). If the IP is a match, the message is valid and processed for delivery. If the IP does not match, the message is spoofed (action takes place).

Never – if an incoming message contains your own domain in "From:" email header or Envelope sender, it is automatically considered spoofed without being further verified. An action is taken with the message; see Mail transport protection for action options.

Automatically load my own domains from the Accepted domain list

We highly recommend that you have this option enabled to keep the highest level of protection. This way, the domains and IP addresses from your infrastructure are considered during evaluation by sender spoofing protection.

List of my own domains

Domains considered to be your own. Add domains that will be used during the evaluation, in addition to the automatically loaded domains from your Active Directory. Sender's domain(s) will be compared against the domains in these lists. If the domain does not match, the message is valid. If the domain is a match, further verification is performed according to the Enable incoming email with my own domain in the sender address setting.

List of my own IP addresses

IP addresses that are considered credible. Add IP addresses that will be used during the evaluation, in addition to the IPs on the Ignored IP list marked as Is part of internal infrastructure. Sender's Envelope IP address is compared against the IPs in these lists. If the Envelope IP address is a match, the message is valid. If the IP does not match, the message is spoofed, and an action takes place.
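
The evaluation flow described on this page (domain comparison, then verification according to the Enable incoming email with my own domain in the sender address setting) can be modelled as follows. This is an added example, not ESET code; the mode names, list contents and sample messages are constructed for illustration, and exact domain matching is an assumption.

```python
import ipaddress
from email.utils import parseaddr

# Constructed sample lists (placeholders, not values from the product).
OWN_DOMAINS = {"example.com"}                      # "List of my own domains"
OWN_IPS = {ipaddress.ip_address("192.0.2.10")}     # "List of my own IP addresses"

def domain_of(value):
    """Lower-cased domain of a "From:" header value or an Envelope sender."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def evaluate(from_header, envelope_sender, envelope_ip, spf_result, mode):
    """Return "valid" or "spoofed" for one incoming message.

    mode is a hypothetical name for the chosen verification setting:
    "spf", "ip_list" or "never".
    """
    sender_domains = {domain_of(from_header), domain_of(envelope_sender)}
    # Exact domain matching is an assumption; the page does not cover subdomains.
    if not sender_domains & OWN_DOMAINS:
        return "valid"            # not an own domain: other layers take over
    if mode == "spf":
        return "valid" if spf_result == "pass" else "spoofed"
    if mode == "ip_list":
        on_list = ipaddress.ip_address(envelope_ip) in OWN_IPS
        return "valid" if on_list else "spoofed"
    if mode == "never":
        return "spoofed"          # own domain is never accepted from outside
    raise ValueError(f"unknown mode: {mode!r}")

# Constructed messages: (From header, Envelope sender, Envelope IP, SPF result)
SAMPLES = [
    ('"Partner" <sales@partner.test>', "sales@partner.test", "203.0.113.5", "pass"),
    ('"CEO" <ceo@example.com>', "bounce@mailer.test", "203.0.113.5", "fail"),
    ('"CEO" <ceo@example.com>', "ceo@example.com", "192.0.2.10", "pass"),
]

def run_samples(mode):
    """Verdict for each constructed sample under the given mode."""
    return [evaluate(*msg, mode) for msg in SAMPLES]

if __name__ == "__main__":
    for mode in ("spf", "ip_list", "never"):
        print(mode, run_samples(mode))
```

The third sample shows the operational cost of the Never setting: a message that passes both the SPF and IP checks is still treated as spoofed because it carries your own domain.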