Gordon Tin

How can I stop spam emails which contain proper MX, A, TXT SPF?

Background

1. Exchange 2016

2. Symantec Mail Security for Microsoft Exchange

      Transport agents, including Sender ID, installed


Recently, we received spam from MANY .co domains. After checking, we noticed that the domains have proper MX, A, and TXT SPF records, and the MX is from Google.

So these spam emails look like normal email.

Any idea how I can stop this kind of spam email?




Last Comment
Gordon Tin

8/22/2022 - Mon
David Favor

The fix is to do these checks, then refuse submission/acceptance of any email that fails any test.

1) IPrev

2) SPF DNS record missing

3) SPF failure

4) DKIM DNS record missing

5) DKIM Signature missing in message

6) DKIM Signature failed in message (message has changed or has incorrect/bogus signature)

7) DMARC - If DMARC record is configured correctly, return a DMARC report to sender about problem(s) encountered.

8) In SMTP response, clearly state problem. You'll have to determine if you return a 4XX (give them time to fix the problem) or 5XX (they must fix their problem + arrange to do a resend).
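
One way to turn checks 1 to 6 above into an SMTP response, shown as an added example that is not part of the original answer. It reads an RFC 8601 `Authentication-Results` value; the function names, the sample values, and the choice of 451 for `temperror` and 550 for every other non-pass result are assumptions of this example.

```python
import re

# Checks 1-6 of the answer, in its order; DMARC reporting (7) is out of scope.
CHECKS = ("iprev", "spf", "dkim")

def parse_auth_results(value):
    """Map method -> result for an RFC 8601 Authentication-Results value."""
    value = re.sub(r"\([^)]*\)", "", value)      # strip (comments)
    results = {}
    for clause in value.split(";")[1:]:          # element 0 is the authserv-id
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        if results.get(method) != "pass":        # any passing DKIM signature wins
            results[method] = result
    return results

def smtp_verdict(value):
    """Return (code, text) to give the sending server (hypothetical policy)."""
    results = parse_auth_results(value)
    for method in CHECKS:
        result = results.get(method, "none")     # no clause: record/signature missing
        if result == "pass":
            continue
        if result == "temperror":                # transient DNS error: sender may retry
            return 451, f"4.7.0 {method} check temporarily failed, try again later"
        return 550, f"5.7.1 {method}={result}, message refused"
    return 250, "2.0.0 accepted"

# Constructed samples using reserved documentation names and addresses.
SAMPLES = {
    "all pass": "mx.recipient.example; iprev=pass policy.iprev=192.0.2.10;"
                " spf=pass smtp.mailfrom=sender.example;"
                " dkim=pass header.d=sender.example",
    "no spf record": "mx.recipient.example; iprev=pass; spf=none;"
                     " dkim=pass header.d=sender.example",
    "unsigned": "mx.recipient.example; iprev=pass; spf=pass",
    "bad signature": "mx.recipient.example; iprev=pass; spf=pass;"
                     " dkim=fail (body hash mismatch) header.d=sender.example",
    "dns timeout": "mx.recipient.example; iprev=pass; spf=temperror",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} -> {smtp_verdict(value)}")
```

The "all pass" sample is accepted with 250, as any sender with correct DNS records and a valid signature would be under these checks.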
ASKER CERTIFIED SOLUTION
Dr. Klahn

arnold

It seems what you are looking for is content-based filtering.
Look at the Symantec mail security options to see whether you can develop a pattern, or whether it includes a statistical type of content analysis (Bayesian).
You would need to check which options you currently have enabled.
Gordon Tin

ASKER
I finally blocked all .co, with an exception for the wanted .co domain.