Getting bounced messages that didn't send

rabngl
Level 1

Hello,

One of my users got many bounce messages for emails that he didn't send. Those bounce messages were rejected because they contain malware. I checked on Cisco ESA and I didn't find that the user had sent that email.

Can anybody explain how this could happen, and are there any security controls to prevent this?


Thanks.

3 Replies

It's called Bounce Verification.



Set up a profile under Network/Bounce Profiles.

You set up a destination or the default under Mail Policies / Destination Controls so messages going out get marked as coming from you.

And then enable Bounce Verification under Mail Policies / Bounce Verification so that messages bouncing in that don't have your tag can be dealt with as appropriate.



Check out the help, lots of info there.

Thanks for the feedback. I will check what you suggested.

I figured out this happened because the spammer spoofed the user's email address (FROM field) and sent malicious emails to other domains.
Is there any way that we can prevent this? I already have SPF configured. Please advise.

Thanks.

You need to publish SPF, DKIM and DMARC records...

Whoever is getting the spam needs to configure their stuff to look that up and react appropriately, which you can't control...

Which leaves you still dealing with the messy aftermath via bounce verification.
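
An added example, not part of the thread and not Cisco's implementation: the tagging idea behind bounce verification, sketched in Python. Outgoing envelope senders get a keyed, expiring tag, and an incoming bounce is accepted only if its recipient carries a valid one. The `prvs=` layout, the key, the lifetime and the sample addresses are assumptions constructed for the illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: per-site secret, never published
TAG_LIFETIME_DAYS = 7              # assumption: how long a tag stays valid


def _mac(day: int, address: str) -> str:
    """Short keyed hash binding the expiry day to the original sender."""
    msg = f"{day:03d}{address.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:8]


def tag_sender(address: str, today: int) -> str:
    """Rewrite the envelope sender (MAIL FROM) of an outgoing message."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + TAG_LIFETIME_DAYS) % 1000
    return f"prvs={expiry:03d}{_mac(expiry, address)}={local}@{domain}"


def check_bounce(rcpt: str, today: int) -> tuple[bool, str]:
    """Validate the recipient of a message that arrived with MAIL FROM:<>."""
    local, _, domain = rcpt.rpartition("@")
    if not local.startswith("prvs="):
        return False, "no tag: we never sent the original"
    tag, sep, orig_local = local[5:].partition("=")
    if not sep or len(tag) != 11 or not tag[:3].isdigit():
        return False, "malformed tag"
    expiry, original = int(tag[:3]), f"{orig_local}@{domain}"
    if not hmac.compare_digest(tag[3:], _mac(expiry, original)):
        return False, "bad signature: forged or altered tag"
    if (expiry - today) % 1000 > TAG_LIFETIME_DAYS:
        return False, "tag expired"
    return True, original   # deliver the bounce to the untagged address
```

A bounce caused by a spoofed message is addressed to the plain user address, so it fails the first check, which is the case described in this thread.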