How to block incoming mail with internal domain as sender
09-18-2007 11:44 AM
Hi all,
IronPort accepts incoming mail to internal domains defined in the RAT without verifying whether the sender domain is the same internal domain.
To avoid this I have used a message filter to drop those mails. I can't use the bounce command, to avoid being considered a spammer.
Is there a way to reject those mails with a 5xx error message?
Thanks in advance.
Regards,
Andrea
09-18-2007 11:57 AM
Hi Andrea,
Do you try to avoid domain spoofing? If so, think about using exception lists. Put your own domains in the exception with reject (you can define the error code) and activate the lists in the sender groups.
That works fine for us.
Cheers,
Joerg
09-18-2007 01:25 PM
Securegroup,
jloehler is absolutely correct. When I configure appliances (personally I use a 1 listener config), I set the Default Mailflow Policy to Use the Exception Table ("On") and ensure that all incoming mail policies (anything with the ACCEPT action) are set to "Use Default" for this parameter. Then I double check to ensure that the RELAY policy is set to "Off", because you don't want to reject outbound messages due to the Exception Table.
Once I've verified that the RELAY is off and Inbound policies are "On", I then populate my exception table with all the internal domains and specify the reject action. Now, a quick takeaway is that the Exception Table only performs the rejection based on the SMTP MAIL FROM, not the "From:" header internal to the message itself.
Now, with all that said, it never fails that there is some internal group that uses 3rd party marketing which spoofs the internal domains, so I usually create a new incoming mail flow policy with the Exception Table turned "Off" and create a Sender Group called DOMAINSPOOFLIST, which are IPs and domain names that I allow to spoof internal e-mail addresses, with the new mail policy assigned to it.
And that's it.
Sincerely,
Jay Bivens
IronPort Systems
09-18-2007 02:00 PM
Thanks to all. It works :D
Regards,
Andrea

06-07-2013 11:18 PM
There is another solution, tested successfully on my environment:
Add a new filter script to the IronPort to drop this type of spoof attack.
Use a terminal console session to access the appliance:
Filters
NEW
spoof: if (mail-from == "@Domain\\.com$")
       and (rcpt-to == "@Domain\\.com$")
{
    drop();
}
.
Commit
.
06-10-2013 03:57 AM
Here is some more information about the Anti-Spoofing message filter. The advantage here is that the filter is able to check on the 'From:' header. The exception list only checks data in the MAIL FROM command.
Article #115: How do I stop people from spoofing mail from my domain? Link: http://tools.cisco.com/squish/D5D5E
Regards,
Enrico
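
The gap discussed in this thread (the Exception Table looks only at the envelope MAIL FROM, a message filter can also look at the "From:" header, and a DOMAINSPOOFLIST sender group exempts approved third-party senders), modelled in Python as an added example. It is not part of the original thread and is not AsyncOS code; example.com, the IP addresses and the sample messages are constructed, and the exemption is modelled by IP only.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumption: your own domain(s)
DOMAINSPOOFLIST = {"192.0.2.25"}     # constructed: approved third-party sender IPs


def domain_of(addr):
    """Lower-cased domain part of an address, '' for a null or invalid sender."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify(remote_ip, mail_from, raw_message):
    """Name the check that would stop the message:
    'allowed-spoofer', 'envelope', 'header' or 'pass'."""
    if remote_ip in DOMAINSPOOFLIST:
        return "allowed-spoofer"     # policy with the Exception Table off
    if domain_of(parseaddr(mail_from)[1]) in INTERNAL_DOMAINS:
        return "envelope"            # all the Exception Table can see
    msg = message_from_string(raw_message)
    senders = getaddresses(msg.get_all("From", []))
    if any(domain_of(addr) in INTERNAL_DOMAINS for _, addr in senders):
        return "header"              # visible only to a From: header filter
    return "pass"


# Constructed samples: (connecting IP, SMTP MAIL FROM, message as received)
SAMPLES = [
    ("203.0.113.7", "<bob@example.com>",
     "From: Bob <bob@example.com>\nTo: alice@example.com\n\nhello\n"),
    ("203.0.113.7", "<bounce@mailer.test>",
     'From: "IT Helpdesk" <helpdesk@EXAMPLE.com>\nTo: alice@example.com\n\nhello\n'),
    ("192.0.2.25", "<news@example.com>",
     "From: News <news@example.com>\nTo: alice@example.com\n\nhello\n"),
    ("203.0.113.7", "<carol@evil-example.com>",
     "From: carol@evil-example.com\nTo: alice@example.com\n\nhello\n"),
]


def run_samples():
    """Classify every constructed sample, in order."""
    return [classify(ip, sender, raw) for ip, sender, raw in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(f"{sample[0]:<12} {sample[1]:<28} -> {verdict}")
```

The second sample is the case the Exception Table alone does not catch: an external envelope sender with an internal address in the "From:" header.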
