This article applies to:
- Trustwave MailMarshal (SEG)
- Trustwave ECM/MailMarshal Exchange
Question:
- What fields does SEG check for User Matching?
- Why is the "from" or "to" address shown in my email client not matched by SEG rules?
- Why is a spoofed message allowed to pass?
Information:
SEG rules use the following data when matching addresses:
- Where addressed from
  Except where addressed from
  Sender is/is not in recipient's safe/blocked list:
  - In Content Analysis rules (also known as Standard rules in earlier versions), these conditions check BOTH the originator address header field AND the envelope sender (return-path). The conditions trigger if either address is in the list you provided.
  - SpamProfiler exclusions at the Receiver also check both the header and return-path, and exclude the email from evaluation if either address is in the list.
  - In SEG Connection rules (also known as Receiver rules), the address conditions check only the return-path, because the header information is not available in the SMTP conversation when these rules are evaluated.
- Where addressed to
  Except where addressed to:
  - These conditions check ONLY the envelope information (RCPT TO). A header "To" field is not required by the standards for email formatting (RFCs).
Notes:
In many cases of legitimate email, the header sender field matches the return-path. However, this is not always true. For instance, mailing lists and role addresses (such as helpdesks) often use a return-path different from the visible From address.
When constructing a list of allowed or denied addresses, use the return-path and RCPT TO addresses to ensure good matching.
You can review message logs to determine the appropriate return-path and recipient addresses.
- In MailMarshal 6.9 and above, you can review the log for a message easily by viewing the message in the Console and selecting the Content Analysis Log tab.
- For earlier versions, you can see this information most easily if you have moved or copied the message and associated log to a folder.
The first line of the Content Analysis (Engine) log will appear in the following format:
Message From: <fromaddress@senderdomain.com>, Return-Path: <returnpath@senderdomain.com>, Recipients: recip@recipientdomain.com
The Return-Path recorded by SEG is the address that was used as the SMTP MAIL FROM: (in ECM, the From address assigned by Exchange).
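The following Python sketch is an added example, not Trustwave code: it parses the log line format shown above and models the sender matching this article describes, flagging messages that matched a list on the visible header From only. The function names, the sample addresses, the exact (non-wildcard) comparison, and the comma/semicolon recipient separator are assumptions.

```python
import re

# Pattern follows the sample first line of the Content Analysis log in this article.
LOG_RE = re.compile(
    r"Message From:\s*<(?P<hdr>[^>]*)>,\s*"
    r"Return-Path:\s*<(?P<rp>[^>]*)>,\s*"
    r"Recipients:\s*(?P<rcpts>.+)$"
)

def parse_first_line(line):
    """Extract header From, return-path (MAIL FROM) and RCPT TO addresses."""
    m = LOG_RE.search(line.strip())
    if not m:
        raise ValueError("not a Content Analysis log first line")
    # Assumption: multiple recipients are separated by commas or semicolons.
    rcpts = [r.strip(" <>").lower() for r in re.split(r"[,;]", m["rcpts"]) if r.strip()]
    return {"header_from": m["hdr"].lower(),
            "return_path": m["rp"].lower(),  # empty string for a null sender <>
            "recipients": rcpts}

def sender_hits(msg, address_list, rule_type="content"):
    """Which sender fields match the list (exact match only, a simplification).

    content: header From OR return-path; connection: return-path only.
    """
    listed = {a.lower() for a in address_list}
    hits = []
    if msg["return_path"] in listed:
        hits.append("return_path")
    if rule_type == "content" and msg["header_from"] in listed:
        hits.append("header_from")
    return hits

def review(line, address_list):
    """Flag messages that matched a list on the visible header only."""
    msg = parse_first_line(line)
    hits = sender_hits(msg, address_list)
    return {"msg": msg, "hits": hits, "header_only_match": hits == ["header_from"]}

# Constructed sample line: visible From is on the list, return-path is not.
SAMPLE = ("Message From: <helpdesk@example.com>, "
          "Return-Path: <bounce-77@lists.example.net>, Recipients: user@example.org")

if __name__ == "__main__":
    print(review(SAMPLE, ["helpdesk@example.com"]))
```

A `header_only_match` result marks an allow-list entry that a Content Analysis rule honors on the visible From address alone; the same entry does not match in a Connection rule, which sees only the return-path.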