Overview
You have enabled Anti-Spoofing, but you continue to see spoofed spam emails from a particular IP address, such as the localhost (127.0.0.1), getting stuck in the mail queue with errors like “4.4.2 Connection Lost.”
Solution
This issue can occur when the emails are being relayed from an IP address contained in one of the IP address group exceptions in your Security Configuration, such as the default "Local Clients" group. In some cases, this is the result of a compromised device within your network.
To help mitigate this issue while you investigate the source of the messages, follow the steps below:
- Make the following adjustments to prevent new spam emails from reaching the message queue:
  - Navigate to Web Admin > Configuration > SMTP Server > Relay Control:
    - Disable “Users from IP address Group”.
    - Enable “Users authenticated through SMTP for outgoing mail”.
  - Navigate to Web Admin > Configuration > Security > Security Policy:
    - Disable “Allow unsecured authentication from IP Address group”.
  - Navigate to Web Admin > Configuration > Security > Sender Policy:
    - Disable “Never Reject Messages from this IP address group”.
- Manually clear the Message Queue.
- Monitor the Message Queue for new messages.
Testing
After the IP address group exceptions have been removed, the Message Queue should no longer fill with these spoofed spam messages. It is suggested that you then follow the steps in Detecting Compromised Servers Used for Spamming to isolate the source of the spam messages.
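While monitoring the queue, it helps to know which internal client is pushing the unauthenticated relays that end up deferred with 4.4.2. The script below is an added example and is not part of this article or of the mail server product; the log layout it parses (`client=<ip> auth=<yes|no> status=<text>`) and the sample lines are constructed for illustration, not the product's own log format. It counts deferred, unauthenticated submissions per client IP, restricted to loopback and RFC 1918 ranges, which is where a “Local Clients” style exception would have let them through.

```python
"""Count deferred, unauthenticated relay attempts per local client IP.

Added example; the log format and sample lines below are constructed
and are not the format of the mail server discussed in the article.
"""
import ipaddress
import re
from collections import Counter

# Assumed log layout (constructed for this example):
#   <date> <time> <queue-id> client=<ip> auth=<yes|no> status=<text>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<qid>\w+) client=(?P<ip>[\d.]+) "
    r"auth=(?P<auth>yes|no) status=(?P<status>.*)$"
)

# Constructed sample: two local sources relaying without auth and deferring.
SAMPLE_LOG = """\
2024-01-01 10:00:01 A1 client=127.0.0.1 auth=no status=deferred (4.4.2 Connection Lost)
2024-01-01 10:00:02 A2 client=127.0.0.1 auth=no status=deferred (4.4.2 Connection Lost)
2024-01-01 10:00:03 A3 client=192.168.1.57 auth=no status=deferred (4.4.2 Connection Lost)
2024-01-01 10:00:04 A4 client=203.0.113.9 auth=yes status=sent
2024-01-01 10:00:05 A5 client=192.168.1.57 auth=no status=deferred (4.4.2 Connection Lost)
2024-01-01 10:00:06 A6 client=192.168.1.20 auth=yes status=sent
"""

LOCAL_NETS = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_lines(text):
    """Yield one dict per log line that matches the assumed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def unauthenticated_deferrals(text, local_nets=LOCAL_NETS):
    """Count 4.4.2 deferrals per client IP where the client did not
    authenticate over SMTP and sits in a loopback/private range."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    counts = Counter()
    for rec in parse_lines(text):
        ip = ipaddress.ip_address(rec["ip"])
        if (rec["auth"] == "no"
                and "4.4.2" in rec["status"]
                and any(ip in n for n in nets)):
            counts[rec["ip"]] += 1
    return counts


def suspect_sources(text, threshold=2):
    """Client IPs at or above the threshold, sorted for stable output."""
    return sorted(ip for ip, n in unauthenticated_deferrals(text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for ip, n in unauthenticated_deferrals(SAMPLE_LOG).most_common():
        print(f"{ip:<16} {n} deferred unauthenticated relays")
```

A loopback client address points at a process running on the mail server host itself rather than another machine on the LAN, so it narrows the search for the source described in Detecting Compromised Servers Used for Spamming.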