
Document information

Document ID: 5171
Subject: Outbound Forgery Alerts
Creation date: 10/25/17 7:33 AM
Last modified on: 10/25/17 7:33 AM


Outbound Forgery

It is very common for emails to go out unnoticed from a network. Some of these emails can be considered forged by the receiving end, which could lead to getting your IP address blacklisted on public RBL servers. Consider the following examples:

Example 1:

  • Assume you use MS Exchange as your primary server and Xeams is sitting on the edge handling inbound as well as outbound emails.
  • John is a local user in MS Exchange and likes to use his Gmail account to view his emails. John has created a server-side rule in Exchange that forwards every incoming email to his Gmail account (john.doe@gmail.com).
  • If he gets an email from jane.doe@yahoo.com, Exchange will deliver that message to John's Gmail account without any further modification.
  • Gmail will see a message that appears to be sent from jane.doe@yahoo.com but came from your IP address, rather than Yahoo's designated IP.
  • This message will be treated as a forgery, and can potentially get your IP address blacklisted in public RBL servers.

Example 2:

  • You have a web application where users sign up using their foreign email address (gmail.com, yahoo.com and others).
  • This web application sends emails inviting friends of the existing user.
  • To give a personal touch, these invitations go out as if the original user sent them. This means the sender of the email will contain gmail.com or something similar.
  • This message will be treated as a forgery, and can potentially get your IP address blacklisted in public RBL servers.

Companies like LinkedIn and Facebook once used this technique to send invitations that would appear to have come from a friend. Although they do not use the same technique anymore, many smaller companies are still doing it without realizing the repercussions of this method.

Example 3:

  • A computer within your network is infected with a virus and is now sending outbound emails.
  • It is sending emails with arbitrary values for the sender's domain.


Forgery Alerts

Starting with v6.1 of Xeams, an alert is sent to the administrator's email address when an outbound email containing a forged sender is detected. This allows administrators to take preventive measures before the public IP address gets blacklisted on RBL servers.

These alerts can be snoozed for 24 or 48 hours.

What can I do if I get these alerts?

Every alert generated by Xeams will have three values:

  1. Recipient's email address
  2. Sender's email address
  3. Subject

The most useful piece of information among these three fields is the sender's domain name. These alerts are generated when the sender's domain name is not a local domain within Xeams.

The root cause of these alerts can be divided into three categories:

  • Category 1 - False alarm: The sender's domain name is in fact a local domain, but Xeams is not configured correctly. In this case, ignore the alert and add the domain name under Smtp Configuration. Click the Domains tab to add a value.
  • Category 2 - Forwarder: A local user tried sending an email or is forwarding his/her messages to a different domain. This category corresponds to Example 1 above. There are a few options in this case:
    • Add your public IP address to the SPF record of the sender's domain. This way it won't be considered a forgery.
    • Ask the user not to forward his/her messages.
    • Use Xeams' Distribution List feature instead, which uses a local domain in the envelope MAIL FROM field, which will satisfy the SPF lookup on the receiving end. This method, however, will cost you an extra license.
  • Category 3 - Misuse: In this case, try searching for the message in Xeams' Message Repository using either the sender's or recipient's email. Then, check the source of the message by looking at the Received headers. If you don't recognize the IP address, sender or recipient's email address, it is very likely someone is misusing your server.

    Contact Synametrics' support department if you are not able to figure out the source of this message on your own.
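
The Received-header check described under Category 3 can be scripted for triage. The following is an added example, not Xeams or Synametrics code. The domain list, IP addresses, host names, the sample message and the bracketed-IP Received format are all assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Assumed site values, constructed for this example (not taken from Xeams).
LOCAL_DOMAINS = {"example.com"}
MAIL_SERVERS = {ipaddress.ip_address("10.0.0.10")}  # e.g. the Exchange host
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def submitting_ip(msg):
    """Return the IP of the host that handed the message to the edge server.

    Assumes the topmost Received header was added by your own edge server
    and carries the client IP in brackets; older headers below it can be
    written by any sender.
    """
    received = msg.get_all("Received") or []
    for candidate in BRACKETED_IP.findall(received[0] if received else ""):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue  # bracketed text that is not an IP literal
    return None

def triage(alert_sender, raw_message):
    """Map an alert's sender plus the stored message source to a next step."""
    domain = alert_sender.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "local sender domain: no forgery alert expected"
    ip = submitting_ip(message_from_string(raw_message))
    if ip is None:
        return "no IP in topmost Received header: inspect manually"
    if ip in MAIL_SERVERS:
        return "known mail server: likely a forwarder (Category 2)"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal host, not a mail server: check that machine"
    return "unrecognized IP: possible misuse (Category 3)"

# Constructed sample: a yahoo.com message forwarded by the Exchange host.
SAMPLE = (
    "Received: from exch01.example.com ([10.0.0.10]) by xeams.example.com\n"
    "Received: from mta.example.net ([203.0.113.7]) by exch01.example.com\n"
    "From: Jane Doe <jane.doe@yahoo.com>\n"
    "To: john.doe@gmail.com\n"
    "Subject: Lunch\n\nHi John\n"
)
```

An internal address that is not one of your mail servers matches the infected-computer scenario in the examples above, so the machine at that address is the place to look first.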



