If spoofed email addresses follow a pattern, such as Employee.Name.dwu.edu@gmail.com, then a wildcard can be used to prevent similar future attacks.


Administration > Gateway > Policies > Blocked Senders




After blocking an offending address, go to Administration > Message Center > Held Messages and then search for the offending messages, select them, and Reject > Block for Recipient. This ensures the user will not manually release the message.


To prevent future attacks, attached is an Excel spreadsheet of current employee usernames. It can be used to quickly create additional filter rules by modifying the spreadsheet to match spoofing addresses and uploading it here:


Administration > Directories > Profiles > Profile Groups > Blocked Senders > Build > Group List imports (However, Profile groups do not support wildcards. Only Gateway Policies support wildcards.)


Alternatively, this spreadsheet could be modified to create broader gateway policies if we continue to encounter employee usernames with some string appended, like this:


Employee.Username[spamstring]@domain.com


Wildcards should be used thoughtfully because they can result in overly broad blocking. In Mimecast, wildcards are only supported at the beginning of a username or domain name (not the end); for example, Mimecast does not recognize Employee.Username*@domain.com as a valid address, hence the necessity of this spreadsheet.


Group Override should be set to Add to Existing Entries, otherwise the current entries of the profile group will be deleted and replaced with the contents of the uploaded spreadsheet. (If you want to be safe, you can export the existing profile group prior to importing new entries.)



There is a delay of nearly a minute when uploading this spreadsheet and clicking "Preview Changes".


There is another delay of nearly a minute after clicking "Accept Import" before the addresses appear in the specified profile group.


If the attached spreadsheet needs to be re-created in the future after employee turnover has occurred, this XML file of current employees can be downloaded and opened in Excel:


http://www2.dwu.edu/interface/xmldirectory.ashx


Then delete unnecessary columns and do a Find/Change All... on the employees' email addresses. Save as an .xls file (not .xlsx) and insert "email" (case sensitive, without quotes) in the topmost column entry. The other column entries need to be of the form username@domain.com
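
As an added example (not part of the original procedure), this Python sketch builds the single-column import list from employee addresses, applying the Employee.Name.dwu.edu@gmail.com pattern described at the top of this page. The function names, the sample addresses and the CSV output (to be opened in Excel and saved as .xls as described above) are assumptions made for illustration.

```python
import csv
import io
import re

# Plain username@domain.com form; no wildcards, since profile groups reject them.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def spoof_variant(employee_address, spoof_domain="gmail.com"):
    """Employee.Name@dwu.edu -> Employee.Name.dwu.edu@gmail.com (pattern from the page)."""
    local, _, domain = employee_address.strip().partition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {employee_address!r}")
    return f"{local}.{domain}@{spoof_domain}"


def build_import_rows(employee_addresses, spoof_domain="gmail.com"):
    """Return (rows, rejected): rows start with the case-sensitive 'email' header."""
    rows, rejected, seen = ["email"], [], set()
    for addr in employee_addresses:
        try:
            candidate = spoof_variant(addr, spoof_domain)
        except ValueError:
            rejected.append(addr)
            continue
        key = candidate.lower()
        if not ADDRESS_RE.match(candidate):
            rejected.append(addr)      # e.g. wildcard or embedded whitespace
        elif key not in seen:          # skip duplicates (case-insensitive)
            seen.add(key)
            rows.append(candidate)
    return rows, rejected


def to_csv(rows):
    """Single-column CSV text for opening in Excel."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows([r] for r in rows)
    return buf.getvalue()


# Constructed sample input, not real directory data.
SAMPLE = ["Jane.Doe@dwu.edu", "jane.doe@dwu.edu", "John.Smith@dwu.edu",
          "*@dwu.edu", "no-at-sign"]

if __name__ == "__main__":
    rows, rejected = build_import_rows(SAMPLE)
    print(to_csv(rows), end="")
    print("rejected:", rejected)
```

Rejected inputs are returned rather than silently dropped so they can be reviewed by hand before the import.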