The message is clearly a spam message and is delivered to the intended recipient with a verdict "System allowed email address or domain". This can be seen in the Message Audit Logs.
- The message comes from a domain that is spoofed.
- The message comes from a domain that is in the "Allowed Senders (Domain based)" list. This list is under > Spam > Sender Groups.
If the spoofed email domain is on the "Allowed Senders (Domain based)" list (e.g. Yahoo.com) the Allowed Senders list will take precedence and the email will be delivered. Unless the action for Spam messages is set to delete spams, in which case the 'Delete' action will take precedence.
The feature works as designed.
It is possible to refine the Allowed Senders list.
More information can be found in the Symantec Mail Security Appliance Version 7.6 Administration Guide
Chapter 3 "Configuring spam filtering",
"Configuring sender groups"
"Adding senders to Allowed Senders Lists"
The Administration guide can be found here:
If you can determine the IP address of the spammer who is 'spoofing' this email address, then you can add the IP address
into the 'Blocked Senders (IP Based)' sender group. The order of precedence for antispam checks will examine the IP address
of the sender first before checking to see if the email address is whitelisted.
To add an IP address to the Blocked Senders list, please see the Symantec Mail Security for SMTP 5 (or Appliance) Administration Guide.
'Brief descriptions of the attributes in the Allowedblockedlist.txt'
Symantec does not recommend whitelisting your own domain by domain name. Using a return address which includes a spoofed address at the target domain is a common tactic which spammers use.