davidenco, posted March 5, 2018

I am using Mail Security for Exchange 6.5 together with Exchange Server 2013. This morning we received an email to our accounts team apparently from the MD asking them to transfer £10,000 to a UK sort code and account number in the email to setup a new client. The sender's email address is FirstName@OurDomain.co.uk. This is not a valid email address in our Active Directory. The Reply-To address (from the headers) is FirstName@OurDomain.co.uk-9.eu. The originating domain and IP address is not included in our SPF record.

Am I right in thinking that an email that uses our domain in the "from" field but originates from a server that is not included in our SPF record should cause the SPF check to fail? It didn't, and because SPF checking did not fail, Greylisting was not performed either (as per the default configuration).
filips (ESET Staff), posted March 7, 2018 (edited March 7, 2018 by filips)

Hi davidenco,

The SPF check is evaluated using the domain from HELO or MAIL FROM. It does not protect you against spoofing of the "From" header. This means that if the sending domain (in HELO or MAIL FROM) does not have an SPF record or has a valid SPF record, the mail is valid even if it is spoofing your domain in the From header (it could be a valid mail forwarder).

This problem can be solved by using DMARC: https://blogs.technet.microsoft.com/eopfieldnotes/2015/02/26/using-dmarc-to-prevent-spoofing/

You could also create a transport rule like this:

Conditions:
  Message headers match regular expression "\nFrom: .*@OurDomain.co.uk"
  Sender's IP address is not one of (list of your IPs or IPs that are allowed to send mail for your domain)
Actions:
  Quarantine message

Or something like this:

Conditions:
  Message headers match regular expression "\nFrom: .*@OurDomain.co.uk"
  Message headers do not match regular expression "\nReply-To: .*@OurDomain.co.uk"
Actions:
  Quarantine message
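To make the distinction above concrete, here is an added Python model (not code from ESET, filips or the original thread) of the message described in this thread: it shows which identity SPF actually evaluates, why the message still fails DMARC's SPF alignment, and how the two proposed transport rules behave. The envelope sender, IPs and headers are constructed placeholders, Python's `re` stands in for Exchange's regex engine, and the organizational-domain lookup uses a one-entry stand-in for the Public Suffix List.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for the message described in the thread; IPs and the
# envelope sender are placeholders, not values from the original post.
SAMPLE = {
    "client_ip": "203.0.113.10",                # sending server, not in OurDomain's SPF
    "mail_from": "bounce@mailer-example.test",  # SMTP MAIL FROM, the identity SPF checks
    "spf_result": "pass",                       # assumed: mailer-example.test lists 203.0.113.10
    "headers": "From: MD <FirstName@OurDomain.co.uk>\n"
               "Reply-To: FirstName@OurDomain.co.uk-9.eu\n"
               "Subject: Urgent transfer\n",
}
ALLOWED_IPS = {"198.51.100.5"}   # constructed: hosts allowed to send for OurDomain.co.uk
MULTI_LABEL_SUFFIXES = {"co.uk"}  # toy stand-in for the Public Suffix List DMARC uses

def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def header_value(headers, name):
    m = re.search(r"^" + re.escape(name) + r": (.*)$", headers, re.M)
    return m.group(1) if m else ""

def organizational_domain(domain):
    labels = domain.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def spf_checked_domain(msg):
    """SPF evaluates MAIL FROM (or HELO), never the From: header shown to the user."""
    return domain_of(msg["mail_from"])

def dmarc_spf_aligned(msg):
    """DMARC relaxed alignment: From: org domain must equal the SPF-authenticated domain."""
    from_dom = organizational_domain(domain_of(header_value(msg["headers"], "From")))
    return msg["spf_result"] == "pass" and from_dom == organizational_domain(spf_checked_domain(msg))

def rule1_quarantines(msg, allowed_ips=ALLOWED_IPS):
    """Thread's first rule: From: regex matches and client IP is not an allowed sender."""
    hdrs = "\n" + msg["headers"]
    return bool(re.search(r"\nFrom: .*@OurDomain.co.uk", hdrs)) and msg["client_ip"] not in allowed_ips

def rule2_quarantines(msg, anchored=False):
    """Thread's second rule: From: matches, Reply-To does not. Unanchored, the Reply-To
    regex also matches the look-alike OurDomain.co.uk-9.eu, so the rule stays silent."""
    hdrs = "\n" + msg["headers"]
    reply_to = r"\nReply-To: .*@OurDomain\.co\.uk>?[ \t]*\n" if anchored else r"\nReply-To: .*@OurDomain.co.uk"
    return bool(re.search(r"\nFrom: .*@OurDomain.co.uk", hdrs)) and not re.search(reply_to, hdrs)
```

Running this against SAMPLE, SPF passes for mailer-example.test, DMARC alignment fails, the first rule quarantines, and the second rule only quarantines once the Reply-To domain is anchored to the end of the address.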
davidenco (author), posted March 7, 2018

Thanks filips, I have opted for the first rule suggestion.
filips (ESET Staff), posted March 7, 2018

One more thing I forgot to mention: you can (should) use the rule action "Log to events" for some time to check if the rule works correctly before enabling an action like reject/drop/quarantine.