Spoofed Email Address


I am using Mail Security for Exchange 6.5 together with Exchange Server 2013.

This morning we received an email to our accounts team apparently from the MD asking them to transfer £10,000 to a UK sort code and account number in the email to setup a new client.

The sender's email address is FirstName@OurDomain.co.uk. This is not a valid email address in our Active Directory.

The Reply-To address (from the headers) is FirstName@OurDomain.co.uk-9.eu.

The originating domain and IP address is not included in our SPF record. Am I right in thinking that an email that uses our domain in the "from" field but originates from a server that is not included in our SPF record should cause the SPF check to fail? It didn't, and because SPF checking did not fail, Greylisting was not performed either (as per the default configuration).


ESET Staff

Hi davidenco,

The SPF check is evaluated using the domain from HELO or MAIL FROM. It does not protect you against spoofing of the "From" header. This means that if the sending domain (in HELO or MAIL FROM) does not have an SPF record or has a valid SPF record, the mail is valid even if it is spoofing your domain in the From header (it could be a valid mail forwarder).

This problem can be solved by using DMARC: https://blogs.technet.microsoft.com/eopfieldnotes/2015/02/26/using-dmarc-to-prevent-spoofing/

You could also create a transport rule like this:
Conditions:
Message headers match regular expression \nFrom: .*@OurDomain.co.uk
Sender's IP address is not one of (list of your IPs or IPs that are allowed to send mail for your domain)
Actions:
Quarantine message

Or something like this:
Conditions:
Message headers match regular expression "\nFrom: .*@OurDomain.co.uk"
Message headers do not match regular expression "\nReply-To: .*@OurDomain.co.uk"
Actions:
Quarantine message

Edited by filips
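The two transport rules above, expressed as a standalone check so the logic can be tried against a message before it is turned into an Exchange rule. This is an added example, not ESET's or the poster's code; the domain, the allowed network and the sample message are constructed placeholders, and the check compares whole domains rather than using an unanchored regex, because a pattern like `Reply-To: .*@OurDomain.co.uk` would also match the look-alike `OurDomain.co.uk-9.eu` from the original post.

```python
import email
import ipaddress
from email.utils import parseaddr

OUR_DOMAIN = "ourdomain.co.uk"  # placeholder for the poster's real domain
# Constructed assumption: networks allowed to send mail as our domain
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def header_domain(msg, name):
    """Lower-cased domain of the address in header `name`, or None if absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)
    return addr.rpartition("@")[2].lower() or None


def classify(raw_message, sender_ip):
    """Return the reasons a message looks like header-From spoofing (empty = clean)."""
    msg = email.message_from_string(raw_message)
    reasons = []
    # SPF is checked against the envelope sender (Return-Path / MAIL FROM), so a
    # passing SPF result says nothing about the From header shown to the user.
    envelope = header_domain(msg, "Return-Path")
    if header_domain(msg, "From") != OUR_DOMAIN:
        return reasons  # not claiming to be us; out of scope for these rules
    # Rule 1: From claims our domain but the connecting IP is not an allowed source.
    ip = ipaddress.ip_address(sender_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        reasons.append("sender IP %s not allowed for %s (envelope %s)" % (ip, OUR_DOMAIN, envelope))
    # Rule 2: Reply-To redirects replies to a different domain. Whole-domain compare,
    # so "ourdomain.co.uk-9.eu" is correctly treated as a different domain.
    reply_domain = header_domain(msg, "Reply-To")
    if reply_domain is not None and reply_domain != OUR_DOMAIN:
        reasons.append("Reply-To domain %s differs from From domain" % reply_domain)
    return reasons


# Constructed sample resembling the message in the thread (not a real capture)
SAMPLE = """Return-Path: <bounce@mailer.example.net>
From: "MD" <FirstName@OurDomain.co.uk>
Reply-To: FirstName@OurDomain.co.uk-9.eu
To: accounts@OurDomain.co.uk
Subject: New client setup

Please transfer the funds today.
"""

if __name__ == "__main__":
    for reason in classify(SAMPLE, "198.51.100.7"):
        print("FLAG:", reason)
```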

ESET Staff

One more thing I forgot to mention: you can (should :)) use the rule action "Log to events" for some time to check that the rule works correctly before enabling an action like reject/drop/quarantine.
