
Archived

This topic is now archived and is closed to further replies.

davidenco

Spoofed Email Address


I am using Mail Security for Exchange 6.5 together with Exchange Server 2013.

This morning we received an email to our accounts team apparently from the MD asking them to transfer £10,000 to a UK sort code and account number in the email to set up a new client.

The sender's email address is FirstName@OurDomain.co.uk. This is not a valid email address in our Active Directory.

The Reply-To address (from the headers) is FirstName@OurDomain.co.uk-9.eu.

The originating domain and IP address is not included in our SPF record. Am I right in thinking that an email that uses our domain in the "from" field but originates from a server that is not included in our SPF record should cause the SPF check to fail? It didn't, and because SPF checking did not fail, Greylisting was not performed either (as per the default configuration).


Hi davidenco,

The SPF check is evaluated using the domain from HELO or MAIL FROM. It does not protect you against spoofing of the "From" header. This means that if the sending domain (in HELO or MAIL FROM) does not have an SPF record or has a valid SPF record, the mail is valid even if it is spoofing your domain in the From header (it could be a valid mail forwarder).

This problem can be solved by using DMARC: https://blogs.technet.microsoft.com/eopfieldnotes/2015/02/26/using-dmarc-to-prevent-spoofing/

You could also create a transport rule like this:
Conditions:
Message headers match regular expression \nFrom: .*@OurDomain.co.uk
Sender's IP address is not one of (list of your IPs or IPs that are allowed to send mail for your domain)
Actions:
Quarantine message

Or something like this:
Conditions:
Message headers match regular expression "\nFrom: .*@OurDomain.co.uk"
Message headers do not match regular expression "\nReply-To: .*@OurDomain.co.uk"
Actions:
Quarantine message

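As an added illustration (not code from the thread, and not ESET Mail Security's rule engine), the following Python script parses a constructed message modelled on the one described above and evaluates the points in filips' answer: the domain SPF actually looks at (the envelope MAIL FROM, read here from Return-Path) versus the domain the user sees in the From header, the DMARC-style alignment test between the two, and both suggested transport rules. The domain name, the allowed sender ranges and every header in the sample are constructed. It also evaluates the second rule's conditions exactly as posted, to show that an unanchored `.*@OurDomain.co.uk` pattern still matches the lookalike `OurDomain.co.uk-9.eu` Reply-To, so that version of the rule would not fire on this message; comparing the parsed domain does.

```python
"""Header checks for the spoofing case in this thread.

Added example, not ESET Mail Security's rule engine.  The domain, the
allowed sender ranges and the sample message are all constructed.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

OUR_DOMAIN = "ourdomain.co.uk"            # placeholder domain from the thread
# Assumption: the hosts that may send mail for our domain (the same ones
# listed in the SPF record).  Documentation range, constructed.
ALLOWED_SENDERS = [ipaddress.ip_network("198.51.100.0/24")]

# The second rule's conditions exactly as posted: unanchored regexes.
POSTED_FROM_RE = r"\nFrom: .*@OurDomain.co.uk"
POSTED_REPLY_TO_RE = r"\nReply-To: .*@OurDomain.co.uk"

# Constructed sample modelled on the message described in the thread.
RAW_MESSAGE = """\
Return-Path: <bounces@mailer.example>
Received: from mailer.example (mailer.example [203.0.113.7])
  by mail.ourdomain.co.uk with ESMTP; Tue, 1 Mar 2016 09:12:00 +0000
From: "Managing Director" <FirstName@OurDomain.co.uk>
Reply-To: FirstName@OurDomain.co.uk-9.eu
To: accounts@OurDomain.co.uk
Subject: Urgent: new client setup

Please transfer the funds today.
"""


def header_domain(msg, name):
    """Lower-cased domain of an address header; '' when the header is absent."""
    _, addr = parseaddr(msg.get(name, ""))
    return addr.rpartition("@")[2].lower()


def spf_domain(msg):
    """Domain SPF is evaluated against: the envelope MAIL FROM.

    A gateway rule sees MAIL FROM directly; on a stored message the receiving
    MTA has copied it into Return-Path, which is what we read here.
    """
    return header_domain(msg, "Return-Path")


def rule_sender_ip(msg, connecting_ip):
    """Rule 1: header From claims our domain, but the connecting IP is not ours."""
    ip = ipaddress.ip_address(connecting_ip)
    claims_us = header_domain(msg, "From") == OUR_DOMAIN
    trusted = any(ip in net for net in ALLOWED_SENDERS)
    return claims_us and not trusted


def rule_reply_to(msg):
    """Rule 2: header From claims our domain, Reply-To does not (an absent
    Reply-To counts as 'does not', exactly like the posted condition)."""
    return (header_domain(msg, "From") == OUR_DOMAIN
            and header_domain(msg, "Reply-To") != OUR_DOMAIN)


def posted_regex_matches(raw, pattern):
    """The condition as literally posted: an unanchored regex over raw headers."""
    return re.search(pattern, raw) is not None


def evaluate(raw, connecting_ip):
    """Run every check on one raw message and return the verdicts."""
    msg = email.message_from_string(raw)
    from_dom = header_domain(msg, "From")
    return {
        "spf_domain": spf_domain(msg),           # what SPF actually looked at
        "from_domain": from_dom,                 # what the recipient saw
        "aligned": spf_domain(msg) == from_dom,  # the DMARC alignment test
        "rule_sender_ip": rule_sender_ip(msg, connecting_ip),
        "rule_reply_to": rule_reply_to(msg),
        # The lookalike Reply-To still satisfies the posted Reply-To regex,
        # so the posted form of rule 2 does not fire on this message.
        "posted_rule_reply_to": (posted_regex_matches(raw, POSTED_FROM_RE)
                                 and not posted_regex_matches(raw, POSTED_REPLY_TO_RE)),
    }


def action(verdicts, enforce=False):
    """Map verdicts to a rule action; log-only until the rule has been observed."""
    hit = verdicts["rule_sender_ip"] or verdicts["rule_reply_to"]
    if not hit:
        return "deliver"
    return "quarantine" if enforce else "log"


if __name__ == "__main__":
    verdicts = evaluate(RAW_MESSAGE, "203.0.113.7")
    for key, value in verdicts.items():
        print(f"{key:22} {value}")
    print("action:", action(verdicts))
```

The connecting IP is passed in rather than scraped from Received headers, because a gateway knows the peer address directly and Received headers above the first trusted hop can be forged. The `action` helper defaults to logging so a new rule can be watched for false positives before it is allowed to quarantine.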

Thanks filips, I have opted for the first rule suggestion.


One more thing I forgot to mention: you can (should :)) use the rule action "Log to events" for some time to check that the rule works correctly before enabling an action like reject/drop/quarantine.

