SPF check with empty FROM

SPF will only help against an MTA connection, not the DATA From.  In terms of spam, most spammers will generate their own valid spf records because it's literally 1 line in a shell.

I would have a look at this kb .  adding you domain to the hosts would stop someone from sending mail to yourself from your own server.. and adding your domain to the senders tab as discribed will drop mail that originates with a public ip with a DATA from of your domain.

The only thing to really consider is if you have a legitimate company spoofing mailings on your behalf that mails to your domain.  IE mail chimp or other bulk mailers.

https://community.sophos.com/kb/en-us/118845

Thanks for the quick reply.

From the SEA logs it appears the From was spoofed inside the Data part, as you suggested.

Strangely the SEA logs report that the email didn't have any sender email, is it possible?

Even from the full logs it appears so (third row?):

2017-05-03 15:07:23 antispam postfix/smtpd[92551]: 82B547426_909D60BF: client=amw60.rev.netart.pl[85.128.205.60]
2017-05-03 15:07:23 antispam postfix/cleanup[99078]: 82B547426_909D60BF: message-id=<2391400359675.20175313723@MyDomain.com>
2017-05-03 15:07:23 antispam postfix/qmgr[27237]: 82B547426_909D60BF: from=<>, size=1652, nrcpt=1 (queue active)
2017-05-03 15:07:23 antispam postfix/smtp[96636]: 82B547426_909D60BF: to=<MyUser@MyDomain.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.25, delays=0.06/0/0/0.19, dsn=2.0.0, status=sent (250 OK, sent 5909D60B_84558_3067_1 NOFORWARD)
2017-05-03 15:07:23 antispam postfix/qmgr[27237]: 82B547426_909D60BF: removed
2017-05-03 15:07:23 antispam milter[84558]: 5909D60B_84558_3067_1: Sandstorm header not found.
2017-05-03 15:07:23 antispam milter[84558]: 5909D60B_84558_3067_1: X-Sophos headers have been stripped.
2017-05-03 15:07:23 antispam milter[84558]: 5909D60B_84558_3067_1: HISTORIAN: Query results: 'ip=85.128.205.60,fs=0,da=22369541,mc=1,sc=0,hc=1,sp=0,fso=0,re=0,sd=0,hd=0'
2017-05-03 15:24:01 antispam milter[84558]: 5909D9F1_84558_3141_1: Sandstorm header not found.
2017-05-03 15:24:01 antispam postfix/backend/smtp[2055]: setting up TLS connection to INTERNAL.IP[INTERNAL.IP]:25
2017-05-03 15:24:01 antispam postfix/backend/smtp[2055]: Trusted TLS connection established to INTERNAL.IP[INTERNAL.IP]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
2017-05-03 15:24:01 antispam postfix/backend/smtpd[2833]: 635238824_909D9F1B: client=localhost.localdomain[127.0.0.1]
2017-05-03 15:24:01 antispam postfix/backend/cleanup[96642]: 635238824_909D9F1B: message-id=<2391400359675.20175313723@MyDomain.com>
2017-05-03 15:24:01 antispam postfix/backend/qmgr[15227]: 635238824_909D9F1B: from=<>, size=3324, nrcpt=1 (queue active)
2017-05-03 15:24:01 antispam postfix/backend/smtp[2055]: 635238824_909D9F1B: to=<MyUser@MyDomain.com>, relay=INTERNAL.IP[INTERNAL.IP]:25, delay=0.54, delays=0.1/0/0.03/0.41, dsn=2.6.0, status=sent (250 2.6.0 <2391400359675.20175313723@MyDomain.com> [InternalId=973215] Queued mail for delivery)
2017-05-03 15:24:01 antispam postfix/backend/qmgr[15227]: 635238824_909D9F1B: removed

If that is true, how can I create a rule that matches that kind of messages?

Even more interesting is: should the SEA by default mark as suspected or even quarantine an email without the sender?

Thanks again

So, I have used this POC in which I will use a fake HELO FQDN, an empty "MAIL FROM" email and a spoofed "From" header in the DATA section.

I am receiving tons of this kind of email from yesterday and all my colleagues think they are legittimate since Outlook shows the spoofed from

$ telnet MY.SEA.FQDN 25
Trying MY.SEA.IP ...
Connected to MY.SEA.FQDN.
Escape character is '^]'.
220 MY.SEA.FQDN
HELO myfakehelo
250 MY.SEA.FQDN
MAIL FROM:<>
250 2.1.0 Ok
RCPT TO:<massimo.forni@mydomain.legit>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: Massimo Forni <massimo.forni@mydomain.legit>
To: Massimo Forni <massimo.forni@mydomain.legit>
Date: Thu, 4 May 2017 14:52:00 +0200
Subject: Test message no real from

Hello,
This is just a test messaget without the "MAIL FROM", but whith a spoofed DATA "From".
Have fun.

.
250 2.0.0 Ok: queued as CB9F85AC5_90B240DF
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

Shouldn't this trigger some rules? At least the fake FQDN HELO.... ?

Thanks

In regards to the spoofed email address, just add mydomain.com to the blacklisted hosts and @mydomian.com to the blacklisted senders.  This will prevent any mta pretending (or that resolves to) your domain and an message with anyone@mydomain.com that connected externally.

As for a blank sender... It would impact the overall spam score but would not necessarily automatically trigger 50% spam score. 

I would go over this KB and ensure your spam settings match   specifically : filtering options, delay queue and smtp settings .. but in general everything is important

community.sophos.com/.../120802

As for creating a rule, yes it's possible...  However I would NOT recommend it unless it's absolutely necessary.

Hi, I do have external services that send legittimate email from our domain, which are included in our SPF record.

I have checked the KB and my appliance follows the recommendations.

Is it possible at least to check the validity of the HELO/EHLO parameter?

Thanks

Hi Massimo,

I think there is some confusion about SPF and a From header.. SPF checking is done on the connecting mta ip.  SPF is a security feature.. not an anti-spam feature.

The from header of a message is never even looked at until the message is accepted by postfix and delivered to the processing engine (milter) SPF checking is done by postfix.

You may wish to contact support an open a case if you are having spam issues.  In the meantime I recommend submitting samples to is-spam@labs.sophos.com

Just create a new message and drag and drop all of the spam as .eml attachments and send it off.