
Preventing phishing attack?

We've had someone impersonating an employee of our company through spear phishing attacks. It's clear to see that the email is originating from someone else, and I can easily blacklist those addresses, but they just start again with a new address. What I'd like to do is create a global rule that filters out anything from our real employee that does not have our email domain in the address. I'm having trouble putting together something that does this either in the firewall filter or the SMTP anti-spam settings. Any ideas for how to accomplish this?


  • The only thing I can think of would be to use the Expression Filter with https?://, thus quarantining all emails with links.  To be workable, you would need to enable the User Portal for everyone and setup the Quarantine Report if you haven't already.

    In essence, you would be forcing people to release-and-whitelist known-trusted emails with links or just release the others where they're not certain whether it's malicious.  The users can maintain their own white/blacklists in the User Portal.

    If your endusers aren't already getting Quarantine Reports or aren't familiar with the User Portal, you might get more mileage out of a regular program of fake phishing emails like the service offered by phishme and wombatsecurity.  Their emails include a link to a page that starts with something like, “Oops! The email you just responded to was a fake phishing email. Don’t worry! It was sent to you to help you learn how to avoid real attacks. Please do not share your experience with colleagues, so they can learn too.”

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Just setup SPF and add the record into your DNS then anything sent claiming to be you that isn't will get rejected.
  • Paul, I thought he already had an SPF record, and that that wasn't stopping the problem.  Maybe he just needs to set it to hard fail instead of soft.  It's really not clear, steagle, what mechanism the criminal is using.

    Have you tried DKIM?  You might try using my KB article: DKIM Setup using Windows OpenSSL.  Any luck with that?

    Cheers - Bob
  • I did an experiment.  In WebAdmin, I blacklisted *@ourdomain.com and I added ourdomain.com in the 'Expression Filter' box.  We already have SPF and DKIM in place.

    From the command line of a client's UTM, I sent an email with a MAIL FROM of info@theirdomain.com.  After the DATA command, I did From: Someone@ourdomain.com and then To: Bob Alfson.

    The emails came through, showing From: Someone@ourdomain.com, even though they were sent by info@theirdomain.com.

    After thinking about this, it appears that DMARC is the only tool that can prevent this.  You might want to vote for Enable DMARC.

    Cheers - Bob
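The experiment above is worth seeing as a check you can run. The following is an added example, not code from the original thread or from Sophos: it models the same message (envelope MAIL FROM at theirdomain.com, header From at ourdomain.com, sent from theirdomain.com's own server) and shows why SPF and DKIM each report success while only a DMARC alignment check against the header From fails it. The addresses, the DKIM signature values and the SPF/DMARC DNS data are constructed stand-ins, and the cryptographic DKIM verification is assumed to have already happened (the `dkim_verified` flag); the organizational-domain logic is a two-label simplification of the Public Suffix List rule.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed stand-ins for published DNS data (hypothetical addresses, not real records).
# SPF: which sending IPs each domain authorizes.
SPF_AUTHORIZED = {
    "ourdomain.com":   [ipaddress.ip_network("203.0.113.10/32")],
    "theirdomain.com": [ipaddress.ip_network("198.51.100.20/32")],
}
# DMARC: the policy the From-domain owner publishes (p= tag of _dmarc.<domain>).
DMARC_POLICY = {"ourdomain.com": "reject"}


def spf_check(mail_from: str, client_ip: str) -> Tuple[str, str]:
    """SPF evaluates the RFC5321.MailFrom (envelope) domain, not the header From."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    nets = SPF_AUTHORIZED.get(domain)
    if nets is None:
        return "none", domain
    ip = ipaddress.ip_address(client_ip)
    return ("pass" if any(ip in net for net in nets) else "fail"), domain


def dkim_signing_domain(msg) -> Optional[str]:
    """DKIM's identifier is the d= tag of the signature, chosen by the signer."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    return tags.get("d", "").strip().lower() or None


def organizational_domain(domain: str) -> str:
    # Simplification: last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain: Optional[str], from_domain: str) -> bool:
    """Relaxed DMARC alignment: same organizational domain as the header From."""
    return identifier_domain is not None and \
        organizational_domain(identifier_domain) == organizational_domain(from_domain)


def dmarc_evaluate(raw_message: str, mail_from: str, client_ip: str,
                   dkim_verified: bool = True) -> dict:
    """dkim_verified models the outcome of the signature check, assumed already done;
    what this function adds is identifier alignment against the header From."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    spf_result, spf_domain = spf_check(mail_from, client_ip)
    dkim_domain = dkim_signing_domain(msg)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_aligned = dkim_verified and aligned(dkim_domain, from_domain)
    dmarc = "pass" if (spf_aligned or dkim_aligned) else "fail"
    policy = DMARC_POLICY.get(from_domain, "none")
    disposition = "deliver" if dmarc == "pass" or policy == "none" else policy
    return {"from_domain": from_domain, "spf": spf_result, "spf_domain": spf_domain,
            "dkim_domain": dkim_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc": dmarc, "disposition": disposition}


# Constructed message reproducing the experiment: header From claims ourdomain.com,
# DKIM-signed by theirdomain.com's server (signature values are placeholders).
SPOOFED = """\
From: Someone@ourdomain.com
To: Bob Alfson <bob@theirdomain.com>
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; d=theirdomain.com; s=mail; h=from:to:subject; bh=placeholder; b=placeholder

Looks like it came from us.
"""

# Constructed legitimate message from ourdomain.com's own server, no DKIM.
LEGIT = """\
From: Someone@ourdomain.com
To: Bob Alfson <bob@theirdomain.com>
Subject: test

Really from us.
"""

if __name__ == "__main__":
    print(dmarc_evaluate(SPOOFED, "info@theirdomain.com", "198.51.100.20"))
    print(dmarc_evaluate(LEGIT, "someone@ourdomain.com", "203.0.113.10"))
```

The spoofed message gets SPF "pass" (the envelope domain really did authorize that server) and a valid DKIM signature (for d=theirdomain.com), yet neither identifier aligns with ourdomain.com, so DMARC fails and the published p=reject applies. The legitimate message passes on aligned SPF alone. This is the gap an SPF-only or SPF+DKIM check in the UTM cannot close: both checks succeed on identifiers the sender controls.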
  • I also just added another idea that you might want to vote for: In Anti-Spam, Expression-check everything after DATA or include From.

    Cheers - Bob
    Paul said:

    Just setup SPF and add the record into your DNS then anything sent claiming to be you that isn't will get rejected.

    Hey Paul, SPF checking is already enabled in my UTM and I have a SPF record in my public DNS that specifies the allowed IP addresses for our email server. Could you provide an example of how you'd configure the SPF DNS record, so I can compare to mine?
  • Bob, I voted for your idea and I hope others will do the same. Is there any news on that?

  • In your DNS records, add a TXT with name @ and value

    v=spf1 +a +mx +ip4:0.0.0.0 ~all

    Replace 0.0.0.0 with your external IP

    Do an SPF check at Mxtoolbox.com

  • Bob, why not make a request to Sophos to add something for that? Since the UTM belongs to example.com, it shouldn't accept emails from another host if the sender is example.com.

  • Unknown said:

    In your DNS records, add a TXT with name @ and value

    v=spf1 +a +mx +ip4:0.0.0.0 ~all

     

    I would suggest the use of -a, not ~a, after you have tested this, because ~ (tilde) is for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged. - (minus) is for FAIL; the mail should be rejected.

    Best

    Alex

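The record suggested above ("v=spf1 +a +mx +ip4:0.0.0.0 ~all") and the follow-up about "~" versus "-" can be checked without a live DNS lookup. The following is an added example, not code from the original thread or from Sophos or MxToolbox: it evaluates an SPF record of that exact shape against a connecting IP and then re-runs the same record with the trailing qualifier on `all` changed from "~" to "-", which is the term whose qualifier decides what an unauthorized sender gets. The domain, the A/MX records and the addresses are constructed stand-ins for a zone; the evaluator handles a, mx, ip4, ip6 and all, and deliberately returns "permerror" for include/redirect/exists, which it does not model.

```python
import ipaddress
from typing import Dict

# Constructed DNS data standing in for a zone (hypothetical names and addresses).
DNS = {
    "TXT": {"example.com": "v=spf1 +a +mx +ip4:203.0.113.10 ~all"},
    "A":   {"example.com": ["203.0.113.5"], "mx1.example.com": ["203.0.113.25"]},
    "MX":  {"example.com": ["mx1.example.com"]},
}

# Qualifier prefixes and the result they yield when their mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain: str, client_ip: str, dns: Dict = DNS) -> str:
    """Walk the SPF record left to right; the first matching mechanism decides.
    Models a, mx, ip4, ip6 and all (no include/redirect/exists, no CIDR on a/mx)."""
    record = dns["TXT"].get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns["A"].get(arg or domain, [])
        elif name == "mx":
            matched = any(str(ip) in dns["A"].get(mx, [])
                          for mx in dns["MX"].get(arg or domain, []))
        else:
            return "permerror"                # unmodelled term: fail closed
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # fell off the end without a match


def compare_all_qualifiers(domain: str, client_ip: str) -> Dict[str, str]:
    """Re-evaluate the same record with '~all' swapped for '-all' to show what
    changes for an IP that matches no other mechanism."""
    base = DNS["TXT"][domain].rsplit(" ", 1)[0]
    return {q + "all": evaluate_spf(domain, client_ip,
                                    {**DNS, "TXT": {domain: f"{base} {q}all"}})
            for q in ("~", "-")}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.5", "203.0.113.25", "198.51.100.7"):
        print(ip, evaluate_spf("example.com", ip))
    print(compare_all_qualifiers("example.com", "198.51.100.7"))
```

The three authorized addresses (the ip4 literal, the domain's A record and the MX host) all return "pass" regardless of the final qualifier. The unauthorized address returns "softfail" under "~all" and "fail" under "-all"; since a receiver typically only tags softfail and rejects fail, the "~all" form is what lets a spoofed envelope sender through during testing.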