Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 6419 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocking spoofed email sent via gmail for .com/.co.za to our domain.

Legio Victrix

Good Morning

We have recently received email stating new banking details sent from gmail spoofed as a .co.za domain sender. I have searched for solutions on how to block this type of inbound email with no luck on a quarantine it solution. The email originated via a gmail server and the reply to address states a gmail address in the header. the from header however states a .co.za domain. By all appearance it seems to have been sent via google webmail. (Which left me a tad frustrated that google do not block these emails from sending via their smtp servers). I have copied relevant mail headers below - replaced privacy parts with ### where relevant. Any ideas on how to block these kind of emails in future? Usually the UTM does a sterling job of taking care of these - however in this instance spf / dkim etc etc all failed miserably leaving many late hours and lots of coffee how to protect organizations from being caught due to human error that overlooked the gmail appart - even after printing the email - oi oi trouble. Specialists your input would be as always much appreciated.

Received: from mail-ot0-f181.google.com ([74.125.82.181])
by @@@@@@.net with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
(Exim 4.84_2)
(envelope-from <garry#####@gmail.com>)
id 1et8nZ-0004Ce-1Z

From: " \"Sharlisa<##@###security.co.za>\" " <garry#####@gmail.com>
To: Susan <##@#####.co.za>

envelope-to: ##@#####.co.za




This thread was automatically locked due to age.
Parents
  • 0

    Hi Legio and welcome to the UTM Community!

    Please show us all of the headers.  Obfuscate your IP like 165.x.y.111.  Is your company email hosted at Google?  Please show the complete domain name for ###security.co.za.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thank you for the reply BAlfson. Hosting is not with Google - Instead we have a catch all mailbox with a hosting company - from where we collect the email. Please find headers as requested below:

    Received: from exchange-pop3-connector.com (192.168.0.250) by
    xxxxx.xxxxxx.local (192.168.0.251) with Microsoft SMTP Server id
    15.0.1347.2 via Frontend Transport; Tue, 6 Mar 2018 11:29:57 +0200
    Received: from mail-ot0-f181.google.com ([74.125.82.181])
    by www30.jnb2.host-h.net with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
    (Exim 4.84_2)
    (envelope-from <garrymoloi1@gmail.com>)
    id 1et8nZ-0004Ce-1Z
    for xx@xxxxxx.co.za; Tue, 06 Mar 2018 11:22:19 +0200
    Received: by mail-ot0-f181.google.com with SMTP id g97so17693983otg.13
    for <xx@xxxxxx>; Tue, 06 Mar 2018 01:22:16 -0800 (PST)
    Received: by 10.201.54.143 with HTTP; Tue, 6 Mar 2018 01:22:09 -0800 (PST)
    From: " \"Sharlisa<fox@foxsecurity.co.za>\" " <garrymoloi1@gmail.com>
    To: My Ghosty <xx@xxxxxx.co.za>
    Subject: New Banking Details
    Thread-Topic: New Banking Details
    Thread-Index: AQHTtS2x3EXjIulTv0ippLGNRAEI9g==
    Date: Tue, 6 Mar 2018 09:22:09 +0000
    Message-ID: <CACP-CXf3eTue4E=nDjeS2nKUPuPjLLb_vyn-WunQtZt-urRrSg@mail.gmail.com>
    Content-Language: en-US
    X-MS-Exchange-Organization-AuthSource: xxxxx.xxxx.local
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    envelope-to: xx@xxxxxx.co.za
    delivery-date: Tue, 06 Mar 2018 11:22:19 +0200
    x-virus-scanned: Clear (ClamAV 0.99.2/24367/Tue Mar 6 03:15:38 2018)
    delivered-to: xxxxxx@xxxxx.co.za
    dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com;
    s=20161025; h=mime-version:from:date:message-id:subject:to;
    bh=8p3ZcjLT1/jN0WncxcAEKQ5FR+/Uo60HtgNrJV2NFfc=;
    b=s4+SazAe0A+T7YxyBObu7dWdOgJswC2R1pYrpPPxDYYD0ojGK9NV0hD5HWeHiQDXoc
    u9UGrFWFEeZ9/4CO/B5Uo7pl3dlz+beJWwvk+c29006/TXxWuvlGIom+c1MRcC8X+voQ
    bXFz74jWr6xAH9WE/ori6sxIcZWSlmRzsf/AL2qz8qfksNcYwexL1ZYqAdXpeNefewxc
    EKwcQ5fDUHhEt9d82lDVQtsEBatqCYm4loOM9bSy3DSNwQLJV3/9o5E/1SXTw5+5zzzc
    VcOz3K4uaiOP+wNQSRbsuFLAscI2a7zx6n6CmjC29kg1xbfpGRmd5C9O6+LZFI5SHZoD
    VLjg==
    x-received: by 10.157.25.47 with SMTP id j47mr12210487ota.73.1520328130550;
    Tue, 06 Mar 2018 01:22:10 -0800 (PST)
    x-gm-message-state: APf1xPBCmLMmsezyR/c2Qw71CpbRWZbRilGCJ5byWxU46UfzI54IlClo
    S3bSVq+0ZQrBY8nhf8VFuvgvlEbFD65U/wENakdrZxkt
    x-google-dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=1e100.net; s=20161025;
    h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
    bh=8p3ZcjLT1/jN0WncxcAEKQ5FR+/Uo60HtgNrJV2NFfc=;
    b=pXfgMT8SjNkz5gqOrZkbW5RNv/ShamiV9sorkPx0Bvb8e/sjUcpX8atGrptMiNJcjp
    TslTo8WgkxnZcepO8niAPS0i1itQU/KYdwpAXUbC26pfXXYS0Q2zglp6TIgwnJKQIt7p
    CW75bZ9TUDF/aBbewMb1oI50ttyu+/paV4aTCWNKIdQ8dnX+xVlNSQPgkWZKKFD5Q50v
    jKA/nZHDOHVTcksN/AXGE3AHseY1idsUId/JD0OdjmNg+bhsyuNSlUCs7/Mab9vNYU0n
    XzXyZfDEaF3tr9fLPl/7ehUxNlNQ8BkRalzbxprDXnyn/susRkwF9xsfH30IW93/HiLR
    EEIQ==
    x-proxy-ident: 0/17089-1-1520328431
    x-ctch-refid: str=0001.0A0B0205.5A9E5EF0.01A0,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    x-google-smtp-source: AG47ELvyjmDqBAD5MWcsPeZLucdAPzc+7y73c+L44QKJqI3DZ1oSKtCoai1M+RdKIdofH3gdf3dhO7RCXqMyV+tqeTs=
    Content-Type: multipart/mixed;
    boundary="_006_CACPCXf3eTue4EnDjeS2nKUPuPjLLbvynWunQtZturRrSgmailgmail_"
    MIME-Version: 1.0

    Thank You for taking the time to assist!

  • 0 in reply to Legio Victrix

    It looks like the criminals have the password for the Gmail account garrymoloi1.  They have configured their mail server with those credentials to use Gmail as a smart host.  This is why the Gmail account appears in envelope-from (MAIL FROM in the SMTP transaction) and the foxsecurity.co.za appears in From.

    Please vote for and comment on In Anti-Spam, Expression-check everything after DATA or include From.

    It is easier to stop such spams if your MX record points to the UTM and the SMTP Proxy filters email coming to you.  The POP3 Proxy is just not as effective.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to Legio Victrix

    It looks like the criminals have the password for the Gmail account garrymoloi1.  They have configured their mail server with those credentials to use Gmail as a smart host.  This is why the Gmail account appears in envelope-from (MAIL FROM in the SMTP transaction) and the foxsecurity.co.za appears in From.

    Please vote for and comment on In Anti-Spam, Expression-check everything after DATA or include From.

    It is easier to stop such spams if your MX record points to the UTM and the SMTP Proxy filters email coming to you.  The POP3 Proxy is just not as effective.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML