Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 17 replies
  • Subscribers 5 subscribers
  • Views 48348 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Preventing phishing attack?

steagle
We've had someone impersonating an employee of our company through spear phishing attacks. It's clear to see that the email is originating from someone else, and I can easily blacklist those addresses, but they just start again with a new address. What I'd like to do is create a global rule that filters out anything from our real employee that does not have our email domain in the address. I'm having trouble putting together something that does this either in the firewall filter or the SMTP anti-spam settings. Any ideas for how to accomplish this?


This thread was automatically locked due to age.
Parents
  • 0
    I did an experiment.  In WebAdmin, I blacklisted *@ourdomain.com and I added ourdomain.com in the 'Expression Filter' box.  We already have SPF and DKIM in place.

    From the command line of a client's UTM, I sent an email with a MAIL FROM of info@theirdomain.com.  After the DATA command, I did From: Someone@ourdomain.com and then To: Bob Alfson.

    The emails came through, showing From: Someone@ourdomain.com, even  though they were sent by info@theirdomain.com.

    After thinking about this, it appears that DMARC is the only tool that can prevent this.  You might want to vote for Enable DMARC.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    I did an experiment.  In WebAdmin, I blacklisted *@ourdomain.com and I added ourdomain.com in the 'Expression Filter' box.  We already have SPF and DKIM in place.

    From the command line of a client's UTM, I sent an email with a MAIL FROM of info@theirdomain.com.  After the DATA command, I did From: Someone@ourdomain.com and then To: Bob Alfson.

    The emails came through, showing From: Someone@ourdomain.com, even  though they were sent by info@theirdomain.com.

    After thinking about this, it appears that DMARC is the only tool that can prevent this.  You might want to vote for Enable DMARC.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML