
SPF check not working on phishing mails

Hey Guys

We're having some trouble with phishing mails. The mails look like they are coming from one of our domains. This is the header (I censored some values):


Received: from MX01.ourdomain.ch (192.168.110.19) by MX01.ourdomain.ch
(192.168.110.19) with Microsoft SMTP Server (TLS) id 15.0.1293.2 via Mailbox
Transport; Thu, 27 Jul 2017 07:09:52 +0200
Received: from MX01.ourdomain.ch (192.168.110.19) by MX01.ourdomain.ch
(192.168.110.19) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Thu, 27 Jul
2017 07:09:52 +0200
Received: from utm.ourdomain.net (8.8.8.8) by MX01.ourdomain.ch
(192.168.110.19) with Microsoft SMTP Server (TLS) id 15.0.1293.2 via Frontend
Transport; Thu, 27 Jul 2017 07:09:52 +0200
Received: from p3plsmtp06-06-2.prod.phx3.secureserver.net ([97.74.135.61]:32798 helo=p3plwbeout06-06.prod.phx3.secureserver.net)
by utm.ourdomain.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.82_1-5b7a7c0-XX)
(envelope-from <coyltm@outsourcedparalegalservices.com>)
id 1dab3W-0004Vb-0A
for hansueli.wuerth@ourdomain.ch; Thu, 27 Jul 2017 07:09:50 +0200
Received: from localhost ([97.74.135.16])
by :WBEOUT: with SMTP
id aavrdkJp5RW0maavrdbZZo; Wed, 26 Jul 2017 22:01:55 -0700
Received: (qmail 9835 invoked by uid 99); 27 Jul 2017 05:01:55 -0000
From: Hans Peter <hans.peter@ourdomain.ch>
To: <hansueli.steck@ourdomain.ch>
Subject: =?utf-8?B?U0VQQS9BdXNsYW5kc8O8YmVyd2Vpc3VuZw==?=
Thread-Topic: =?utf-8?B?U0VQQS9BdXNsYW5kc8O8YmVyd2Vpc3VuZw==?=
Thread-Index: AQHTBpaUIJao8jCRdkCqU8pTtJMqZA==
Date: Thu, 27 Jul 2017 05:01:53 +0000
Message-ID: <20170726220153.291ba9ef5338a76a8a2301db4d3f8952.c0649b8c8a.wbe@email06.godaddy.com>
Reply-To: Hans Peter <mykcome@gmail.com>
Content-Language: de-CH
X-MS-Exchange-Organization-AuthSource: MX01.ourdomain.ch
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: 50.63.197.83
user-agent: Workspace Webmail 6.8.5
x-sender: coyltm@outsourcedparalegalservices.com
Content-Type: multipart/alternative;
boundary="_000_20170726220153291ba9ef5338a76a8a2301db4d3f8952c0649b8c8_"
MIME-Version: 1.0


Now, our UTM shows coyltm@outsourcedparalegalservices.com as the sender; Outlook shows hans.peter@ourdomain.ch. The sender asks for some payments, and if the user answers, the mail goes to mykcome@gmail.com, as you can see in the header.

It's clear why the SPF check doesn't work in this case, but any idea how we can filter this kind of mail?



  • SPF does nothing with the "FROM:" information displayed by Outlook, which another post calls the P2 FROM, and is on this line:

    From: Hans Peter <hans.peter@ourdomain.ch>

    The SPF check occurs on the hello, which means that it only has this information available:

    Received: from p3plsmtp06-06-2.prod.phx3.secureserver.net ([97.74.135.61]:32798 helo=p3plwbeout06-06.prod.phx3.secureserver.net)
    by utm.ourdomain.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.82_1-5b7a7c0-XX)
    (envelope-from <coyltm@outsourcedparalegalservices.com>)
    id 1dab3W-0004Vb-0A
    for hansueli.wuerth@ourdomain.ch; Thu, 27 Jul 2017 07:09:50 +0200

    The "Envelope-From" ostensibly identifies the user account that authenticated to the source mail server, but it might also be fraudulent. If the envelope-from domain and IP are consistent for SPF purposes, the test will pass.

    A lot of legitimate mail is sent by third parties, just as a lot of snail mail is produced and mailed by printing companies on behalf of their clients. So it is annoying but not unreasonable that the internal domain and the visible domain are different.

    As best I can tell, the Exim MTA inside the UTM does not even examine the P2 FROM, so there is no known way to filter on it. I think there is an entry on IDEAS.SOPHOS.COM to fix this, which may require finding an alternative to Exim. If there is not an entry, it would be good to create one.

  • And for that particular email, send it to GoDaddy (they are secureserver), as they do not tolerate spam sent from their systems; it will be quickly taken care of.
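The check the first reply describes, done outside the MTA, as an added example (not code from the thread, from Sophos UTM or from Exim): pull the envelope sender out of the Received line that our own border host stamped (Exim writes it as "envelope-from <...>"), compare its domain with the domain in the visible From: header (the P2 FROM that Outlook shows), and separately note a Reply-To: that diverts answers elsewhere. This is the same idea DMARC formalizes as identifier alignment. Assumptions: OUR_DOMAINS stands in for the poster's censored domains, TRUSTED_THIRD_PARTY_ENVELOPE_DOMAINS is a hypothetical allowlist for the legitimate "printing company" senders the reply mentions, org_domain() is a crude last-two-labels approximation rather than a public suffix list lookup, and both sample messages are constructed from the censored header in the post.

```python
"""Flag mail whose visible From: claims one of our domains while the SMTP
envelope sender (the identity SPF actually checked) belongs to someone else.
Added example; not part of the original thread or any product named in it."""
import email
import re
from email.utils import parseaddr

# Assumption: the poster's censored domains. Replace with the real ones.
OUR_DOMAINS = {"ourdomain.ch", "ourdomain.net"}
# Assumption (hypothetical allowlist): envelope domains of third parties that
# legitimately send with our From: domain. Empty means no exemptions.
TRUSTED_THIRD_PARTY_ENVELOPE_DOMAINS = set()

# Exim stamps the SMTP MAIL FROM into its Received line as "(envelope-from <...>)".
ENVELOPE_FROM_RE = re.compile(r"envelope-from\s+<?([^\s<>]+)>?", re.I)
BY_HOST_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def org_domain(name):
    """Crude organizational domain: last two labels. Fine for ourdomain.ch;
    a real deployment would consult the public suffix list (e.g. for .co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def domain_of(addr_header):
    """Domain part of an address header such as From: or Reply-To:, or None."""
    _, spec = parseaddr(addr_header or "")
    return spec.rpartition("@")[2].lower() or None


def envelope_sender(msg):
    """Envelope-from taken only from a Received line written by one of our own
    hosts. Received lines below that hop were supplied by the remote side and
    can say anything; the internal hops above it carry no envelope-from."""
    ours = {org_domain(d) for d in OUR_DOMAINS}
    for received in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", received)       # unfold the header
        by = BY_HOST_RE.search(flat)
        if not by or org_domain(by.group(1)) not in ours:
            continue
        env = ENVELOPE_FROM_RE.search(flat)
        if env:
            return env.group(1).lower()
    return None


def classify(raw_message):
    """Return the identities that matter plus findings for a filter rule."""
    msg = email.message_from_string(raw_message)
    env = envelope_sender(msg)
    env_dom = env.rpartition("@")[2] if env else None
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    ours = {org_domain(d) for d in OUR_DOMAINS}
    findings, spoofed_from, reply_diverted = [], False, False

    # The visible From: claims us, but the envelope SPF validated does not align.
    if from_dom and org_domain(from_dom) in ours:
        aligned = env_dom is not None and org_domain(env_dom) == org_domain(from_dom)
        if not aligned and env_dom not in TRUSTED_THIRD_PARTY_ENVELOPE_DOMAINS:
            spoofed_from = True
            findings.append("From: claims %s but envelope sender is %r" % (from_dom, env))
    # Replies would leave the organization even though From: looks internal.
    if from_dom and reply_dom and org_domain(reply_dom) != org_domain(from_dom):
        reply_diverted = True
        findings.append("Reply-To: diverts replies to %s" % reply_dom)

    return {"envelope_from": env, "from_domain": from_dom, "reply_to_domain": reply_dom,
            "spoofed_from": spoofed_from, "reply_diverted": reply_diverted,
            "findings": findings, "suspicious": spoofed_from}


# Constructed sample: the censored header from the post, trimmed to what the check reads.
SAMPLE_PHISH = """\
Received: from MX01.ourdomain.ch (192.168.110.19) by MX01.ourdomain.ch
    (192.168.110.19) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Thu, 27 Jul
    2017 07:09:52 +0200
Received: from p3plsmtp06-06-2.prod.phx3.secureserver.net ([97.74.135.61]:32798 helo=p3plwbeout06-06.prod.phx3.secureserver.net)
    by utm.ourdomain.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.82_1-5b7a7c0-XX)
    (envelope-from <coyltm@outsourcedparalegalservices.com>)
    id 1dab3W-0004Vb-0A
    for hansueli.wuerth@ourdomain.ch; Thu, 27 Jul 2017 07:09:50 +0200
From: Hans Peter <hans.peter@ourdomain.ch>
To: <hansueli.steck@ourdomain.ch>
Subject: SEPA/Auslandsueberweisung
Reply-To: Hans Peter <mykcome@gmail.com>
Date: Thu, 27 Jul 2017 05:01:53 +0000

Please arrange the payment today.
"""

# Constructed sample of a legitimate internal mail: envelope and From: align.
SAMPLE_INTERNAL = """\
Received: from mail.ourdomain.ch ([192.168.110.20])
    by utm.ourdomain.net with esmtps (Exim 4.82_1-5b7a7c0-XX)
    (envelope-from <hans.peter@ourdomain.ch>)
    id 1dab3W-0004Vc-0B
    for hansueli.steck@ourdomain.ch; Thu, 27 Jul 2017 08:00:00 +0200
From: Hans Peter <hans.peter@ourdomain.ch>
To: <hansueli.steck@ourdomain.ch>
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("internal", SAMPLE_INTERNAL)):
        print(label, classify(raw))
```

Run against the posted message this reports the envelope sender coyltm@outsourcedparalegalservices.com against a From: domain of ourdomain.ch and a Reply-To: at gmail.com, so the filter fires on exactly the two things the poster saw: the UTM's sender and Outlook's sender disagree, and replies would leave the organization. The internal sample passes. The allowlist is where the reply's "printing company" senders go; the better long-term fix for that case is publishing SPF/DKIM for those senders so alignment holds without exemptions.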