Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 18 subscribers
  • Views 3182 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocking Email where From and Reply-To are different

Joshua Curry

Pretty much what the subject says, we've been getting spam and phishing emails making it through the Gateway where the From and Reply-To addresses are different. For example the "From" will be "ReasonableName@CompanyWeTrust.com" and the Reply-To will be "TotalPhish@email.ru". Is there any way to flag, quarantine, or block these types of emails?



Added tags
[edited by: Raphael Alganes at 10:04 AM (GMT -7) on 29 May 2023]
  • 0

    It is a difficult one, because there seems to be plenty of legitimate reasons why these can differ. 

    “First things first, but not necessarily in that order” – Doctor Who

  • 0 in reply to j0hnV

    That I completely understand, but for specific groups within our org such as AP/Cash Collections they receive far more phishing and spam using this method than any legitimate email. It's become prevalent enough that Financial Fraud webinars now highlight it as a common threat to watch out for.  The ability to simply highlight it via a banner or quarantine them would be helpful.

  • 0 in reply to Joshua Curry

    Have you thought about tightening security on incoming emails in general? I.e. SPF/DKIM hard fails and others potentially held for approval or quarantined?

    A quick warning email sent to staff that if it's in quarantine to be extremely suspect of it.

Unfiltered HTML