Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 13 replies
  • Subscribers 19 subscribers
  • Views 6709 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

E-mail Gateway malicious url e-mail allowed through

Fred_B


we have received an e-mail using an alias/send as from one of our domains. The e-mail was allowed through and leads to a malicious url. We have enabled the setting in E-mail Security to reject e-mails that impersonate one of our domains: 

Header anomalies
Email that appears to come from your own domain, but originates externally

Now it wasn’t rejected but as this sender does not match our spf or dmarc we feel it should have been quarantined next. It didn’t, not as far as I can see in the logs as it only gives delivered successfully.

Sophos Support claims it is a false positive and that I should send it to Sophos Labs. I can’t do anything with such support answers.

Questions: is send as / alias from a non-domain email adress using a send as / alias of one of our e-mail domains not picked up by:

a] header anomalies?

b] spf and dmarc settings?

Regards,

Fred



Added tags
[edited by: Raphael Alganes at 5:59 AM (GMT -7) on 7 Jun 2023]
  • 0


    I checked the logs again to see if I reported the messages to SophosLabs as spam, which I did. This time I used a wider date search and found that upto January 20th this identical email, same subject, same content and same sender was quarantined once as a malicious url send to our info@domainA.com and once deleted as spam send to our info@domainB.com. Now 5 days later it is send again January 25th to info@domainC.com and again to info@domainB.com. This time both have delivered successfully in the e-mail logs.

    we have not changed any of our settings in that period. 

    On January 25th I added the IP adress to the general block list to prevent from receiving any more of these emails from that sender.

  • 0 in reply to Fred_B

    it seems that this from is not picked up correctly as an anomalie From: =?UTF-8?B?RGl2ZXF1aXBtZW50IERvY3VtZW50IENlbnRlcg==?= <secured_file55916@domainC.com> 

    the senderhas no spf or dmarc and nothing suggests it is spam other that the alias / send as in the from. IMO this should have been treated as header anomalies and rejected.

  • 0

    Could you give more context? Header Anomalies only protect from attacks using "Your Domain". So assuming DomainA.com etc. are your domains, correct? 

    See Policy: 

    If this is actually just a Spam Email: Do you have Time of Click active? Did this tool pick up the URL? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hi LuCar Toni,

    That is correct domainA.com, domainB.com and domainC,com are substitutes for our domains.

    Support first conclusion was that our policy settings were correct and the email should have been rejected or at least quarantined. Last email was that I should report it as a false positive and set the VIP management for these info@domains shared mailboxes. 

    IMHO that is BS. It is a] not a false positive and b] the sender does not impersonate the shared mailbox adress but a none exsting domain adres. 

    Log:

    Policy

    The sender domain does not fail spf or dmarc as it uses it's own domain e-mail server and IP adress and has no spf or dmarc records published. 

    The problem I have is that header anomalies does not see this as an anomaly:

     From: =?UTF-8?B?RGl2ZXF1aXBtZW50IERvY3VtZW50IENlbnRlcg==?= <secured_file55916@domainC.com> 

    To the user it appears as if this was send from our domain. The spammer could have used an existing email to make it look more trustworthy. We are using smart banners so they kwow it was received from outside. 

    IMO it is a fairly simple anti-spam measure to check if the sender from uses one of our domain, check that against our spf and dmarc settings and conclude that it is a header anomaly and should be rejected or at least quarantined. 

    Chronology on january 20th the email to domanA.com was quarantined for a malicious url and to domainB.com as spam. When received again this same email on the 25th it was this time delivered succesfully by Sophos Email to domanB.com and to domainC.com without a quarantine or detecting. 

    We are seeing an uptick of fraud email messages some even from customers whose Ms Cloud accounts are hacked. So we are cautious. 

    Policy settings:

     

    The e-mails were deleted by the users. I have no Endpoint X notifications of the users visiting a malicious site. 

    Regards,

    Fred

  • 0 in reply to Rose Rogers

    Looks like a sales description copied and pasted. 

    Problem is Sophos Central Email Security doesn't work as it should. I have created a new ticket and had to re-enable Sophos Sophos - Remote Assitance now twice while support hasn't done anything,

  • 0 in reply to Fred_B

    Seems like a Spam Reply. Do you have a ticket ID? can help here. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hi LuCar Toni, 

    The ticket is 05122960. 

    Sophos needs to fix the logic. They need to check the sender IP and helo against the SPF and DMARC settings ot the FROM email domain. If they don't match, apply the SPF and DMARC settings,

    Any outside e-mail with a from domain corresponding to a protected own domain, not matching spf and dmarc should be treated as a header anomaly.

    malicious email should ofcourse be detected.

    Thanks,

    Fred

  • 0 in reply to LuCar Toni

    Hi and ,

    The case 05122960. has been closed again by Sophos Support without doing or communicating anything. The only thing they occasionaly did is check if Sophos Assistance on Central was still enabled and send a request to enable it again. Happened multiple times.

    As a workaround I am blacklisting (sometimes whole ranges) of mail server IP adresses that impersonate us. That stopped most.

    Not that they stop trying, yesterday we received an outside email request to purchase something in the name of the director. Luckily it was not using our email domain so he rang the director to check. If it had used our email domain and was allowed tru the question is if the manager would have doubted the e-mail.

    Regards,

    Fred

  • +1 in reply to Fred_B

    Hello Fred,

    I checked on your case, and Support sent you an email on Jun 23, telling you about some updates, however, there was no reply from your end, or after 3 follow-up emails. 

    In that email, they’re asking you to check a configuration related to the Allow List that might be conflicting with your SPF check.

    Additionally, they provided the following KB , for the error below:

    Results - PermError SPF Permanent Error: Too many DNS lookups

    Did you get a change to read that email?

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Unfiltered HTML