

E-mail Gateway malicious url e-mail allowed through


We have received an e-mail using an alias/send-as from one of our domains. The e-mail was allowed through and leads to a malicious URL. We have enabled the setting in E-mail Security to reject e-mails that impersonate one of our domains:

Header anomalies
Email that appears to come from your own domain, but originates externally

Now it wasn't rejected, but as this sender does not match our SPF or DMARC we feel it should have been quarantined next. It wasn't, not as far as I can see in the logs, as they only say "delivered successfully".

Sophos Support claims it is a false positive and that I should send it to SophosLabs. I can't do anything with such support answers.

Questions: is a send-as/alias from a non-domain e-mail address using a send-as/alias of one of our e-mail domains not picked up by:

a] Header anomalies?

b] SPF and DMARC settings?

Regards,

Fred



[edited by: Raphael Alganes at 5:59 AM (GMT -7) on 7 Jun 2023]

  • I checked the logs again to see if I reported the messages to SophosLabs as spam, which I did. This time I used a wider date search and found that up to January 20th this identical e-mail, same subject, same content and same sender, was quarantined once as a malicious URL sent to our info@domainA.com and once deleted as spam sent to our info@domainB.com. Now, 5 days later, it was sent again on January 25th to info@domainC.com and again to info@domainB.com. This time both show "delivered successfully" in the e-mail logs.

    We have not changed any of our settings in that period.

    On January 25th I added the IP address to the general block list to prevent receiving any more of these e-mails from that sender.


  • It seems that this From is not picked up correctly as an anomaly: From: =?UTF-8?B?RGl2ZXF1aXBtZW50IERvY3VtZW50IENlbnRlcg==?= <secured_file55916@domainC.com>

    The sender has no SPF or DMARC and nothing suggests it is spam other than the alias/send-as in the From. IMO this should have been treated as a header anomaly and rejected.
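The two checks the thread discusses, "own domain in From: but arrived from outside" and "no SPF/DMARC pass for our own domain", can be expressed directly against the message headers. The script below is an added example for this thread, not Sophos code and not the gateway's actual logic: it decodes the RFC 2047 display name from the quoted From: line, pulls the From domain, reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header, finds the IP that handed the message to our MX, and returns reject/quarantine/deliver. The domains, hostnames, IP ranges and both sample messages are constructed placeholders; the second sample shows the legitimate case (own relay, DMARC pass) that must still be delivered.

```python
# Added example (not Sophos code): "own domain from external source" and
# SPF/DMARC checks applied to constructed messages whose From: line mirrors
# the one quoted in the thread. All domains, hosts and IPs are placeholders.
import email
import ipaddress
import re
from email import policy

# Assumed: the domains we own and the networks allowed to send as them.
OUR_DOMAINS = {"domaina.com", "domainb.com", "domainc.com"}
TRUSTED_SOURCE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample: external host sends as our domain with no SPF/DMARC.
SPOOFED = b"""Received: from mail.example.net (mail.example.net [203.0.113.5])
 by mx.domainc.com with ESMTP; Wed, 25 Jan 2023 09:00:00 +0000
Authentication-Results: mx.domainc.com;
 spf=none smtp.mailfrom=example.net;
 dkim=none;
 dmarc=none header.from=domainc.com
From: =?UTF-8?B?RGl2ZXF1aXBtZW50IERvY3VtZW50IENlbnRlcg==?= <secured_file55916@domainc.com>
To: info@domainc.com
Subject: Document

Please open the secured file.
"""

# Constructed sample: our own relay sends as our domain and DMARC passes.
LEGIT = b"""Received: from relay.domainc.com (relay.domainc.com [198.51.100.7])
 by mx.domainc.com with ESMTP; Wed, 25 Jan 2023 09:05:00 +0000
Authentication-Results: mx.domainc.com;
 spf=pass smtp.mailfrom=domainc.com;
 dkim=pass header.d=domainc.com;
 dmarc=pass header.from=domainc.com
From: Info <info@domainc.com>
To: info@domainb.com
Subject: Internal note

Hello.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def decode_from(msg):
    """Return (display_name, addr_spec). policy.default decodes the
    =?UTF-8?B?...?= encoded word in the display name for us."""
    addrs = msg["From"].addresses
    if not addrs:
        return "", ""
    return addrs[0].display_name, addrs[0].addr_spec.lower()


def parse_auth_results(msg):
    """Minimal reader for the MX's Authentication-Results header."""
    value = msg.get("Authentication-Results", "") or ""
    return {method: result.lower() for method, result in AUTH_RE.findall(str(value))}


def originating_ip(msg):
    """IP of the host that handed the message to our MX (topmost Received)."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = IP_RE.search(str(received[0]))
    return ipaddress.ip_address(m.group(1)) if m else None


def classify(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, addr = decode_from(msg)
    from_domain = addr.rpartition("@")[2]
    auth = parse_auth_results(msg)
    src = originating_ip(msg)
    from_us = from_domain in OUR_DOMAINS
    internal = src is not None and any(src in net for net in TRUSTED_SOURCE_NETS)

    reasons = []
    if from_us and not internal:
        reasons.append(f"header anomaly: From {addr} claims our domain but arrived from {src}")
    if from_us and auth.get("dmarc") != "pass":
        reasons.append(f"dmarc={auth.get('dmarc', 'missing')} for our own domain")
    if auth.get("spf") in {"none", "fail", "softfail", "permerror", "temperror"}:
        reasons.append(f"spf={auth['spf']}")

    # Own domain arriving from outside is rejected outright; any other
    # authentication problem is quarantined for review; else deliver.
    if from_us and not internal:
        verdict = "reject"
    elif reasons:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"display_name": display_name, "from_domain": from_domain,
            "source_ip": str(src), "auth": auth, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        result = classify(raw)
        print(label, result["verdict"], result["reasons"])
```

The decision hinges on the source IP, not on the Authentication-Results alone: a message with dmarc=none from a trusted relay is only quarantined, while the same header set from an external host claiming our domain is rejected. The encoded-word display name ("Divequipment Document Center" once decoded) is irrelevant to the verdict; only the addr-spec domain is compared, which is the comparison the "originates externally" rule has to make.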