New Sophos Support Phone Numbers in Effect July 1st, 2023

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 13 replies
  • Subscribers 15 subscribers
  • Views 4269 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

E-mail Gateway malicious url e-mail allowed through

Fred_B


we have received an e-mail using an alias/send as from one of our domains. The e-mail was allowed through and leads to a malicious url. We have enabled the setting in E-mail Security to reject e-mails that impersonate one of our domains: 

Header anomalies
Email that appears to come from your own domain, but originates externally

Now it wasn’t rejected but as this sender does not match our spf or dmarc we feel it should have been quarantined next. It didn’t, not as far as I can see in the logs as it only gives delivered successfully.

Sophos Support claims it is a false positive and that I should send it to Sophos Labs. I can’t do anything with such support answers.

Questions: is send as / alias from a non-domain email adress using a send as / alias of one of our e-mail domains not picked up by:

a] header anomalies?

b] spf and dmarc settings?

Regards,

Fred



Added tags
[edited by: Raphael Alganes at 9:11 AM (GMT -7) on 2 Jun 2023]
Parents
  • 0 in reply to Rose Rogers

    Looks like a sales description copied and pasted. 

    Problem is Sophos Central Email Security doesn't work as it should. I have created a new ticket and had to re-enable Sophos Sophos - Remote Assitance now twice while support hasn't done anything,

  • 0 in reply to Fred_B

    Seems like a Spam Reply. Do you have a ticket ID? can help here. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hi LuCar Toni, 

    The ticket is 05122960. 

    Sophos needs to fix the logic. They need to check the sender IP and helo against the SPF and DMARC settings ot the FROM email domain. If they don't match, apply the SPF and DMARC settings,

    Any outside e-mail with a from domain corresponding to a protected own domain, not matching spf and dmarc should be treated as a header anomaly.

    malicious email should ofcourse be detected.

    Thanks,

    Fred

  • 0 in reply to LuCar Toni

    Hi and ,

    The case 05122960. has been closed again by Sophos Support without doing or communicating anything. The only thing they occasionaly did is check if Sophos Assistance on Central was still enabled and send a request to enable it again. Happened multiple times.

    As a workaround I am blacklisting (sometimes whole ranges) of mail server IP adresses that impersonate us. That stopped most.

    Not that they stop trying, yesterday we received an outside email request to purchase something in the name of the director. Luckily it was not using our email domain so he rang the director to check. If it had used our email domain and was allowed tru the question is if the manager would have doubted the e-mail.

    Regards,

    Fred

Reply
  • 0 in reply to LuCar Toni

    Hi and ,

    The case 05122960. has been closed again by Sophos Support without doing or communicating anything. The only thing they occasionaly did is check if Sophos Assistance on Central was still enabled and send a request to enable it again. Happened multiple times.

    As a workaround I am blacklisting (sometimes whole ranges) of mail server IP adresses that impersonate us. That stopped most.

    Not that they stop trying, yesterday we received an outside email request to purchase something in the name of the director. Luckily it was not using our email domain so he rang the director to check. If it had used our email domain and was allowed tru the question is if the manager would have doubted the e-mail.

    Regards,

    Fred

Children
Unfiltered HTML