
Header Anomaly - two different mailserver - same domain

Is there a way to verify a 2nd mail server as trusted without getting Header Anomaly triggered?

We have an external mail service (Amazon SES) for sending mail batches for newsletters etc.
Some of those mails will be sent towards internal recipients, which triggers a Header Anomaly in Sophos Central caused by the same domain and two different mail servers.

Our goal is to harden our mail base policy and send these Header Anomaly mails into quarantine.

Internal Mailserver: @abc123.com
External Mailserver: newsletter@abc123.com

We configured DKIM as well, but it won't get rid of the Header Anomaly internally.

Any ideas on how to solve this or improve our settings?

Thanks for your input



Added TAGs
[edited by: Raphael Alganes at 2:37 PM (GMT -7) on 24 Apr 2024]
  • There are a number of ways to handle this. The easiest, and the way I would recommend, is to create a separate Email Security policy where the sender is newsletter@abc123.com in the External tab and turn off Header Anomaly for that policy. The only time that policy will match is when the sender is newsletter@abc123.com.

  • Thanks for your response and idea.
    As soon as that "exclusion" gets known, someone else can exploit it, right?

  • That is a risk, but if all you are relying on is Header Anomaly for email protection then you are missing the value of the product. You also haven't stated whether your newsletter provider is a permitted sender in your SPF record, which would combat the spoof attempt, or whether you have done due diligence and have a DMARC record properly set up. You did mention DKIM, but as you stated it doesn't solve for internal; I would also assume you've provided a DKIM key to the vendor sending on your behalf. So email security, like other security technologies, should not be dependent on one single engine but on multiple engines that make scoring decisions based on multiple factors to determine the authenticity of a message.
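The SPF and DMARC checks the reply above refers to, as an added example that is not part of the thread or of any Sophos product: a small evaluator over constructed DNS TXT records for the placeholder domain abc123.com and a hypothetical newsletter-provider.example include target, which decides whether a connecting IP is a permitted sender and what disposition the published DMARC policy asks for when neither aligned SPF nor DKIM passes.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups (placeholder domains,
# not real records): the company domain authorises its own mail server and the
# newsletter provider via include:, and publishes a DMARC quarantine policy.
DNS_TXT = {
    "abc123.com": ["v=spf1 ip4:203.0.113.10 include:newsletter-provider.example -all"],
    "newsletter-provider.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.abc123.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@abc123.com"],
}

def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    recs = [r for r in DNS_TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def spf_check(ip, domain, lookups=None):
    """Evaluate SPF for a connecting IP: pass/fail/softfail/neutral/none/permerror."""
    lookups = lookups if lookups is not None else [0]
    rec = spf_record(domain)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
        if mech == "all":
            return result
        if mech.startswith(("ip4:", "ip6:")):
            # ip4/ip6 mismatches simply do not match; a bare host address is a /32 or /128
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return result
        elif mech.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > 10:            # RFC 7208 limit on DNS-querying mechanisms
                return "permerror"
            if spf_check(ip, mech[8:], lookups) == "pass":
                return result
    return "neutral"                       # no mechanism matched and no "all" term

def dmarc_policy(domain):
    """Parse the _dmarc TXT record into tag/value pairs (the p= tag is the policy)."""
    for rec in DNS_TXT.get(f"_dmarc.{domain}", []):
        if rec.startswith("v=DMARC1"):
            return dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
    return {}

def dmarc_disposition(ip, from_domain, dkim_aligned_pass):
    """Receiver-side decision: deliver on aligned SPF or DKIM pass, else apply p=."""
    if spf_check(ip, from_domain) == "pass" or dkim_aligned_pass:
        return "deliver"
    return dmarc_policy(from_domain).get("p", "none")
```

With these records the provider's 198.51.100.0/24 range passes SPF through the include, while an unlisted source with no aligned DKIM signature falls to the DMARC "quarantine" policy.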
