Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 17 subscribers
  • Views 5651 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Header Anomaly - two different mailserver - same domain

Speedfish

is there a way to verify a 2nd mailserver as trusted without getting header anomaly triggered?

We got an external mail service (Amazon SES) for sending mail batches for newsletter etc.
Some of those mails will be send towards internal which tiggers a header anomaly in sophos central caused by the same domain and two different mailservers.

Our goal is that we wanna harden our mail base policy and send these mails header anomaly into quarantine.

Internal Mailserver: @abc123.com
External Mailserver: newsletter@abc123.com

We configured DKIM aswell but it won't get rid of header anomaly internally.

Any ideas how to solve or improve our settings?

Thanks for your input



This thread was automatically locked due to age.
Parents
  • 0

    There are a number of ways to handle this. Easiest and the way I would recommend is create a separate Email Security policy where the sender is newletter@abc123.com in the External tab and turn off Header Anomaly for that policy. The only time that policy will match is when the sender is newsletter@abc123.com.

  • 0 in reply to Tom Foucha

    Thanks for your response and idea.
    As soon that "exclusion" gets known then somone else can exploit it, right?

  • 0 in reply to Speedfish

    That is a risk but if all you are relying on is Header Anomaly for email protection then you are missing the value of the product. You also haven't stated whether your newsletter provider is a permitted sender in your SPF record which would combat the spoof attempt or whether you have done due diligence and have a DMARC record properly setup. You did mention DKIM but as you stated it doesn't solve for internal but I would also assume you've provided a DKIM key to the vendor sending on your behalf. So email security like other security technologies should not be dependent on 1 single engine but a multiple engines that make scoring decisions based on multiple factors to determine the authenticity of a message. 

  • 0 in reply to Tom Foucha

    Okay true thanks for your comment.
    I would like to configure it like you mention above. I also tried it already but the mail always appears in the quarantine now.
    Do you have any idea why so?

    I got 2 policies now.

    On top is the new one which I configured like you showed: I added the newsletter adresse and I put header anomaly tagged as banner

    in the 2nd base policy I switched it from tagged as banner to move into quarantine.

    Both rules are enforced.

    So I thought its top down now.

Reply
  • 0 in reply to Tom Foucha

    Okay true thanks for your comment.
    I would like to configure it like you mention above. I also tried it already but the mail always appears in the quarantine now.
    Do you have any idea why so?

    I got 2 policies now.

    On top is the new one which I configured like you showed: I added the newsletter adresse and I put header anomaly tagged as banner

    in the 2nd base policy I switched it from tagged as banner to move into quarantine.

    Both rules are enforced.

    So I thought its top down now.

Children
Unfiltered HTML