Header Anomaly - two different mailserver - same domain

is there a way to verify a 2nd mailserver as trusted without getting header anomaly triggered?

We got an external mail service (Amazon SES) for sending mail batches for newsletter etc.
Some of those mails will be send towards internal which tiggers a header anomaly in sophos central caused by the same domain and two different mailservers.

Our goal is that we wanna harden our mail base policy and send these mails header anomaly into quarantine.

Internal Mailserver: @abc123.com
External Mailserver: newsletter@abc123.com

We configured DKIM aswell but it won't get rid of header anomaly internally.

Any ideas how to solve or improve our settings?

Thanks for your input

Added TAGs
[edited by: Raphael Alganes at 2:37 PM (GMT -7) on 24 Apr 2024]

Top Replies

Tom Foucha 11 days ago +1

There are a number of ways to handle this. Easiest and the way I would recommend is create a separate Email Security policy where the sender is newletter@abc123.com in the External tab and turn off Header…

Parents

0 Tom Foucha 11 days ago

There are a number of ways to handle this. Easiest and the way I would recommend is create a separate Email Security policy where the sender is newletter@abc123.com in the External tab and turn off Header Anomaly for that policy. The only time that policy will match is when the sender is newsletter@abc123.com.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Speedfish 11 days ago in reply to Tom Foucha

Thanks for your response and idea.
As soon that "exclusion" gets known then somone else can exploit it, right?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Tom Foucha 11 days ago in reply to Speedfish

That is a risk but if all you are relying on is Header Anomaly for email protection then you are missing the value of the product. You also haven't stated whether your newsletter provider is a permitted sender in your SPF record which would combat the spoof attempt or whether you have done due diligence and have a DMARC record properly setup. You did mention DKIM but as you stated it doesn't solve for internal but I would also assume you've provided a DKIM key to the vendor sending on your behalf. So email security like other security technologies should not be dependent on 1 single engine but a multiple engines that make scoring decisions based on multiple factors to determine the authenticity of a message.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Speedfish 11 days ago in reply to Tom Foucha

Okay true thanks for your comment.
I would like to configure it like you mention above. I also tried it already but the mail always appears in the quarantine now.
Do you have any idea why so?

I got 2 policies now.

On top is the new one which I configured like you showed: I added the newsletter adresse and I put header anomaly tagged as banner

in the 2nd base policy I switched it from tagged as banner to move into quarantine.

Both rules are enforced.

So I thought its top down now.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Tom Foucha 11 days ago in reply to Speedfish

makes sure you are entering envelope sender in the External list.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Tom Foucha 11 days ago in reply to Speedfish

It's always Top Down First rule it hits gets applied. In your example newsletter@abc123.com is likely the From address not the envelope sender address.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Tom Foucha 11 days ago in reply to Speedfish

It's always Top Down First rule it hits gets applied. In your example newsletter@abc123.com is likely the From address not the envelope sender address.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Speedfish 11 days ago in reply to Tom Foucha

the envelope sender address for amazon Simple Email Service does always seems to switch randomly.
any ideas what I can do here?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Speedfish 11 days ago in reply to Tom Foucha

Always lands in the quarantine
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel