
Spoofed Mails, Blacklisted

Hello everyone!

I'm struggling with "spoofed eMail" at a customer's site.

They receive email from outside their company with spoofed addresses (e.g. CFO fraud).

To get rid of these messages I blacklisted the domain at "MailProtection - SMTP - AntiSpam - Sender Blacklist" as "*.abc.com".

In terms of spoofed eMails this is working very well. But...

With these settings the PoD, Reports, etc. are being blocked as well. 

The SMTP Proxy log shows:

2018:12:11-16:18:49 sg01 exim-in[31884]: 2018-12-11 16:18:49 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="127.0.0.1" from="sg@abc.com to="user@abc.com" size="636" reason="sender_blacklist" extra="sg@abc.com
2018:12:11-16:18:49 sg01 exim-in[31884]: 2018-12-11 16:18:49 H=localhost [127.0.0.1]:55949 F=<sg@abc.com> rejected RCPT <user@abc.com: Access denied (sender blacklisted)
2018:12:11-16:18:49 sg01 exim-in[31884]: 2018-12-11 16:18:49 SMTP connection from localhost [127.0.0.1]:55949 closed by DROP in ACL
2018:12:11-16:18:52 sg01 exim-in[5352]: 2018-12-11 16:18:52 SMTP connection from [127.0.0.1]:55952 (TCP/IP connection count = 1)

I tried to configure an exception at "eMailProtection - SMTP - Exceptions" to skip RBL, RDNS, BATV, but since the Sophos UTM uses 127.0.0.1 as host IP address I cannot use it as source host.

Another idea, changing the Administrator's email address at "Management - System Settings - Organization Information" to a local domain, didn't change the sender's mail address for the report, PoD, etc. - even after a reboot.

Could someone point me to the "right" direction?

Thanks a lot in advance!

Cheers,

Mike

  • Hello Mike and welcome to the UTM Community!

    The default sender address is do-not-reply@fw-notify.net.  It appears that someone has changed that to sg@abc.com.  I recommend maintaining the default.  Does the problem disappear if you change back to the default on the 'Global' tab of 'Management >> Notifications'?

    Cheers - Bob

    PS Note that it's impossible to stop all spoofs.  The UTM only stops blacklisted senders based on the MAIL FROM command during the establishment of the SMTP conversation.  The content of the "From:" field is a part of the DATA and is not tested.  For example (what I type):

    secure:/root # telnet gmail-smtp-in.l.google.com 25
    Trying 173.194.68.26...
    Connected to gmail-smtp-in.l.google.com.
    Escape character is '^]'.
    220 mx.google.com ESMTP e13si185636qth.59 - gsmtp
    EHLO somedomain.com
    250-mx.google.com at your service, [54.209.14.114]
    250-SIZE 157286400
    250-8BITMIME
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-CHUNKING
    250 SMTPUTF8
    MAIL FROM:<info@somedomain.com>
    250 2.1.0 OK e13si185636qth.59 - gsmtp
    RCPT TO:<someone@gmail.com>
    250 2.1.5 OK e13si185636qth.59 - gsmtp
    DATA
    354  Go ahead e13si185636qth.59 - gsmtp
    From: spoofer@company.com
    Subject: I'm spoofing
    Please send me a gazillion Euros.
    .
    250 2.0.0 OK 1544561852 e13si185636qth.59 - gsmtp
    QUIT
    221 2.0.0 closing connection e13si185636qth.59 - gsmtp
    Connection closed by foreign host.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
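To make the point in the PS concrete: the check below compares the envelope sender (MAIL FROM) with the header From: of a message and shows which of the two a domain blacklist such as "*.abc.com" would catch. This is an added illustration, not UTM code; the sample message is constructed from the telnet session above, and the assumption that "*.abc.com" also covers abc.com itself is mine (it matches the log at the top of the thread).

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(address: str) -> str:
    """Return the lower-cased domain of 'Name <user@host>' or 'user@host'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def domain_matches(domain: str, pattern: str) -> bool:
    """Match a domain against a blacklist entry such as '*.abc.com'.
    Assumption (not taken from Sophos documentation): '*.abc.com' covers
    abc.com itself and any subdomain, as the thread's log suggests."""
    if pattern.startswith("*."):
        base = pattern[2:].lower()
        return domain == base or domain.endswith("." + base)
    return domain == pattern.lower()


def check_message(envelope_from: str, raw_message: str, blacklist):
    """Compare the MAIL FROM sender with the header From: and report
    which of the two the blacklist would reject. An envelope-only check
    (what the UTM sender blacklist does) never sees the header domain."""
    msg = message_from_string(raw_message)
    env_domain = domain_of(envelope_from)
    hdr_domain = domain_of(msg.get("From", ""))
    return {
        "envelope_domain": env_domain,
        "header_domain": hdr_domain,
        "aligned": env_domain == hdr_domain,
        "envelope_blacklisted": any(domain_matches(env_domain, p) for p in blacklist),
        "header_blacklisted": any(domain_matches(hdr_domain, p) for p in blacklist),
    }


# Constructed sample: the DATA from the telnet session, with a blank line
# between headers and body as RFC 5322 requires.
SPOOF = "From: spoofer@company.com\nSubject: I'm spoofing\n\nPlease send me a gazillion Euros.\n"
BLACKLIST = ["*.company.com"]

if __name__ == "__main__":
    # Spoof: envelope passes the blacklist, only the header domain is listed.
    print(check_message("info@somedomain.com", SPOOF, BLACKLIST))
    # Legitimate UTM report sent as sg@abc.com against a '*.abc.com' entry:
    # blocked on the envelope, which is exactly the symptom in the log above.
    print(check_message("sg@abc.com", "From: sg@abc.com\n\nReport\n", ["*.abc.com"]))
```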
  • Hello Bob,

    thank you for the reply!

    You were right - changing the email address at Management - Notifications changed things for good!

    In my opinion the only "real" solution for/against SPAM/Spoofing/Junk, etc would be pulling the plug ;-)

    Cheers,

    Mike

  • Hello all,

    Actually the most valid solution to counter spoof mail attacks is Sophos Email Appliance, and it could be resolved as described below:

    Sophos Email Appliance: How to block spoofed "From" names

    https://community.sophos.com/kb/en-us/134664

    Of course all necessary SPF DMARC DKIM and SSL Certificate should be in place either way.

    Cheers.
