
SPF reject messages flooding impersonated victim

We have this scenario:

  • Bad actor uses some mail server: 192.0.2.25
  • Bad actor attempts to impersonate our CEO: ceo@example.com (spoofed)
  • Bad actor sends e-mails to our finance department and others: ceo@example.com > finance@example.com, ceo@example.com > hr@example.com, ...
  • Bad actor's mails get rejected by our UTM, because our own domain example.com does not list 192.0.2.25 as a legitimate sender
  • Our UTM notifies the sending mail server 192.0.2.25 about the rejected e-mail (due to SPF record checks)
  • Mail server 192.0.2.25 sends "Undelivered Mail Returned to Sender" to ceo@example.com
  • Our CEO gets flooded by those reject messages

Is there any way to utilize UTM to get rid of those reject notification floods?

Just to be clear: We are fully aware that in the scenario above, the mail server 192.0.2.25 is misconfigured (and probably hijacked by bad actors). Our published SPF records yield the desired result and the SPF checking of our UTM works as intended.

The problem is the backscatter that floods the impersonated victim.
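The scenario above describes how the backscatter arises: the UTM rejects the spoofed message at SMTP time, so the third-party server that accepted it generates the NDR, and that NDR is addressed to the spoofed sender, who never sent anything. The following is an added example, not code from this thread or from Sophos UTM, showing how an inbound-mail filter could recognise such bounces: it treats a message as a delivery status notification (RFC 3464 `multipart/report` with `report-type=delivery-status`), pulls out the embedded original, and checks whether the IP the bouncing MTA received that original from is authorised by our SPF record. The domain, the SPF record (only `ip4:` terms are evaluated; `include:`, `a` and `mx` resolution is out of scope), the host names and the NDR text are constructed for the example; the thread only states that 192.0.2.25 is not an authorised sender for example.com.

```python
"""Triage inbound NDRs: is this a legitimate bounce of our own mail, or
backscatter from a spoof that a remote MTA rejected on SPF grounds?
Added example with constructed data; not code from the thread or from Sophos UTM."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Assumed values. The thread only says 192.0.2.25 is NOT authorised for example.com;
# this SPF record is constructed for the example.
OUR_DOMAIN = "example.com"
OUR_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all"

# Bracketed client IP as MTAs write it into a Received: header, e.g. "([192.0.2.25])".
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def spf_ip4_networks(spf_record):
    """Return the ip4: mechanisms of an SPF record as ip_network objects (ip4 only)."""
    return [ipaddress.ip_network(term[4:], strict=False)
            for term in spf_record.split() if term.startswith("ip4:")]


def ip_authorized(ip, spf_record=OUR_SPF):
    """True if ip falls inside one of the record's ip4: networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf_ip4_networks(spf_record))


def is_ndr(msg):
    """RFC 3464 delivery status notification: multipart/report, report-type=delivery-status."""
    return (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status")


def embedded_original(ndr):
    """Return the bounced original embedded in the NDR (full message or headers only)."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload()[0]          # payload is a one-element list
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def originating_ip(msg):
    """IP from the earliest (last-listed) Received: header, i.e. the host that handed
    the original to the MTA that later bounced it."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _RECEIVED_IP.search(received[-1])
    return m.group(1) if m else None


def classify_bounce(raw):
    """Classify a raw inbound message addressed to one of our users."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_ndr(msg):
        return "not-an-ndr"
    orig = embedded_original(msg)
    if orig is None:
        return "ndr-without-original"
    _, addr = parseaddr(str(orig.get("From", "")))
    if addr.rpartition("@")[2].lower() != OUR_DOMAIN:
        return "ndr-for-foreign-sender"
    ip = originating_ip(orig)
    if ip is None:
        return "ndr-unknown-origin"
    # A bounce of mail that really left our infrastructure comes from an SPF-authorised
    # IP; a bounce of a spoof sent via an unauthorised host is backscatter.
    return "legitimate-bounce" if ip_authorized(ip) else "backscatter"


def build_ndr(origin_ip, from_addr="ceo@example.com"):
    """Constructed NDR modelled on the thread: a third-party MTA bounces a message
    claiming to be from our CEO back to that address. Host names are invented."""
    return f"""\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.third-party.example>
To: {from_addr}
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="ndr1"

--ndr1
Content-Type: text/plain; charset=us-ascii

Your message could not be delivered to one or more recipients.

--ndr1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.third-party.example

Final-Recipient: rfc822; finance@example.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 SPF check failed

--ndr1
Content-Type: message/rfc822

Received: from client.example.net ([{origin_ip}])
	by mx.third-party.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: CEO <{from_addr}>
To: finance@example.com
Subject: Please review
Message-ID: <constructed-1@example.com>

Please review the attached document.

--ndr1--
"""


if __name__ == "__main__":
    print(classify_bounce(build_ndr("192.0.2.25")))   # backscatter
    print(classify_bounce(build_ndr("203.0.113.5")))  # legitimate-bounce
```

The classifier deliberately stops short of a verdict on NDRs whose embedded original lacks a usable Received: header; those need a different signal (for instance a tagged envelope sender on outbound mail) and quarantining them blindly would also drop genuine bounces.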
  • The out-of-office problem is caused by a Microsoft bug, because Exchange sends these messages not as regular reply mails but as NDRs on the protocol level.

    We ran into this problem often until our mail routing was moved away from Sophos to a central mail management in our company. The Cisco solution that runs there seems to handle this issue.