We are using UTM as our mail gateway, lately, a lot of our users have received spoofing emails that appear from themself.
We use emailspooftest dotcom site to test our mail servers, and it detects the problem was
Internal authentication is not enforced.Fix: On inbound email gateways, only allow specific IP addresses to send mail from internal domains or force an auth challenge for internal domains. This is typically a relay setting.
Could anyone suggest how to fix this problem in Sophos?
We have SPF check enabled, it seems that Sophos UTM doesn't enforce relay authentication check, which makes our server an open relay.
This is the spoofing email header that looks like
Received: from EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) by EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8 via Mailbox Transport; Wed, 4 May 2022 04:16:58 +1000 Received: from EX2016-MDB-AN.MYDOMAIN.Hosted (10.2.2.129) by EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8; Wed, 4 May 2022 04:16:58 +1000 Received: from ip-1xxxxxxxx-2.compute.internal (10.2.6.109) by EX2016-MDB-AN.MYDOMAIN.Hosted (10.2.2.129) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.8 via Frontend Transport; Wed, 4 May 2022 04:17:40 +1000 Received: from [10.2.6.120] (helo=mail.MYDOMAIN.net) by ip-1xxxxxxxx-2.compute.internal with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <lxxxxx@xxxxx.com>) id 1nlx5g-0003dL-JJ for lxxxxx@xxxxx.com; Wed, 04 May 2022 04:17:40 +1000 Received: from mail.ghfhgdg.com ([85.239.34.13]:33068) by mail.MYDOMAIN.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <lxxxxx@xxxxx.com>) id 1nlx5X-00057p-2m for lxxxxx@xxxxx.com; Wed, 04 May 2022 04:17:32 +1000 Received: from ip63.ip-51-91-202.eu ([51.91.202.63]:53416 helo=galsan.com) by mail.ghfhgdg.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <lxxxxx@xxxxx.com>) id 1nlx5V-0007v8-Vs for lxxxxx@xxxxx.com; Tue, 03 May 2022 21:17:28 +0300 X-SASI-Hits: BODYTEXTH_SIZE_3000_MORE 0.000000, BODYTEXTP_SIZE_3000_LESS 0.000000, BODYTEXTP_SIZE_400_LESS 0.000000, BODY_SIZE_10000_PLUS 0.000000, BODY_SIZE_25K_PLUS 0.000000, EXCESSIVE_SUBDOMAINS7 3.000000, FRAUD_ATTACH 0.050000, FROM_NAME_ALLCAPS 0.100000, FROM_RCPT_DOMAIN_NOT_IN_RCVD 0.000000, FROM_SAME_AS_TO_DOMAIN 0.000000, HTML_90_100 0.100000, HTML_95_100 0.100000, IMGSPAM_TABLE_1 0.000000, NO_FUR_HEADER 0.000000, NO_URI_HTTPS 0.000000, OUTBOUND 0.000000, OUTBOUND_SOPHOS 0.000000, SENDER_NO_AUTH 0.000000, SINGLE_HREF_URI_IN_BODY 0.000000, SINGLE_HREF_URI_WITH_EMAIL 0.000000, __ANY_URI 0.000000, __ATTACHMENT_PHRASE 0.000000, __BODY_NO_MAILTO 0.000000, __BULK_NEGATE 0.000000, __CSHC_NS_B_FN_FA 0.000000, __CT 0.000000, __CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000, __CTYPE_MULTIPART_ALT 0.000000, __DATA_URL_SCHEME 0.000000, __DATE_TZ_HK 0.000000, __DQ_NEG_DOMAIN 0.000000, __DQ_NEG_HEUR 0.000000, __DQ_NEG_IP 0.000000, __EXCESSIVE_SUBDOMAINS6 0.000000, __EXCESSIVE_SUBDOMAINS7 0.000000, __FAX_BODY 0.000000, __FILESHARE_PHRASE 0.000000, __FRAUD_ANTIABUSE 0.000000, __FROM_DOMAIN_IN_ANY_TO1 0.000000, __FROM_DOMAIN_IN_RCPT 0.000000, __FROM_NAME_NOT_IN_ADDR 0.000000, __FROM_NAME_NOT_IN_BODY 0.000000, __FUR_RDNS_SOPHOS 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000, __HAS_MSGID 0.000000, __HTML_AHREF_TAG 0.000000, __HTML_BAD_END 0.000000, __HTML_TAG_CENTER 0.000000, __HTML_TAG_IMG_X2 0.000000, __HTML_TAG_TABLE 0.000000, __IMGSPAM_TABLE_1 0.000000, __IMG_THEN_TEXT 0.000000, __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000, __MULTIPLE_URI_TEXT 0.000000, __OUTBOUND_SOPHOS_FUR 0.000000, __OUTBOUND_SOPHOS_FUR_IP 0.000000, __OUTBOUND_SOPHOS_FUR_RDNS 0.000000, __PHISH_PHRASE10_D 0.000000, __RCPT_DOMAIN_IS_FROM_DOMAIN 0.000000, __SANE_MSGID 0.000000, __SUBJ_ALPHA_END 0.000000, __TAG_EXISTS_HTML 0.000000, __TO_DOMAIN_IN_FROM 0.000000, __TO_DOMAIN_IN_MSGID 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000, __URI_EMAIL_IN_QUERY 0.000000, __URI_IN_BODY 0.000000, __URI_MAILTO 0.000000, __URI_NOT_IMG 0.000000, __URI_NO_PATH 0.000000, __URI_NO_WWW 0.000000, __URI_NS 0.000000, __URI_WITHOUT_PATH 0.000000 X-SASI-Probability: 30% X-SASI-RCODE: 200 X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2022.5.3.173622 From: HOA ORDERS <lxxxxx@xxxxx.com> To: <lxxxxx@xxxxx.com> Subject: Requested HOA Letter Date: Wed, 4 May 2022 02:17:27 +0800 Message-ID: <20220504021727.BFD45D6D250BF3FA@xxxxx.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0012_1F95ED89.02DDA1DF" X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - mail.ghfhgdg.com X-AntiAbuse: Original Domain - xxxxx.com X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - xxxxx.com X-Get-Message-Sender-Via: mail.ghfhgdg.com: authenticated_id: dennis@ghfhgdg.com X-Authenticated-Sender: mail.ghfhgdg.com: dennis@ghfhgdg.com X-Source: X-Source-Args: X-Source-Dir: Return-Path: lxxxxx@xxxxx.com X-MS-Exchange-Organization-Network-Message-Id: 2be4961d-c269-4b3a-e3f4-08da2d3135da X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0 X-MS-Exchange-Organization-AuthSource: EX2016-MDB-AN.MYDOMAIN.Hosted X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.008
Are you sure that you have -all instead of ~all in your DNS SPF record?
Cheers - Bob