This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Stop Spoofed mail from FakeMail websites

Hi,

We are using Sophos UTM 9.204-20 and have the EMail Protection Module.

Mail generated using spoofing websites like from emkei.cz and deadfake.com is being allowed to pass through. I tried spoofing our own domain as well as another domain. It is always being allowed to pass through. We have everything switched on in AntiSpam (ie: RDNS, BATV, RBL, Greylisting, SPF check), and it still is being allowed to pass.

The only solution is to Blacklist the whole domain (ex: Blacklist emkei.cz), but I hardly call that a solution as I don't know every domain that can be used to spoof senders and spoofed mail can really come from anywhere.

Is there a way to block these? I would have thought that a RDNS check would have instantly blocked these, but somehow they are being allowed.

This thread was automatically locked due to age.

0 BAlfson over 10 years ago

Hi, Robert, and welcome to the User BB!

Please show the SMTP log file lines related to one of these emails that was allowed to pass.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 robert.micallef over 10 years ago

Hi Bob,

I uploaded a screenshot of one of these lines. It doesn't show much though. This was sent from deadfake.com.

Thanks,
Robert
Cancel
Vote Up 0 Vote Down

Cancel
0 vilic over 10 years ago

If you want to prevent spoofed external mail for your domain put the *@yourdomain.com in Blacklisted address patterns for incoming SMTP sessions in Antispam tab.
Cancel
Vote Up 0 Vote Down

Cancel
0 robert.micallef over 10 years ago

Hi vilic,

Thanks a lot for the suggestions. It would never have crossed my mind to actually blacklist our own domain. We have left it a day running and it worked perfectly. Some minor problems here and there (due to incorrectly configured automated alerts) but it worked.

Thanks a lot! Much appreciated.
Cancel
Vote Up 0 Vote Down

Cancel
0 thastu over 9 years ago in reply to robert.micallef

Hi Vilic [:)]
Im also geting same issue.And as per your suggestion if i put my domain name in blacklist it will block my domain also right?

Thanks
Thastu
Cancel
Vote Up 0 Vote Down

Cancel
0 thastu over 9 years ago in reply to thastu

Any body help me for this issue im screwd by my customer
Cancel
Vote Up 0 Vote Down

Cancel
0 robert.micallef over 9 years ago in reply to thastu

Hi thatsu blacklisting your own domain should work because e-mails coming from your clients should authenticate against your mail server and hence originate from inside and not come from outside.
Cancel
Vote Up 0 Vote Down

Cancel
0 MentalMickey over 9 years ago

I'm puzzled why SPF doesn't work for you. Is your SPF setup correctly?

We have a setup that requires a number of external locations to send email on our behalf so the only way to defend ourselves is by using SPF. If it's not listed in our own DNS SPF record then it doesn't get allowed in.

To ensure we have a consistent record we replicate the SPF record onto our internal DNS servers so any DNS query returns the correct information.

We see a lot of fake senders and SPF sorts them out no problem.
Cancel
Vote Up 0 Vote Down

Cancel
0 JimKoerner over 9 years ago

Actually looks like I posted almost the same question.
https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/49949

SPF only helps with the MAIL FROM(envelope sender address) in the P1 header and not the FROM(header sender address) in the p2 header. In my case SPF is picking off impersonation in the MAIL FROM but users will get emails that look like they came from themselves. If I look at the envelope header the mail came from a legit server so SPF doesn't help.
Cancel
Vote Up 0 Vote Down

Cancel
0 MentalMickey over 9 years ago in reply to JimKoerner

Actually looks like I posted almost the same question.
https://www.astaro.org/gateway-products/mail-protection-smtp-pop3-antispam-antivirus/59261-block-emails-spoofed-p2-headers.html

SPF only helps with the MAIL FROM(envelope sender address) in the P1 header and not the FROM(header sender address) in the p2 header. In my case SPF is picking off impersonation in the MAIL FROM but users will get emails that look like they came from themselves. If I look at the envelope header the mail came from a legit server so SPF doesn't help.

Ahh, I see that now. Quite sneaky that. Must have a poke around and see what happens when I do that on another system.
Cancel
Vote Up 0 Vote Down

Cancel