This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Preventing phishing attack?

We've had someone impersonating an employee of our company through spear phishing attacks. It's clear to see that the email is originating from someone else, and I can easily blacklist those addresses, but they just start again with a new address. What I'd like to do is create a global rule that filters out anything from our real employee that does not have our email domain in the address. I'm having trouble putting together something that does this either in the firewall filter or the SMTP anti-spam settings. Any ideas for how to accomplish this?

This thread was automatically locked due to age.

Parents

0 MentalMickey over 9 years ago

Just setup SPF and add the record into your DNS then anything sent claiming to be you that isn't will get rejected.
Cancel
Vote Up 0 Vote Down

Cancel
0 steagle over 9 years ago in reply to MentalMickey

Just setup SPF and add the record into your DNS then anything sent claiming to be you that isn't will get rejected.

Hey Paul, SPF checking is already enabled in my UTM and I have a SPF record in my public DNS that specifies the allowed IP addresses for our email server. Could you provide an example of how you'd configure the SPF DNS record, so I can compare to mine?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 steagle over 9 years ago in reply to MentalMickey

Just setup SPF and add the record into your DNS then anything sent claiming to be you that isn't will get rejected.

Hey Paul, SPF checking is already enabled in my UTM and I have a SPF record in my public DNS that specifies the allowed IP addresses for our email server. Could you provide an example of how you'd configure the SPF DNS record, so I can compare to mine?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Ol Deda over 7 years ago in reply to steagle

In your DNS records, add a TXT with name @ and value

v=spf1 +a +mx +ip4:0.0.0.0 ~all

Replace 0.0.0.0 with your external IP

Do spf check in Mxtoolbox.com
Cancel
Vote Up 0 Vote Down

Cancel
0 Alexander Busch over 7 years ago in reply to Ol Deda

Unknown said:

In your DNS records, add a TXT with name @ and value

v=spf1 +a +mx +ip4:0.0.0.0 ~all

I would suggest the use of -a not ~a after you tested this. Because ~ (tilde) for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged. - (minus) for FAIL, the mail should be rejected.

Best

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel
0 Ol Deda over 7 years ago in reply to Alexander Busch

Alexander Busch said:

I would suggest the use of -a not ~a after you tested this. Because ~ (tilde) for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged. - (minus) for FAIL, the mail should be rejected.

Best

Alex

Changing that. I didn't know that. Thank You
Cancel
Vote Up 0 Vote Down

Cancel
0 Ol Deda over 7 years ago in reply to Ol Deda

Here:
Cancel
Vote Up 0 Vote Down

Cancel
0 offn over 7 years ago in reply to Alexander Busch

But even "-all" will not solve the problem, because "from" is not intercepted by SPF (only "mail from")...
Cancel
Vote Up 0 Vote Down

Cancel
0 Ol Deda over 7 years ago in reply to offn

I dont think so. Maybe you dont checked "Strict RDNS"

Show as some logs from SMTP and Mail manager
Cancel
Vote Up 0 Vote Down

Cancel
0 offn over 7 years ago in reply to Ol Deda

"strict rdns" is active

the example in this feature request

http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/9893775-in-anti-spam-expression-check-everything-after-da

describes the behaviour
Cancel
Vote Up 0 Vote Down

Cancel
0 Ol Deda over 7 years ago in reply to offn

Voted
Cancel
Vote Up 0 Vote Down

Cancel
0 alif amirul over 6 years ago in reply to Ol Deda

so it is working?
Cancel
Vote Up 0 Vote Down

Cancel