This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Block emails spoofed p2 headers

I am looking to block emails where the FROM in the P2 header is being spoofed using our email addresses. I can kill these off at the exchange server by removing the ms-exch-smtp-accept-authoritative-domain-sender on the Internet facing domain connector. Is there a way to kill these via "Email Protection"? If I add our domain in the "Sender Blacklist" does this look at the P2 header or only the P1 like SPF?

P1 header
mail from: someone@someotherdomain.com
rcpt to: user1@mydomain.com
data

P2 header
from: user1@mydomain.com (problem)
to: user2@mydomain.com
Subject: P1 and P2 headers are different
The P1 and P2 headers will be different in this message.

Thanks,
Jim

This thread was automatically locked due to age.

Parents

0 DouglasFoster over 7 years ago

You should be aware that a vast amount of legitimate mail is sent by third party services, and in most of those cases the P1 and P2 domains will not match.

Technically, the P1 information is supposed to be the identity of the user account which generated the message. At some websites, if it knows you by your email address, and you use it to generate an email, it may send with your email address as P1. I have given up on SPF.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 DouglasFoster over 7 years ago

You should be aware that a vast amount of legitimate mail is sent by third party services, and in most of those cases the P1 and P2 domains will not match.

Technically, the P1 information is supposed to be the identity of the user account which generated the message. At some websites, if it knows you by your email address, and you use it to generate an email, it may send with your email address as P1. I have given up on SPF.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BAlfson over 7 years ago in reply to DouglasFoster

Doug, please vote for and comment on: In Anti-Spam, Expression-check everything after DATA or include From

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 DouglasFoster over 7 years ago in reply to BAlfson

UTM is a wrapper for the Exim MTA www.exim.org

Exim has a specialized filter language which has its own manual (which I have not studied)

So the core product must have the ability, even though the UTM interface does not. I suggest one of you raise a support case to try to induce them to help you configure your filter rule directly in Exim.

Then let us know the results...
Cancel
Vote Up 0 Vote Down

Cancel
0 astiadmin over 7 years ago in reply to BAlfson

Thanks Bob, I voted for your request. Actually I don't understand how this can be so complicated to implement. Well, I need to address this at the Exchange side then.
Cancel
Vote Up 0 Vote Down

Cancel
+1 DouglasFoster over 7 years ago in reply to astiadmin

I have read the Exim documentation and it does not appear that the filter engine extracts P2 From, so it appears to me that there is no way to filter on it at all.
Cancel
Vote Up 0 Vote Down

Cancel
0 astiadmin over 7 years ago in reply to DouglasFoster

Ah, that's too bad. Thanks for investigating anyway.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 7 years ago in reply to DouglasFoster

In V7.5, the Expression check allowed looking at the "To:" field, and we used that to quarantine emails sent to ex-employees. Sometime in V8, that capability disappeared. I don't recall if we used that ability to filter for spoofing in the "From:" field.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 The Bee over 6 years ago in reply to astiadmin

astiadmin said:

Thanks Bob, I voted for your request. Actually I don't understand how this can be so complicated to implement. Well, I need to address this at the Exchange side then.

Hi Astiadmin,

is there a way to fix this at the Exchange? because I'm facing the same issue, and

in-anti-spam-expression-check-everything-after-data

hasn't been addressed yet...

regards
Cancel
Vote Up 0 Vote Down

Cancel
0 astiadmin over 6 years ago in reply to The Bee

Hi The Bee,

well, I found a way at least for my environment. I configured a dedicated FrontendTransport Connector for e-mails coming from the UTM only on both of my DAG members and ran the following Powershell command for each:

Remove-ADPermission <ReceiveConnector Name> –user “NT AUTHORITY\Anonymous Logon” –ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Actually I don't know if it really works because I did not yet test it but according to web sources it should exactly do what we want here.

Regards
Daniel
Cancel
Vote Up 0 Vote Down

Cancel