Thread Info
  • State Suggested Answer
  • +3 person also asked this people also asked this
  • Locked Locked
  • Replies 19 replies
  • Answers 1 answer
  • Subscribers 8 subscribers
  • Views 48342 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Block emails spoofed p2 headers

JimKoerner
I am looking to block emails where the FROM in the P2 header is being spoofed using our email addresses.  I can kill these off at the exchange server by removing the ms-exch-smtp-accept-authoritative-domain-sender on the Internet facing domain connector.  Is there a way to kill these via "Email Protection"?  If I add our domain in the "Sender Blacklist" does this look at the P2 header or only the P1 like SPF?

P1 header
mail from: someone@someotherdomain.com
rcpt to: user1@mydomain.com
data

P2 header
from: user1@mydomain.com (problem)
to: user2@mydomain.com
Subject: P1 and P2 headers are different
The P1 and P2 headers will be different in this message.

Thanks,
                 Jim


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to BAlfson

    UTM is a wrapper for the Exim MTA www.exim.org

    Exim has a specialized filter language which has its own manual (which I have not studied)  

    So the core product must have the ability, even though the UTM interface does not.   I suggest one of you raise a support case to try to induce them to help you configure your filter rule directly in Exim.

    Then let us know the results...

  • 0 in reply to BAlfson

    Thanks Bob, I voted for your request. Actually I don't understand how this can be so complicated to implement. Well, I need to address this at the Exchange side then.

  • +1 in reply to astiadmin

    I have read the Exim documentation and it does not appear that the filter engine extracts P2 From, so it appears to me that there is no way to filter on it at all.

  • 0 in reply to DouglasFoster

    Ah, that's too bad. Thanks for investigating anyway.

  • 0 in reply to DouglasFoster

    In V7.5, the Expression check allowed looking at the "To:" field, and we used that to quarantine emails sent to ex-employees.  Sometime in V8, that capability disappeared.  I don't recall if we used that ability to filter for spoofing in the "From:" field.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to astiadmin

    astiadmin said:

    Thanks Bob, I voted for your request. Actually I don't understand how this can be so complicated to implement. Well, I need to address this at the Exchange side then.

     

     

     

    Hi Astiadmin,

     

    is there a way to fix this at the Exchange? because I'm facing the same issue, and 

    in-anti-spam-expression-check-everything-after-data

     

    hasn't been addressed yet...

     

    regards

  • 0 in reply to The Bee

    Hi The Bee,

    well, I found a way at least for my environment. I configured a dedicated FrontendTransport Connector for e-mails coming from the UTM only on both of my DAG members and ran the following Powershell command for each:

    Remove-ADPermission <ReceiveConnector Name> –user “NT AUTHORITY\Anonymous Logon” –ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

    Actually I don't know if it really works because I did not yet test it but according to web sources it should exactly do what we want here.

    Regards
    Daniel

Unfiltered HTML