
Block emails spoofed p2 headers

I am looking to block emails where the FROM in the P2 header is being spoofed using our email addresses. I can kill these off at the Exchange server by removing the ms-exch-smtp-accept-authoritative-domain-sender on the Internet-facing domain connector. Is there a way to kill these via "Email Protection"? If I add our domain in the "Sender Blacklist", does this look at the P2 header or only the P1 like SPF?

P1 header
mail from: someone@someotherdomain.com
rcpt to: user1@mydomain.com
data

P2 header
from: user1@mydomain.com (problem)
to: user2@mydomain.com
Subject: P1 and P2 headers are different
The P1 and P2 headers will be different in this message.

Thanks,
                 Jim


  • In V7.5, the Expression check allowed looking at the "To:" field, and we used that to quarantine emails sent to ex-employees.  Sometime in V8, that capability disappeared.  I don't recall if we used that ability to filter for spoofing in the "From:" field.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
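
The P1/P2 comparison described in the question, as an added example that is not part of the original thread and is not Sophos UTM or Exchange code: a Python function that classifies a message received anonymously from the Internet by comparing the envelope sender with the header From:. The names `PROTECTED_DOMAINS`, `domain_of` and `p2_spoof_verdict`, and the verdict labels, are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the protected domain is the placeholder used in the question.
# Matching is exact, so subdomains would have to be listed separately.
PROTECTED_DOMAINS = {"mydomain.com"}

def domain_of(addr):
    """Lower-cased domain of an address; '' for a null or malformed sender."""
    _, at, domain = addr.strip().strip("<>").rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def p2_spoof_verdict(envelope_from, raw_message):
    """Classify one message received anonymously from the Internet.

    envelope_from is the P1 sender (SMTP MAIL FROM); raw_message holds the
    P2 headers and body. Returns (action, reason).
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    p2_domains = {domain_of(a) for _, a in getaddresses(from_headers) if a}
    if len(from_headers) != 1 or not p2_domains:
        # Zero, empty or several From: headers leave the sender ambiguous.
        return ("reject", "expected exactly one usable From: header")
    claimed = p2_domains & PROTECTED_DOMAINS
    if not claimed:
        return ("accept", "P2 From: does not claim a protected domain")
    if domain_of(envelope_from) in PROTECTED_DOMAINS:
        # P1 claims our domain too, so an SPF check on P1 covers this case.
        return ("check-spf", "P1 and P2 both claim a protected domain")
    # The case from the question: SPF evaluates only the foreign P1 domain
    # while the recipient sees one of our own addresses in From:.
    return ("quarantine", "P2 claims %s but P1 is %r"
            % (", ".join(sorted(claimed)), envelope_from))

# Constructed sample, modelled on the message in the question.
SAMPLE = (
    "From: user1@mydomain.com\n"
    "To: user2@mydomain.com\n"
    "Subject: P1 and P2 headers are different\n"
    "\n"
    "The P1 and P2 headers will be different in this message.\n"
)

if __name__ == "__main__":
    print(p2_spoof_verdict("someone@someotherdomain.com", SAMPLE))
```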