
Block emails spoofed p2 headers

I am looking to block emails where the FROM in the P2 header is being spoofed using our email addresses. I can kill these off at the Exchange server by removing the ms-exch-smtp-accept-authoritative-domain-sender on the Internet facing domain connector. Is there a way to kill these via "Email Protection"? If I add our domain in the "Sender Blacklist" does this look at the P2 header or only the P1 like SPF?

P1 header
mail from: someone@someotherdomain.com
rcpt to: user1@mydomain.com
data

P2 header
from: user1@mydomain.com (problem)
to: user2@mydomain.com
Subject: P1 and P2 headers are different
The P1 and P2 headers will be different in this message.

Thanks,
                 Jim


  • UTM is a wrapper for the Exim MTA www.exim.org

    Exim has a specialized filter language which has its own manual (which I have not studied)  

    So the core product must have the ability, even though the UTM interface does not.   I suggest one of you raise a support case to try to induce them to help you configure your filter rule directly in Exim.

    Then let us know the results...

  • Thanks Bob, I voted for your request. Actually I don't understand how this can be so complicated to implement. Well, I need to address this at the Exchange side then.

  • I have read the Exim documentation and it does not appear that the filter engine extracts P2 From, so it appears to me that there is no way to filter on it at all.

  • Ah, that's too bad. Thanks for investigating anyway.

  • In V7.5, the Expression check allowed looking at the "To:" field, and we used that to quarantine emails sent to ex-employees.  Sometime in V8, that capability disappeared.  I don't recall if we used that ability to filter for spoofing in the "From:" field.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • astiadmin said:

    Thanks Bob, I voted for your request. Actually I don't understand how this can be so complicated to implement. Well, I need to address this at the Exchange side then.

    Hi Astiadmin,

    Is there a way to fix this at the Exchange? Because I'm facing the same issue, and

    in-anti-spam-expression-check-everything-after-data

    hasn't been addressed yet...

    Regards

  • Hi The Bee,

    Well, I found a way at least for my environment. I configured a dedicated FrontendTransport Connector for e-mails coming from the UTM only on both of my DAG members and ran the following PowerShell command for each:

    Remove-ADPermission -Identity "<ReceiveConnector Name>" -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

    Actually I don't know if it really works because I have not yet tested it, but according to web sources it should do exactly what we want here.

    Regards
    Daniel

  • This is a reply to an old post, but adding this now for others who stumble into the discussion again.

    Not sure why UTM could not send quarantine reports. It should be configured to log onto your mail server with credentials:

    Management... Notifications... Advanced... Authentication (checked, followed by a username and password). The username there should be consistent with the sender name on the Notification... General tab.

    Alternatively, you configure an Exchange Receive Connector to filter on IP Address instead of authentication, then put the UTM Address into the allowed list.

  • "Is there a way to kill these via "Email Protection"? If I add our domain in the "Sender Blacklist" does this look at the P2 header or only the P1 like SPF?"

    This blacklist is matched against the envelope sender of incoming SMTP sessions. Yes, you can stop them by adding your own domain to the Blacklist, something we have done for several domains, but the problem is when you have external senders sending on behalf of you (SPF record): then you wish to make an exception for those senders that ARE allowed to send on behalf of you, to you, but this is not possible.

    Answer from Sophos Support: The blacklist will be checked, matched and blocked before the exception rule is reached/processed.
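The P1/P2 distinction from the original question and the envelope-sender behaviour of the Sender Blacklist described in the last reply, as an added example that is not code from the thread, from Sophos UTM or from Exchange: a small Python checker that parses a captured SMTP session, takes MAIL FROM as the P1 sender and the header From: as the P2 sender, and shows which of the two a blacklist entry for your own domain actually catches. OUR_DOMAINS, ALLOWED_THIRD_PARTY_SENDERS and the four sample sessions are constructed assumptions. It goes beyond the thread in one respect: it evaluates an exception list of permitted third-party envelope senders before the blacklist, the order the last post says UTM does not use.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains we are authoritative for (constructed value for this example).
OUR_DOMAINS = {"mydomain.com"}

# Hypothetical exception list: external envelope senders permitted to send
# "as us" (for instance a mailing provider listed in our SPF record).
ALLOWED_THIRD_PARTY_SENDERS = {"bounce@newsletter-provider.example"}

# Constructed sessions. P1 = MAIL FROM (envelope), P2 = header From: after DATA.
SPOOFED_P2 = """\
MAIL FROM:<someone@someotherdomain.com>
RCPT TO:<user1@mydomain.com>
DATA
From: user1@mydomain.com
To: user2@mydomain.com
Subject: P1 and P2 headers are different

The P1 and P2 headers will be different in this message.
.
"""

SPOOFED_P1 = """\
MAIL FROM:<user1@mydomain.com>
RCPT TO:<user2@mydomain.com>
DATA
From: user1@mydomain.com
To: user2@mydomain.com
Subject: Envelope claims our domain

Caught by a Sender Blacklist entry for mydomain.com.
.
"""

EXTERNAL_OK = """\
MAIL FROM:<partner@someotherdomain.com>
RCPT TO:<user1@mydomain.com>
DATA
From: partner@someotherdomain.com
To: user1@mydomain.com
Subject: Ordinary external mail

Nothing to see here.
.
"""

ALLOWED_ON_BEHALF = """\
MAIL FROM:<bounce@newsletter-provider.example>
RCPT TO:<user1@mydomain.com>
DATA
From: marketing@mydomain.com
To: user1@mydomain.com
Subject: Newsletter sent on our behalf

Permitted by the exception list.
.
"""


def split_session(session: str):
    """Return (envelope_sender, message) from a captured SMTP session text.

    The envelope sender is taken from MAIL FROM (P1); the message is every line
    after DATA up to the terminating '.' line, parsed as RFC 5322 headers + body.
    """
    envelope_sender = ""
    lines = session.splitlines()
    for i, line in enumerate(lines):
        upper = line.strip().upper()
        if upper.startswith("MAIL FROM:"):
            envelope_sender = parseaddr(line.split(":", 1)[1].strip())[1]
        elif upper == "DATA":
            data_lines = []
            for body_line in lines[i + 1:]:
                if body_line == ".":
                    break
                data_lines.append(body_line)
            return envelope_sender, message_from_string("\n".join(data_lines))
    raise ValueError("session has no DATA section")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify(session: str) -> str:
    """Classify a session by the checks discussed in the thread."""
    p1_sender, msg = split_session(session)
    p2_sender = parseaddr(msg.get("From", ""))[1]
    p1_domain, p2_domain = domain_of(p1_sender), domain_of(p2_sender)

    # Exception list first: senders allowed to send on our behalf (assumed order).
    if p1_sender.lower() in ALLOWED_THIRD_PARTY_SENDERS:
        return "allowed-third-party"
    # What a Sender Blacklist entry for our own domain sees: the envelope (P1).
    if p1_domain in OUR_DOMAINS:
        return "blocked-envelope-p1"
    # What it does not see: external envelope, our domain in the header From (P2).
    if p2_domain in OUR_DOMAINS:
        return "spoofed-header-p2"
    return "ok"


if __name__ == "__main__":
    for name, session in [("SPOOFED_P2", SPOOFED_P2), ("SPOOFED_P1", SPOOFED_P1),
                          ("EXTERNAL_OK", EXTERNAL_OK), ("ALLOWED_ON_BEHALF", ALLOWED_ON_BEHALF)]:
        print(f"{name}: {classify(session)}")
```

The "spoofed-header-p2" result is the case the thread is about: the envelope-sender blacklist never looks at it, which is why the Exchange-side removal of the accept-authoritative-domain-sender permission on the Internet-facing connector is the remedy the posters fall back to.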