UTM is a wrapper for the Exim MTA (www.exim.org).
Exim has a specialized filter language which has its own manual (which I have not studied).
So the core product must have the ability, even though the UTM interface does not. I suggest one of you raise a support case to try to induce them to help you configure your filter rule directly in Exim.
Then let us know the results...
In V7.5, the Expression check allowed looking at the "To:" field, and we used that to quarantine emails sent to ex-employees. Sometime in V8, that capability disappeared. I don't recall if we used that ability to filter for spoofing in the "From:" field.
Cheers - Bob
astiadmin said: Thanks Bob, I voted for your request. Actually I don't understand how this can be so complicated to implement. Well, I need to address this at the Exchange side then.
Hi Astiadmin,
Is there a way to fix this at the Exchange? Because I'm facing the same issue, and
in-anti-spam-expression-check-everything-after-data
hasn't been addressed yet...
regards
Hi The Bee,
Well, I found a way, at least for my environment. I configured a dedicated FrontendTransport connector for e-mails coming from the UTM only on both of my DAG members and ran the following PowerShell command for each:
Remove-ADPermission <ReceiveConnector Name> -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Actually, I don't know if it really works because I have not tested it yet, but according to web sources it should do exactly what we want here.
Regards
Daniel
This is a reply to an old post, but adding this now for others who stumble into the discussion again.
Not sure why UTM could not send quarantine reports. It should be configured to log onto your mail server with credentials:
Management... Notifications... Advanced... Authentication (checked, followed by a username and password). The username there should be consistent with the sender name on the Notification... General tab.
Alternatively, you configure an Exchange Receive Connector to filter on IP Address instead of authentication, then put the UTM Address into the allowed list.
"Is there a way to kill these via "Email Protection"? If I add our domain in the "Sender Blacklist" does this look at the P2 header or only the P1 like SPF?" This blacklist is matched against the envelope sender of incoming SMTP sessions. Yes, you can stop them by adding your own domain to the Blacklist, something we have done for several domains, but the problem is when you have external senders, sending on behalf of you, SPF record, then you wish to make an exception for those senders that ARE allowed to send on behalf of you, to you, but this is not possible. Answer from Sophos Support: The blacklist will be checked, matched and blocked, before the exception rule is reached/processed.
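The P1/P2 distinction discussed above, as an added example that is not part of the original thread and is not UTM, Exim or Exchange code: it compares the envelope sender (P1) with the From: header (P2) of inbound mail and checks the allowed senders before blocking, the opposite order from the one the support answer describes. The domain, the network range, the function names and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

OWN_DOMAINS = {"example.com"}                      # assumption: the protected domain
AUTHORIZED_NETS = [ip_network("198.51.100.0/28")]  # assumption: hosts allowed to send as us

def domain_of(addr):
    """Lower-cased domain part of an address; '' for a null or malformed sender."""
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().strip("<> ")

def classify(client_ip, envelope_from, raw_message):
    """Label one inbound message by where (if anywhere) our own domain appears."""
    msg = message_from_string(raw_message)
    p1 = domain_of(envelope_from)                      # SMTP MAIL FROM
    p2 = domain_of(parseaddr(msg.get("From", ""))[1])  # RFC 5322 From: header
    if p1 not in OWN_DOMAINS and p2 not in OWN_DOMAINS:
        return "external"
    # Exception first: a sender we authorized may use our domain.
    if any(ip_address(client_ip) in net for net in AUTHORIZED_NETS):
        return "authorized-on-behalf"
    # An envelope-sender blacklist only ever sees the p1 case.
    return "p1-spoof" if p1 in OWN_DOMAINS else "p2-spoof"

def make_msg(from_header):
    """Build a minimal constructed message with the given From: header."""
    return f"From: {from_header}\nTo: staff@example.com\nSubject: test\n\nbody\n"

# Constructed samples: (connecting IP, envelope sender, message text)
SAMPLES = [
    ("203.0.113.9", "ceo@example.com", make_msg("ceo@example.com")),
    ("203.0.113.9", "bounce@unrelated.test", make_msg('"CEO" <ceo@example.com>')),
    ("198.51.100.5", "news@example.com", make_msg("hr@example.com")),
    ("203.0.113.20", "bob@other.test", make_msg("bob@other.test")),
]

def run_samples():
    """Return the label for each constructed sample, in order."""
    return [classify(ip, p1, raw) for ip, p1, raw in SAMPLES]

if __name__ == "__main__":
    for sample, label in zip(SAMPLES, run_samples()):
        print(sample[0], sample[1], "->", label)
```

The second sample is the case a P1-only blacklist never matches, and the third is the on-behalf-of sender that a block-first order would reject.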