This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocking Spoofed Email

One of my client's user received an email that outlook said was from his boss asking to have money transfer. The user contacted the supposed sender of the email and he did not send it. 

Here is the censored header:

Internal User 1 is the receiving party and internal user 2 is the supposed sender. 

Received: from mail.MYDOMAIN.com (192.168.1.250) by
 mail.MYDOMAIN.com (192.168.1.3) with Microsoft SMTP Server (TLS) id
 14.2.347.0; Fri, 9 Oct 2015 09:20:32 -0500
Received: from p3plsmtp17-03-2.prod.phx3.secureserver.net
 ([173.201.193.166]:52307 helo=p3plwbeout17-03.prod.phx3.secureserver.net) by
 mail.MYDOMAIN.com with esmtps (TLSv1.2: DHE-RSA-AES128-SHA:128) (Exim
 4.82_1-5b7a7c0-XX) (envelope-from ) id
 1ZkYX2-0001Iu-1n for internaluser1@MYDOMAIN.com; Fri, 09 Oct 2015 09:20:24
 -0500
Received: from localhost ([173.201.193.244]) by
 p3plwbeout17-03.prod.phx3.secureserver.net with bizsmtp id
 T2FM1r0015GqqD1012FMnN; Fri, 09 Oct 2015 07:15:21 -0700
X-CTCH-RefID: str=0001.0A020201.5617CD28.01F2,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-SID: T2FM1r0015GqqD101
Received: (qmail 17723 invoked by uid 99); 9 Oct 2015 14:15:21 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 154.118.20.191
User-Agent: Workspace Webmail 5.15.9
Message-ID: 
From: Internal User 2 
X-Sender: accounting2@ralogistics.us
Reply-To: Internal User 2 
To: 
Subject: Transfer
Date: Fri, 9 Oct 2015 07:15:19 -0700
MIME-Version: 1.0
Return-Path: accounting2@ralogistics.us
X-MS-Exchange-Organization-AuthSource: EX2010.int.mydomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous


We have an SPF record setup with a hard fail. I read a similar post that recommended blocking external email from our domain, but we have another company that sends mail on our behalf, including sending to us. Any ideas on how we can prevent this from happening again?

I have blocked the actual source domain of the email, but it won't take much for the spammer to change..

Thanks!
Bob


This thread was automatically locked due to age.
  • How about:
    - Blacklist address pattern for *@yourdomain.com in Antispam settings.
    - Create exception for "Antispam checking" for IP address of your partner company SMTP server ?
  • Sorry to barge in on this but we've been hit by exactly the same type of thing.
  • Hi all,

    Did you ever succeed with this setup?

    The CFO Fraud is killing me, as I cannot block them in UTM, because of for forged envelope from....

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • Martin, please post the lines from the SMTP log related to one of these emails.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This should work with SPF and hardfails, exactly the way how I have configured it in my setup.

    Not a single spoofed email gets through unless it is on an exclusion list. You may want to recheck whether you may have some exclusions that exclude your domain from SPF checks or something.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi Bob,

    As mentioned by BAlfson, please post the required logs. Also post the outputs for-

    1. Run nslookup -q=txt yourdomain.com from any workstation and post the output. 

    2. dig -tTXT yourdomain.com from UTM.

    Finally, verify that there is no Whitelist or exception configured for the Boss email address/ IP address. One of the most possible and silly cause.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • The best remedy against CFO-fraud is to adjust your processes to always double-check with your CFO whether or not the request was originating from the CFO.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.