Blocking Spoofed Email

One of my client's users received an email that Outlook said was from his boss, asking to have money transferred. The user contacted the supposed sender of the email and he did not send it.

Here is the censored header:

Internal User 1 is the receiving party and internal user 2 is the supposed sender. 

Received: from mail.MYDOMAIN.com (192.168.1.250) by
 mail.MYDOMAIN.com (192.168.1.3) with Microsoft SMTP Server (TLS) id
 14.2.347.0; Fri, 9 Oct 2015 09:20:32 -0500
Received: from p3plsmtp17-03-2.prod.phx3.secureserver.net
 ([173.201.193.166]:52307 helo=p3plwbeout17-03.prod.phx3.secureserver.net) by
 mail.MYDOMAIN.com with esmtps (TLSv1.2: DHE-RSA-AES128-SHA:128) (Exim
 4.82_1-5b7a7c0-XX) (envelope-from ) id
 1ZkYX2-0001Iu-1n for internaluser1@MYDOMAIN.com; Fri, 09 Oct 2015 09:20:24
 -0500
Received: from localhost ([173.201.193.244]) by
 p3plwbeout17-03.prod.phx3.secureserver.net with bizsmtp id
 T2FM1r0015GqqD1012FMnN; Fri, 09 Oct 2015 07:15:21 -0700
X-CTCH-RefID: str=0001.0A020201.5617CD28.01F2,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-SID: T2FM1r0015GqqD101
Received: (qmail 17723 invoked by uid 99); 9 Oct 2015 14:15:21 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 154.118.20.191
User-Agent: Workspace Webmail 5.15.9
Message-ID: 
From: Internal User 2 
X-Sender: accounting2@ralogistics.us
Reply-To: Internal User 2 
To: 
Subject: Transfer
Date: Fri, 9 Oct 2015 07:15:19 -0700
MIME-Version: 1.0
Return-Path: accounting2@ralogistics.us
X-MS-Exchange-Organization-AuthSource: EX2010.int.mydomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous


We have an SPF record set up with a hard fail. I read a similar post that recommended blocking external email from our domain, but we have another company that sends mail on our behalf, including sending to us. Any ideas on how we can prevent this from happening again?

I have blocked the actual source domain of the email, but it won't take much for the spammer to change it.

Thanks!
Bob

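The header above shows why an SPF hard fail did not stop this message: SPF is evaluated against the envelope sender (Return-Path, here accounting2@ralogistics.us), not against the From: header the user sees, and the Exchange AuthAs header marks the message as unauthenticated. The following is an added example, not code from this thread or from Sophos: it parses a sample header adapted from the one posted (the spoofed From address is a placeholder, since the original was censored) and applies the DMARC-style alignment test that would have flagged it. It assumes any AuthAs value other than "Anonymous" means the connection authenticated, and it does not perform the DNS lookups a real SPF/DKIM check needs.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample adapted from the posted header. The From/Reply-To
# addresses are placeholders (the original post censored them).
SAMPLE_HEADERS = """\
From: Internal User 2 <internaluser2@MYDOMAIN.com>
Reply-To: Internal User 2 <internaluser2@MYDOMAIN.com>
To: internaluser1@MYDOMAIN.com
Subject: Transfer
Return-Path: accounting2@ralogistics.us
X-MS-Exchange-Organization-AuthAs: Anonymous

"""


def addr_domain(addr: str) -> str:
    """Lower-cased domain part of a header address (empty if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def sender_identities(raw: str) -> dict:
    """Pull out the two identities that matter for spoof detection."""
    msg = message_from_string(raw)
    return {
        "envelope_from": addr_domain(msg.get("Return-Path", "")),
        "header_from": addr_domain(msg.get("From", "")),
        # Assumption: Exchange stamps "Anonymous" for unauthenticated SMTP.
        "authenticated": msg.get("X-MS-Exchange-Organization-AuthAs", "")
        != "Anonymous",
    }


def spoof_verdict(raw: str, our_domain: str) -> str:
    """Classify an inbound message the way a DMARC alignment check would."""
    ids = sender_identities(raw)
    our_domain = our_domain.lower()
    # SPF only looks at the envelope sender, so a hard-fail record for
    # our_domain never fires when Return-Path is some other domain.
    if ids["envelope_from"] == our_domain:
        return "spf-applies"
    # Alignment: the visible From domain must match the domain that SPF or
    # DKIM authenticated. An unauthenticated external message claiming our
    # From domain is exactly the pattern in this thread.
    if ids["header_from"] == our_domain and not ids["authenticated"]:
        return "unaligned-internal-from"
    return "ok"
```

Publishing a DMARC policy for MYDOMAIN.com turns this alignment test into something receiving servers (including your own) enforce, while the partner that sends on your behalf stays whitelisted by being listed in SPF or signing with your DKIM key.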

  • Hi Bob,

    As mentioned by BAlfson, please post the required logs. Also post the outputs for:

    1. Run nslookup -q=txt yourdomain.com from any workstation and post the output. 

    2. dig -tTXT yourdomain.com from UTM.

    Finally, verify that there is no whitelist or exception configured for the boss's email address or IP address. This is one of the most likely, and silliest, causes.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
