Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 3 subscribers
  • Views 9350 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to quarantine specified emails?

ZeusDionysos

Hello everyone,

I have a question regarding the SMTP Protection.

We have two mailservers. A) internal MS Exchange and B) external exim4. The exim4 is only used to temporary store ingoing mails if our internal mailserver is down. So B relays all emails to A through the Sophos. B does not  do spam checks or else, it just relays everything for our internal email to A and drop everything else.

Problem: in the last time hackers try to infiltrate us with ransomware, pretending they got an attached scan.doc from scanner@ourdomain.tld. Here is an email header:

Received: from mail.ourdomain.tld (192.168.1.1) by internal-mail.ourdomain.tld (192.168.1.45) with Microsoft SMTP Server (TLS) id 14.2.347.0; Thu, 11 Feb 2016 12:00:40 +0100
Received: from external.hosted-server.tld ([6.6.6.42]:37011) by mail.ourdomain.tld with esmtps (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.82_1-5b7a7c0-XX) (envelope-from <scanner@ourdomain.tld>) id 1aToz7-0005E2-0M for info@ourdomain.tld; Thu, 11 Feb 2016 12:00:29 +0100
Received: from [123.231.117.146] by external.hosted-server.tld with esmtp (Exim 4.82) (envelope-from <scanner@ourdomain.tld>) id 1aToz5-000101-T3 for info@ourdomain.tld; Thu, 11 Feb 2016 12:00:28 +0100
From: <scanner@ourdomain.tld>
To: <info@ourdomain.tld>
Subject: =?ISO-8859-1?B?U2NhbiBmcm9tIEtNMTY1MA==?=
Date: Thu, 11 Feb 2016 16:30:18 +0530
Message-ID: <2938692012130000@KM61D7E0>
MIME-Version: 1.0
X-Mailer: NetWorkScanner Mail System Version 1.1
Content-Type: multipart/mixed; boundary="------------VGh1LCAyMSBKYW4gMjAxNiAxNjo1MTo0NSArMDAwMA=="
Return-Path: scanner@ourdomain.tld
X-MS-Exchange-Organization-AuthSource: internal-mail.ourdomain.tld
X-MS-Exchange-Organization-AuthAs: Anonymous
X-Auto-Response-Suppress: DR, OOF, AutoReply

My idea to stop mails like them is to auto quarantine ingoing mails from *@ourdomain.tld because only our internal MS Exchange server should send mails from *@ourdomain.tld.

Question: is this a good way o solve this problem? Are there other (better?) ways to solve this problem?

Best regards

Chris



This thread was automatically locked due to age.
Parents
  • 0

    ZeusDionysos said:

    ....My idea to stop mails like them is to auto quarantine ingoing mails from *@ourdomain.tld because only our internal MS Exchange server should send mails from *@ourdomain.tld.

    Put *@ourdomain.tld in Emai Protection -> SMTP -> Antispam -> Sender Blacklist -> Blacklisted Address Patterns. Messages will be rejected, not quarantined.


Reply
  • 0

    ZeusDionysos said:

    ....My idea to stop mails like them is to auto quarantine ingoing mails from *@ourdomain.tld because only our internal MS Exchange server should send mails from *@ourdomain.tld.

    Put *@ourdomain.tld in Emai Protection -> SMTP -> Antispam -> Sender Blacklist -> Blacklisted Address Patterns. Messages will be rejected, not quarantined.


Children
  • 0 in reply to vilic
    Question: does this only affect ingoing mails from the WAN interface?
    For internal use we send from our DMZ and LAN mails through the Sophos to our internal Exchange Server. Would this still work after adding *@ourdomain.tld to the Sender Blacklist?
  • 0 in reply to ZeusDionysos
    It will work for the incoming mails from the WAN interface (using it in production on many client UTMs), however I am not sure what will happen if the e-mail is sent from a DMZ zone if the sender is declared to be from @.ourdomain.tld domain.
    You can do a test and post results here.
  • 0 in reply to vilic
    Well bevore I began testing your suggestion I realised that we use an external service for sending newsletters in our name which are also going to our employees. So activating the Sender Blacklist for *@ourdomain.tld would block the newsletter from reaching our employees.
    Sending the newsletter from our internal mailserver is not such a good idea, so do you have another idea how I could stop those unwanted e-mails?

    Is there maybe a check that checks if the sender (if it's from *@ourdomain.tld) is existing?
Unfiltered HTML