This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SPF check not working on phishing mails

Hey Guys

We're having some trouble with phishing mails. The mails are looking like they are coming from one of our domains. This is the header (I censored some values):

 

Received: from MX01.ourdomain.ch (192.168.110.19) by MX01.ourdomain.ch
(192.168.110.19) with Microsoft SMTP Server (TLS) id 15.0.1293.2 via Mailbox
Transport; Thu, 27 Jul 2017 07:09:52 +0200
Received: from MX01.ourdomain.ch (192.168.110.19) by MX01.ourdomain.ch
(192.168.110.19) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Thu, 27 Jul
2017 07:09:52 +0200
Received: from utm.ourdomain.net (8.8.8.8) by MX01.ourdomain.ch
(192.168.110.19) with Microsoft SMTP Server (TLS) id 15.0.1293.2 via Frontend
Transport; Thu, 27 Jul 2017 07:09:52 +0200
Received: from p3plsmtp06-06-2.prod.phx3.secureserver.net ([97.74.135.61]:32798 helo=p3plwbeout06-06.prod.phx3.secureserver.net)
by utm.ourdomain.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.82_1-5b7a7c0-XX)
(envelope-from <coyltm@outsourcedparalegalservices.com>)
id 1dab3W-0004Vb-0A
for hansueli.wuerth@ourdomain.ch; Thu, 27 Jul 2017 07:09:50 +0200
Received: from localhost ([97.74.135.16])
by :WBEOUT: with SMTP
id aavrdkJp5RW0maavrdbZZo; Wed, 26 Jul 2017 22:01:55 -0700
Received: (qmail 9835 invoked by uid 99); 27 Jul 2017 05:01:55 -0000
From: Hans Peter <hans.peter@ourdomain.ch>
To: <hansueli.steck@ourdomain.ch>
Subject: =?utf-8?B?U0VQQS9BdXNsYW5kc8O8YmVyd2Vpc3VuZw==?=
Thread-Topic: =?utf-8?B?U0VQQS9BdXNsYW5kc8O8YmVyd2Vpc3VuZw==?=
Thread-Index: AQHTBpaUIJao8jCRdkCqU8pTtJMqZA==
Date: Thu, 27 Jul 2017 05:01:53 +0000
Message-ID: <20170726220153.291ba9ef5338a76a8a2301db4d3f8952.c0649b8c8a.wbe@email06.godaddy.com>
Reply-To: Hans Peter <mykcome@gmail.com>
Content-Language: de-CH
X-MS-Exchange-Organization-AuthSource: MX01.ourdomain.ch
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: 50.63.197.83
user-agent: Workspace Webmail 6.8.5
x-sender: coyltm@outsourcedparalegalservices.com
Content-Type: multipart/alternative;
boundary="_000_20170726220153291ba9ef5338a76a8a2301db4d3f8952c0649b8c8_"
MIME-Version: 1.0

 

Now, our UTM shows coyltm@outsourcedparalegalservices.com as the sender, outlook shows hans.peter@ourdomain.ch. The sender asks for some payments and if the user answers, the mail goes to mykcome@gmail.com, as you can see in the header.

It's clear why the spf check doesn't work in this case, but any idea how we can filter this kind of mails?



This thread was automatically locked due to age.
Parents Reply Children
No Data