Reject messages from outside my domain with FROM HEADER from inside (forgery)

Kevin Miller Kevin_Miller at ci.juneau.ak.us
Thu Jul 25 21:10:24 IST 2013


I think you're right.  I didn't notice that you were already using SPF.  I should have read closer - sorry.

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Thiago Bemerguy
Sent: Thursday, July 25, 2013 10:45 AM
To: MailScanner discussion
Subject: Re: Reject messages from outside my domain with FROM HEADER from inside (forgery)

As far as I know, SPF only avoids forgery in the envelope sender address, not in the FROM that is displayed to the user.

2013/7/25 Kevin Miller <Kevin_Miller at ci.juneau.ak.us>
Implement SPF records in your DNS.

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Thiago Bemerguy
Sent: Thursday, July 25, 2013 6:50 AM
To: mailscanner at lists.mailscanner.info
Subject: Reject messages from outside my domain with FROM HEADER from inside (forgery)

Hello,

I have an Exchange 2010 server with MailScanner for filtering external messages. The users are receiving phishing messages from outside my network with the FROM header forged with email addresses from my domain. Is there any way to prevent messages from outside from arriving with certain email addresses, such as by filtering on email and IP address or MTA hostname?

The header of the phishing message follows:

Received: from ???.com (????) by ???
 (????) with ????
Received-SPF: none (beetobee.it: No applicable sender policy available) receiver=????.com; identity=mailfrom; envelope-from="www-data at beetobee.it"; helo=mail.beetobee.it; client-ip=???
X-Greylist: delayed 1335 seconds by postgrey-1.32 at ????;
Received: from mail.beetobee.it (mail.blucamera.it [82.85.28.154]) by
 ???.com (Postfix) with ESMTP id BE94320722 for
 <address1 at internal.com>;
Received: by mail.beetobee.it (Postfix, from userid 33) id 6D9D2291ADE;
To: <address1 at internal.com>
Subject: .....
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
X-Mailer: Microsoft Office Outlook, Build 17.551210
From: <address1 at internal.com> (forged)
Message-ID: <????@mail.beetobee.it>
Date:
X-TCE-MailScanner-ID: BE94320722.89A9A
X-TCE-MailScanner: Found to be clean
X-TCE-MailScanner-SpamScore: sss
X-TCE-MailScanner-From: www-data at beetobee.it
X-Spam-Status: No
Return-Path: www-data at beetobee.it
X-MS-Exchange-Organization-AuthSource: Maia.tce.pa
X-MS-Exchange-Organization-AuthAs: Anonymous

We have SPF configured, but I think it only protects the envelope sender address.

Thanks in advance,

--
Thiago Bemerguy
thiagobemerguy at gmail.com


--
Thiago Bemerguy
thiagobemerguy at gmail.com
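
The check asked for in the original post, as an added example that is not part of the thread and is not MailScanner code or configuration: flag a message whose From header uses an internal domain when the connecting client is not one of your own relays, whatever the envelope sender was. The domain, network range, addresses and function names are assumptions, and the sample message is constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Assumptions for this example: replace with your own domains and relay networks.
INTERNAL_DOMAINS = {"internal.example"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample modelled on the headers in the post (placeholder names).
SAMPLE = (
    "Return-Path: <www-data@sender.example>\n"
    "To: <address1@internal.example>\n"
    "From: <address1@internal.example>\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def is_internal_domain(addr):
    """True if addr's domain is one of ours or a subdomain of one."""
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def is_trusted_client(client_ip):
    """True if the connecting IP belongs to one of our own relays."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def forged_internal_from(raw_message, envelope_from, client_ip):
    """Return a rejection reason, or None if the message may pass."""
    if is_trusted_client(client_ip):
        return None  # our own servers may use our domain in From
    msg = message_from_string(raw_message)
    # Check every From header: a message can carry more than one.
    for _name, addr in getaddresses(msg.get_all("From", [])):
        if is_internal_domain(addr):
            return (f"From <{addr}> is internal but client {client_ip} is not "
                    f"(envelope sender: {envelope_from})")
    return None

if __name__ == "__main__":
    print(forged_internal_from(SAMPLE, "www-data@sender.example", "192.0.2.10"))
```

Third parties that legitimately send with your domain in From (mailing lists, hosted services) are flagged as well unless their networks are added to the trusted list.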