Block email faking to be from our domain but coming from outside?
djones at ena.com
Fri Jun 8 12:40:10 UTC 2018
On 06/08/2018 07:18 AM, Remco Barendse wrote:
> Thanks for your reply! These are not bulk spam messages, I'm talking
> carefully engineered tailor made messages from someone imposing to be
> myself and trying to persuade someone in finance to make a payment or
> change bank details.
> That's why I would like to explore options to flag those messages. If
> mail arrives from outside and our domain name is in the From: address
> something is terribly wrong :)
> I don't think SpamAssassin would help much in that case?
Do you understand that MailScanner's primary method of scoring and
blocking email is SpamAssassin? MailScanner is basically a wrapper for
SA with some extra checks like icing on the cake. The cake is SA.
I have an SA rule that does the very thing you are needed to do:
header __MSGID_ENA_FILTERED Message-ID =~ /\@ena\.com>/
meta ENA_MSGID_ENA_FILTERED !ALL_TRUSTED && __MSGID_ENA_FILTERED
describe ENA_MSGID_ENA_FILTERED Message ID ends in a domain that
ENA filters inbound
score ENA_MSGID_ENA_FILTERED 8.2
If you showed me the headers of an example email, I could confirm or
help you setup an SA rule that would block these fake emails.
> On Fri, 8 Jun 2018, David Jones via MailScanner wrote:
>> On 06/08/2018 04:35 AM, Remco Barendse wrote:
>>> See more and more messages incoming with fraud attempts. The mail is
>>> constructed to look like from someone in our organization sent it and
>>> is addressed to people within the organization.
>>> Is there any way to block email with a sender that pretends to be
>>> coming from @myowndomain.com but coming from outside?
>>> I use Exchange and all real email is coming only from Exchange, never
>>> from outside.
>>> What would be the right way to do it?
>>> Also, some companies sign incoming email messages with a one liner as
>>> the very first line of an email like :
>>> "THIS EMAIL ORIGINATED FROM OUTSIDE OUR ORGANIZATION"
>>> How to do that ? I found that MailScanner can sign messages but only
>>> at the bottom of an email?
>> This might be a better question for the SpamAssassin Users list but I
>> can help anyway. Please post an example with minimal redacting to
>> pastebin.com and send us a link. There are about a dozen or two
>> things that that can be tuned in SpamAssassin but I have a feeling
>> that you can use the Message-ID header to determine spoofed inbound
More information about the MailScanner