Block email faking to be from our domain but coming from outside?
David Jones
djones at ena.com
Fri Jun 8 12:40:10 UTC 2018
On 06/08/2018 07:18 AM, Remco Barendse wrote:
> Thanks for your reply! These are not bulk spam messages, I'm talking
> carefully engineered tailor-made messages from someone posing as
> myself and trying to persuade someone in finance to make a payment or
> change bank details.
>
> That's why I would like to explore options to flag those messages. If
> mail arrives from outside and our domain name is in the From: address
> something is terribly wrong :)
>
> I don't think SpamAssassin would help much in that case?
>
>
Do you understand that MailScanner's primary method of scoring and
blocking email is SpamAssassin? MailScanner is basically a wrapper for
SA with some extra checks like icing on the cake. The cake is SA.

I have an SA rule that does the very thing you need to do:

# Sub-rule: the Message-ID carries our own domain
header __MSGID_ENA_FILTERED Message-ID =~ /\@ena\.com>/
# Fire only when the message did not pass through trusted relays alone
meta ENA_MSGID_ENA_FILTERED !ALL_TRUSTED && __MSGID_ENA_FILTERED
describe ENA_MSGID_ENA_FILTERED Message ID ends in a domain that ENA filters inbound
score ENA_MSGID_ENA_FILTERED 8.2

If you showed me the headers of an example email, I could confirm or
help you set up an SA rule that would block these fake emails.

Dave
> On Fri, 8 Jun 2018, David Jones via MailScanner wrote:
>
>> On 06/08/2018 04:35 AM, Remco Barendse wrote:
>>> See more and more messages incoming with fraud attempts. The mail is
>>> constructed to look like someone in our organization sent it and
>>> is addressed to people within the organization.
>>>
>>> Is there any way to block email with a sender that pretends to be
>>> coming from @myowndomain.com but coming from outside?
>>>
>>> I use Exchange and all real email is coming only from Exchange, never
>>> from outside.
>>>
>>> What would be the right way to do it?
>>>
>>>
>>>
>>> Also, some companies sign incoming email messages with a one liner as
>>> the very first line of an email like:
>>> "THIS EMAIL ORIGINATED FROM OUTSIDE OUR ORGANIZATION"
>>>
>>> How to do that? I found that MailScanner can sign messages but only
>>> at the bottom of an email?
>>>
>>>
>>
>> This might be a better question for the SpamAssassin Users list but I
>> can help anyway. Please post an example with minimal redacting to
>> pastebin.com and send us a link. There are about a dozen or two
>> things that can be tuned in SpamAssassin but I have a feeling
>> that you can use the Message-ID header to determine spoofed inbound
>> messages.
>>
>>
--
David Jones
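
The check discussed in this thread, as an added example that is not part of the original posts and is not MailScanner or SpamAssassin code: it flags a message that did not arrive only through trusted relays yet carries the local domain in Message-ID (as in the rule above) or in From: (as in the question). The domain `example.com`, the range `192.0.2.0/24`, the hit names and the simplified stand-in for `ALL_TRUSTED` are assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

OWN_DOMAIN = "example.com"                        # assumption: your mail domain
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: your Exchange/relay range

def _trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                            # malformed literal: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED)

def all_trusted(msg):
    """Simplified stand-in for ALL_TRUSTED: every bracketed relay IP is ours."""
    ips = []
    for hdr in msg.get_all("Received", []):
        ips += re.findall(r"\[([0-9.]+)\]", hdr)
    return bool(ips) and all(_trusted(ip) for ip in ips)

def spoof_hits(raw):
    """Return the own-domain checks that fire for a message from outside."""
    msg = email.message_from_string(raw)
    if all_trusted(msg):
        return []                                 # genuinely internal mail
    hits = []
    msgid = (msg.get("Message-ID") or "").strip().lower()
    if msgid.endswith("@" + OWN_DOMAIN + ">"):
        hits.append("MSGID_OWN_DOMAIN")
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if addr.endswith("@" + OWN_DOMAIN):
        hits.append("FROM_OWN_DOMAIN")
    return hits

# Constructed sample messages (not taken from the thread)
INTERNAL = ("Received: from exch01.example.com ([192.0.2.10]) by mx.example.com\n"
            "From: Managing Director <md@example.com>\n"
            "Message-ID: <a1@example.com>\n\nReal internal mail.\n")
SPOOFED = ("Received: from mail.sender.test ([203.0.113.7]) by mx.example.com\n"
           "From: Managing Director <md@example.com>\n"
           "Message-ID: <b2@mail.sender.test>\n\nPlease change the bank details.\n")

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL), ("spoofed", SPOOFED)):
        print(name, spoof_hits(raw))
```

In the constructed spoofed sample only the From: check fires, because the Message-ID there carries the sending host's domain.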