<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Courier New";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Courier New";color:#1F497D'>I think you’re right. I didn’t notice that you were already using SPF. I should have read closer – sorry.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Courier New";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;color:#1F497D'> ...Kevin<br>--<br>Kevin Miller<br>Network/email Administrator, CBJ MIS Dept.<br>155 South Seward Street<br>Juneau, Alaska 99801<br>Phone: (907) 586-0242, Fax: (907) 586-4500<br>Registered Linux User No: 307357</span><span style='color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Courier New";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] <b>On Behalf Of </b>Thiago Bemerguy<br><b>Sent:</b> Thursday, July 25, 2013 10:45 AM<br><b>To:</b> MailScanner discussion<br><b>Subject:</b> Re: Reject messages from outside my domain with FROM HEADER from inside (forgery)<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>as far as I know spf only avoid forgery in envelop sender address, not in FROM that is displayed to the user.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>2013/7/25 Kevin Miller <<a href="mailto:Kevin_Miller@ci.juneau.ak.us" target="_blank">Kevin_Miller@ci.juneau.ak.us</a>><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Courier New";color:#1F497D'>Implement SPF records in your DNS.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Courier New";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;color:#1F497D'> ...Kevin<br>--<br>Kevin Miller<br>Network/email Administrator, CBJ MIS Dept.<br>155 South Seward Street<br>Juneau, Alaska 99801<br>Phone: (907) 586-0242, Fax: (907) 586-4500<br>Registered Linux User No: 307357</span><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a> [mailto:<a href="mailto:mailscanner-bounces@lists.mailscanner.info" target="_blank">mailscanner-bounces@lists.mailscanner.info</a>] <b>On Behalf Of </b>Thiago Bemerguy<br><b>Sent:</b> Thursday, July 25, 2013 6:50 AM<br><b>To:</b> <a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br><b>Subject:</b> Reject messages from outside my domain with FROM HEADER from inside (forgery)</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hello,<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I have an Exchange 2010 server with MailScanner for filtering external messages. The users are receiving phishing messages from outside my network with FROM header forged with email addresses from my domain. Is there any way to avoid that messages from outside come with certain email addresses, like filtering email and ip address or MTA hostname?<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Following the header of the phishing message<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Received: from ???.com (????) by ???<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> (????) with ????<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Received-SPF: none (<a href="http://beetobee.it" target="_blank">beetobee.it</a>: No applicable sender policy available) receiver=????.com; identity=mailfrom; envelope-from="<a href="mailto:www-data@beetobee.it" target="_blank">www-data@beetobee.it</a>"; helo=<a href="http://mail.beetobee.it" target="_blank">mail.beetobee.it</a>; client-ip=???<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>X-Greylist: delayed 1335 seconds by postgrey-1.32 at ????; <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Received: from <a href="http://mail.beetobee.it" target="_blank">mail.beetobee.it</a> (<a href="http://mail.blucamera.it" target="_blank">mail.blucamera.it</a> [82.85.28.154]) by<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>???.com (Postfix) with ESMTP id BE94320722 for<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <<a href="mailto:address1@internal.com" target="_blank">address1@internal.com</a>>; <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Received: by <a href="http://mail.beetobee.it" target="_blank">mail.beetobee.it</a> (Postfix, from userid 33) id 6D9D2291ADE; <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>To: <<a href="mailto:address1@internal.com" target="_blank">address1@internal.com</a>><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Subject: .....<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>MIME-Version: 1.0<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Content-Type: text/html; charset="iso-8859-1"<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>X-Mailer: Microsoft Office Outlook, Build 17.551210<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='background:red'>From: <<a href="mailto:address1@internal.com" target="_blank">address1@internal.com</a>> (forged)</span></b><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Message-ID: <????@<a href="http://mail.beetobee.it" target="_blank">mail.beetobee.it</a>><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Date: <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>X-TCE-MailScanner-ID: BE94320722.89A9A<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>X-TCE-MailScanner: Found to be clean<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>X-TCE-MailScanner-SpamScore: sss<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>X-TCE-MailScanner-From: <a href="mailto:www-data@beetobee.it" target="_blank">www-data@beetobee.it</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>X-Spam-Status: No<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Return-Path: <a href="mailto:www-data@beetobee.it" target="_blank">www-data@beetobee.it</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>X-MS-Exchange-Organization-AuthSource: <a href="http://Maia.tce.pa" target="_blank">Maia.tce.pa</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>X-MS-Exchange-Organization-AuthAs: Anonymous<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>We have SPF configured but I think it only protects envelope sender address.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks in advance,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-- <br>Thiago Bemerguy<br><a href="mailto:thiagobemerguy@gmail.com" target="_blank">thiagobemerguy@gmail.com</a> <o:p></o:p></p></div></div></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>--<br>MailScanner mailing list<br><a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a><br><a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br><br>Before posting, read <a href="http://wiki.mailscanner.info/posting" target="_blank">http://wiki.mailscanner.info/posting</a><br><br>Support MailScanner development - buy the book off the website!<o:p></o:p></p></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <br>Thiago Bemerguy<br><a href="mailto:thiagobemerguy@gmail.com" target="_blank">thiagobemerguy@gmail.com</a> <o:p></o:p></p></div></div></body></html>