Block/tag emails where the HELO domain does not match the author domain?
@aeleus:
Hello aeleus,
Could you confirm if the email in question passed the DMARC Test with a "pass" result? Such a result would only be possible if the sender used PayPal’s legitimate mail server or if the email originated from a compromised PayPal account. To assist with our investigation, please send us the following to :
1. A copy of the original email saved in either .eml or .msg format. (Please do not forward the email)
2. The corresponding ORF text log file from the day of the incident (default path: C:\ProgramData\ORF Fusion\TextLogs).
I am looking forward to hearing from you.
@Daniel Novak (Vamsoft):
Thank you for the response.
I tried to email you the .msg file and the log, but (ironically) it was refused:
Generating server: a8-22.smtp-out.amazonses.com
Remote Server returned '554 5.7.1 < #5.7.1 smtp; 550 5.7.1 Message rejected. This server does not accept mails from your IP address (54.240.8.22).>'
As you can see, I use Amazon SES.
Let me know if there is another way I can get the files to you.
@aeleus:
Yes, unfortunately, we have specific rules in place for Amazon SES. However, we have now excluded your emails from this check. Please resend us your email along with the attachments, and we will review them.
Thank you.
I understand the HELO domain often does not match the author domain in legitimate emails.
That said, I have been getting emails lately that pass SPF, DKIM, and DMARC checks but are obviously spam.
For example:
HELO: EUR05-VI1-obe.outbound.protection.outlook.com
Author:
All emails from paypal.com have a HELO like "mx2.phx.paypal.com".
If not blacklist, I would like to tag these emails for extra scrutiny. How can I do that?
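The tagging the question asks for, as an added stand-alone example (not ORF Fusion code and not from the thread): it reads the HELO name from the topmost Received header, the author domain from From, and the DMARC verdict from Authentication-Results, then tags a mismatch for scrutiny instead of rejecting it, since hosted senders such as outlook.com legitimately fail this comparison. The two-label "organizational domain" shortcut, the sample messages and the X- header name are assumptions of this example.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample message (not a real capture); only the headers matter.
MISMATCH_EML = (
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass header.d=paypal.com;"
    " dmarc=pass header.from=paypal.com\n"
    "Received: from EUR05-VI1-obe.outbound.protection.outlook.com"
    " (rdns.example.org [192.0.2.10])\n"
    "\tby mx.example.net with ESMTPS; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "From: \"Service\" <service@paypal.com>\n"
    "To: user@example.net\nSubject: Action required\n\nbody\n"
)
# Same message with a HELO inside the author domain, as paypal.com normally sends.
MATCH_EML = MISMATCH_EML.replace(
    "EUR05-VI1-obe.outbound.protection.outlook.com", "mx2.phx.paypal.com")

def org_domain(host):
    """Last two labels as the organizational domain (assumption of this example;
    DMARC proper uses the Public Suffix List, so co.uk-style names need it)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def helo_name(msg):
    """HELO/EHLO name from the topmost Received header, the one our own MX wrote."""
    received = msg.get_all("Received") or []
    m = re.match(r"from\s+(\S+)", str(received[0])) if received else None
    return m.group(1) if m else None

def author_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower() or None

def dmarc_result(msg):
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else None

def assess(raw):
    """Verdict: tag on HELO/author mismatch, never reject on that alone."""
    msg = Parser(policy=policy.default).parsestr(raw)
    helo, author, dmarc = helo_name(msg), author_domain(msg), dmarc_result(msg)
    mismatch = bool(helo and author and org_domain(helo) != org_domain(author))
    return {"helo": helo, "author_domain": author, "dmarc": dmarc,
            "helo_mismatch": mismatch, "action": "tag" if mismatch else "deliver"}

def tag_message(raw):
    """Prepend an X- header so a later rule or the mail client can scrutinize it."""
    v = assess(raw)
    if not v["helo_mismatch"]:
        return raw
    return (f"X-HELO-Author-Mismatch: {v['helo']} vs {v['author_domain']}"
            f" (dmarc={v['dmarc']})\n" + raw)
```

A DMARC pass only proves alignment of the From domain with SPF or DKIM; the HELO comparison is an independent signal, which is why the example records both.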