Spam from own domain (spoofed) - ORF Forums


1

We have an SPF record published, as well as Exchange set up to disallow unauthenticated emails coming from our own domain. However, this appears to get through because of the X-Sender header.

Is there an easy way to block this using ORF?

From: "Example"
X-Sender:
Reply-To: "Example"

by RJohnson 2 years ago
2

Looks like some of the header info got stripped out:

From: "Example"
X-Sender:
Reply-To: "Example"

by RJohnson 2 years ago
3

@RJohnson: Hello RJohnson,

ORF can certainly block forged emails, however, I do not have enough information just yet to suggest an appropriate solution to this particular incident. Could you tell us more about this email?:

- Did the spammer spoof the 'envelope sender address' (i.e. the email address recorded in the 'Sender' column of the ORF logs - and in the Exchange protocol logs)?
- Did the spammer spoof the 'From:' address in the message header?
- Did the spammer spoof the 'X-Sender:' address in the message header?
- Is 'belwilliamsinc.org' the correct name of your domain? - If so, I regret to inform you that you do not actually have a published SPF policy.
- Is your domain added to the 'Sender Whitelist' test of ORF (Administration Tool > Whitelists > Sender Whitelist)?

Alternatively, you may send us (to ) the spam email saved in an .eml or .msg format, along with the ORF configuration file (orfent.ini) and the ORF log from the day of the incident (e.g. orfee-2017-06-01.log) for analysis. The requested ORF files can be found in the ORF program directory (default: \Program Files (x86)\ORF Fusion).

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)

4

@Daniel Novak (Vamsoft): You make mention that ORF can block forged emails, specifically with X-Sender in mind; how would you make that happen? This is the most common form of spear phishing that we see.

Thanks!

by felipe.garcia 2 years ago
(in reply to this post)

5

@Daniel Novak (Vamsoft): - Did the spammer spoof the 'envelope sender address' (i.e. the email address recorded in the 'Sender' column of the ORF logs - and in the Exchange protocol logs)?

The envelope sender and X-Sender are the "" address

- Did the spammer spoof the 'From:' address in the message header?

Yes, the From address is what was spoofed. It was from an email address from our own domain. We have the "ms-exch-smtp-accept-authoritative-domain-sender" permission removed from "NT Authority\Anonymous Logon" which is why it is strange that this was not blocked by Exchange, if not ORF. In addition, we have SPF, DKIM, and DMARC configured for our domain.

- Did the spammer spoof the 'X-Sender:' address in the message header?

I am not sure, as the X-Sender is not a domain that I control.

- Is 'belwilliamsinc.org' the correct name of your domain? - If so, I regret to inform you that you do not actually have a published SPF policy.

No, that is what was used in the X-Sender header, and is not our domain.

- Is your domain added to the 'Sender Whitelist' test of ORF (Administration Tool > Whitelists > Sender Whitelist)?

No, we have no items in the 'Sender Whitelist'

Any help in figuring this out is appreciated.

by RJohnson 2 years ago
(in reply to this post)

6

Thank you for the additional details.

Please note that ORF does not validate the "author" (i.e. the address specified in the "From:" header field - which mail clients show) of the email, nor does it blacklist the email if the domain in the "From:" field is identical to your own domain - by default. You will need to add a regex pattern to the Keyword Blacklist that matches your own domain name in the "From:" header field, if you want to block this kind of spam. For step-by-step instructions on how to do this, please refer to our related article at https://vamsoft.com/support/docs/articles/how-to-blacklist-self-spam#mime-sender-spoofing

For the actual sender validation, email filters, including ORF, use the "envelope" sender address which is submitted in the MAIL FROM command during the SMTP transmission (for example: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example). This is the address that you find in the protocol logs of Exchange and in the ORF logs ("Sender" column) as well. It should not be confused with the address in the "From:" header.

Why the different address types, you might ask? It is quite simple: sometimes you just have to hide the real sender of the email. A common reason for this is when you want to display a user-friendly "From" address in the recipient's mail client (e.g ), and hide the real SMTP envelope sender address (e.g. ). You can learn more about this topic at https://security.stackexchange.com/questions/30732/why-is-it-even-possible-to-forge-sender-header-in-e-mail

by Daniel Novak (Vamsoft) 2 years ago
7

@felipe.garcia: Hello Felipe,

Dealing with spammers who spoof your domain in the envelope sender address is quite simple. Just make sure you have a valid SPF policy published for your domain(s) and keep the SPF Test of ORF enabled. In case your SPF record ends with a "SoftFail" (~all) qualifier (See: http://www.openspf.org/SPF_Record_Syntax), you should either change it to "Fail" (-all) or allow ORF to blacklist emails on SPF "softfail" as well (Blacklists > SPF Test > Settings > Blacklist email on SPF "softfail"). Otherwise, the spoofed emails will still get through.

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)

8

@Daniel Novak (Vamsoft): SPF is enabled on our domain, and the SPF filter is enabled in ORF. It appears that it does not verify SPF against the From address, only "Envelope Sender".

by RJohnson 2 years ago
(in reply to this post)

9

@Daniel Novak (Vamsoft): Please note that ORF does not validate the "author" (i.e. the address specified in the "From:" header field - which mail clients show) of the email, nor does it blacklist the email if the domain in the "From:" field is identical to your own domain - by default. You will need to add a regex pattern to the Keyword Blacklist that matches your own domain name in the "From:" header field, if you want to block this kind of spam. For step-by-step instructions on how to do this, please refer to our related article at https://vamsoft.com/support/docs/articles/how-to-blacklist-self-spam#mime-sender-spoofing

Would this not blacklist all email that has our domain in the From field? That would block all legitimate internal email.

by RJohnson 2 years ago
(in reply to this post)

10

@RJohnson: "SPF is enabled on our domain, and the SPF filter is enabled in ORF. It appears that it does not verify SPF against the From address, only "Envelope Sender"."

The SPF Test checks the sender IP against the domain that it extracts from the envelope sender address; it does not care about the email address specified in the "From:" header field. This is by design - in fact, most SPF checkers work like this, see: http://www.openspf.org/FAQ/Envelope_from_scope

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)
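The distinction Daniel draws in posts 6 and 10 (SPF is evaluated on the envelope MAIL FROM domain, while the "From:" header is not validated unless a Keyword Blacklist pattern is added) and the softfail point from post 7, as an added Python example that is neither ORF's code nor from anyone in this thread. The SPF records, domains, IP addresses and the message are constructed; the toy SPF evaluator handles only ip4 mechanisms and the final all term; and the shape of the From: regex is an assumption, not the pattern from the vamsoft article.

```python
import ipaddress
import re
from email.utils import parseaddr

# Constructed SPF records, standing in for DNS TXT lookups (documentation domains only).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",     # our domain, hard fail
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",     # our domain, soft fail
    "other.example": "v=spf1 ip4:198.51.100.0/24 -all",  # the sender's own domain
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip):
    """Toy SPF evaluator: only 'ip4:' mechanisms and the final 'all' term.
    Real SPF also handles a/mx/include/redirect; this is enough to show the scope."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def domain_of(address):
    """Domain part of an address written as 'Name <user@dom>' or 'user@dom'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def from_header_matches_domain(raw_message, own_domain):
    """Keyword-blacklist style check on the header block: does the 'From:' field
    carry our own domain?  The regex shape is an assumption, not ORF's pattern."""
    pattern = re.compile(r"^From:.*@" + re.escape(own_domain) + r"(?=[>\s]|$)",
                         re.IGNORECASE | re.MULTILINE)
    headers = raw_message.split("\n\n", 1)[0]
    return pattern.search(headers) is not None


def classify(envelope_sender, sender_ip, raw_message, own_domain, blacklist_softfail=False):
    """The two checks discussed in the thread: SPF on the envelope (MAIL FROM)
    domain, and a separate pattern match on the From: header."""
    spf = evaluate_spf(domain_of(envelope_sender), sender_ip)
    spoofed_from = from_header_matches_domain(raw_message, own_domain)
    spf_blocks = spf == "fail" or (spf == "softfail" and blacklist_softfail)
    return {"spf": spf, "spoofed_from": spoofed_from, "block": spf_blocks or spoofed_from}


# Constructed message: the From: header shows our domain, the envelope does not.
SPOOFED_MESSAGE = (
    'From: "Example" <ceo@example.com>\n'
    "X-Sender: bulk@other.example\n"
    'Reply-To: "Example" <reply@other.example>\n'
    "To: staff@example.com\n"
    "Subject: urgent wire transfer\n"
    "\n"
    "Please process the attached invoice today.\n"
)

if __name__ == "__main__":
    # SPF on the envelope domain passes (the sender's own domain authorises its IP),
    # so only the From: header check flags the spoof.
    print(classify("bounce@other.example", "198.51.100.7", SPOOFED_MESSAGE, "example.com"))
    # Envelope spoofed to our domain from a foreign IP: a -all record yields fail ...
    print(evaluate_spf("example.com", "198.51.100.7"))
    # ... but a ~all record only yields softfail, which passes unless softfail is blacklisted.
    print(classify("bounce@example.net", "198.51.100.7", SPOOFED_MESSAGE, "example.net"))
    print(classify("bounce@example.net", "198.51.100.7", SPOOFED_MESSAGE, "example.net",
                   blacklist_softfail=True))
```

The first call is the case from this thread: the envelope domain belongs to the sender and authorises the sending IP, so SPF returns pass and the message is only caught by the From: header match. The last two calls show the post 7 point: with ~all the spoofed envelope produces softfail, which is not blocked unless the filter is told to treat softfail as a blacklist hit.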

11

@RJohnson: "Would this not blacklist all email that has our domain in the From field? That would block all legitimate internal email"

No, it would not, as ORF does not filter internal emails. Emails coming from the local host address (127.0.0.1) and Class A (10.0.0.0 - 10.255.255.255), Class B (172.16.0.0 - 172.31.255.255) and C (192.168.0.0 - 192.168.255.255) private intranet address ranges are excluded from filtering by default - this is hard-coded into ORF and cannot be changed.

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)

12

@Daniel Novak (Vamsoft): What about non private ranges? We have authenticated users who can be in the field on a company device that would be sending emails using their smart phones or laptops.

I'm guessing, from looking at that link, that this would be fine as those are Exchange RPC clients and ORF is only filtering incoming SMTP.

by RJohnson 2 years ago
(in reply to this post)

13

@RJohnson: Yes, that is correct. ORF is designed specifically against spam, which is expected to arrive from the outside of the organization, via SMTP only. As for users relaying from external hosts, authenticated SMTP sessions are excluded from filtering by default - just make sure that the Authentication Whitelist is enabled and assigned to both filtering points (Before Arrival & On Arrival) on the Filtering > Tests page of the ORF Administration Tool.

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)
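The scoping rule Daniel describes in posts 11 and 13 (loopback and private intranet sources are never filtered; authenticated SMTP sessions are skipped when the Authentication Whitelist is enabled at the filtering point), as an added Python example that is not ORF's code and not from this thread. The session list is constructed, not real ORF log data, and the `filtering_applies` function and its arguments are assumptions; only the ranges and the two exclusions come from the posts.

```python
import ipaddress

# Ranges the thread says ORF never filters: local host and the RFC 1918 blocks
# the post calls Class A/B/C.  ORF hard-codes its own list; this one is constructed.
EXEMPT_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def filtering_applies(client_ip, authenticated, auth_whitelist_enabled=True):
    """Return (filtered, reason) for one SMTP session.  Mirrors the exclusions
    described in the thread: intranet/loopback sources are skipped outright, and
    authenticated sessions are skipped when the Authentication Whitelist is on."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in EXEMPT_NETWORKS):
        return False, "intranet/local source, not filtered"
    if authenticated and auth_whitelist_enabled:
        return False, "authenticated session, Authentication Whitelist"
    return True, "external unauthenticated SMTP, tests apply"


# Constructed sessions: client IP and whether SMTP AUTH succeeded.
SESSIONS = [
    ("127.0.0.1", False),      # transport on the same host
    ("192.168.1.25", False),   # internal Exchange server
    ("203.0.113.40", True),    # field laptop on public Wi-Fi, authenticated
    ("203.0.113.40", False),   # same public IP, no authentication
    ("198.51.100.7", False),   # outside sender
]


def triage(sessions=SESSIONS, auth_whitelist_enabled=True):
    """Apply filtering_applies to each session; returns (ip, auth, filtered, reason)."""
    return [(ip, auth) + filtering_applies(ip, auth, auth_whitelist_enabled)
            for ip, auth in sessions]


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The third and fourth sessions are the case RJohnson asks about: the same public IP is skipped when the user authenticated and filtered when it did not, so a From: header pattern in the Keyword Blacklist would only ever be applied to the unauthenticated external session. Disabling the Authentication Whitelist (`auth_whitelist_enabled=False`) makes the authenticated laptop subject to the tests again, which is why the post says to keep it enabled at both filtering points.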
