Forum Discussion
Spoofed email being given SCL -1 due to user's safe senders list
Hey a b,
It is surprising to me that the email would be able to pass an SPF check, as you say it is. SPF should be looking for the sending server. I would guess this is being sent from somewhere like Microsoft?
1. I would report the behavior and bypass to Microsoft, especially if they are the sending server.
2. I would be interested to see more details from the actual header. I have never had issues with the email being spoofed and that address getting through because of filters. Normally the actual filtering is done on the internal headers of the email, and is good at catching stuff like spoofing as a result. As you said, yes, O365 should be checking for the actual sender, not a spoofed address, and in my experience that is what I have had happen.
Can you perhaps share a bit more information about the header (obviously taking into account removing any personal information)? Without that it is hard to speculate what could be going on.
Adam
- a b, Sep 18, 2018, Copper Contributor
Hi Adam,
Thanks for the reply.
No they're not being sent from Microsoft. A header section from an example one below:
Authentication-Results: spf=pass (sender IP is 162.241.190.238)
 smtp.mailfrom=calzadoroy.com; mydomain.co.uk; dkim=pass (signature was
 verified) header.d=calzadoroy.com; mydomain.co.uk; dmarc=none action=none
 header.from=goodguys.co.uk;
Received-SPF: Pass (protection.outlook.com: domain of calzadoroy.com
 designates 162.241.190.238 as permitted sender)
Received: from [201.141.93.6] (port=33313 helo=10.12.1.108)
 by cal.calzadoroy.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.91)
 (envelope-from <irene.alonso@calzadoroy.com>)
 id 1g284j-0005If-DK
 for myuser@mydomain.co.uk; Mon, 17 Sep 2018 22:37:25 -0600
Date: Mon, 17 Sep 2018 23:37:13 -0600
From: Good Guy <goodguy@goodguys.co.uk> <irene.alonso@calzadoroy.com>
So in this example, calzadoroy.com is a domain we have never heard of and don't do business with.
The IP address 201.141.93.6 is from Uruguay which is one of the countries listed in our spam filter to filter emails from.
goodguy@goodguys.co.uk is someone we do business with and this email address is listed in the recipient's safe senders list - so this is targeted spam.
Irene Alonso's name and email don't appear anywhere on the email the end user receives in Outlook 2016.
For the emails we receive like this where the recipient doesn't have the spoofed email address in their safe senders list the email will be correctly quarantined, however we're receiving a lot of ones where they have been added.
Thanks,
Rich
- Adam Ochs, Sep 18, 2018, Iron Contributor
Thanks for the details, that helps to paint a more complete picture.
So it looks like the IP that is being sent to you is 162.241.190.238, which is calzadoroy.com (which appears to be in Utah in the US: https://whatismyipaddress.com/ip/162.241.190.238).
calzadoroy.com received the message from 201.141.93.6 (Uruguay as you have said).
So to me, calzadoroy is likely having issues: the Uruguay IP is sending mail to them, which is then being sent on to you. I would want to see the full hops (not just one of them) to confirm this, but that is what I can tell from what you have provided.
It looks as if an account is set up with the user you know, with the intention of spamming out, but the SPF pass has nothing to do with that account. I would perhaps in this case get the IP associated with the domain you know, and whitelist the IP rather than the user; that would stop this problem, as it is not coming from the mail system of the company you work with, just a user. Also blacklisting 162.241.190.238, if you do no business with them, should help too. By just having goodguy@goodguys.co.uk whitelisted and not the sending IP, if that is the sending account (which it looks like someone set up a mail server to do), then you are not catching the spoof.
Hope this helps!
Adam
- a b, Sep 19, 2018, Copper Contributor
Hi,
Thanks again, yes the SPF pass is nothing to do with the spoofed account but I think it is helping these types of email get through the spam filter when they don't have an entry on the safe senders list.
I could blacklist that IP but it's just one of many we get emails from so I can't rely on that.
The main problem is that the emails get an SCL of -1 when a spoofed address is in the safe senders list of the recipient, which I find odd, as I wouldn't have thought it should even be checking for the spoofed address.
The way I see it at the moment, my options are:
- Find a way to quarantine emails with multiple email addresses in the From header.
or
- Find a way to disable safe senders lists so these emails don't get whitelisted and get a free ride through the spam filter.
Thanks for the help Adam, I'm a bit surprised I can't find others reporting the same problem - I must have screwed something up somewhere I guess!
Cheers,
Rich
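The two checks discussed in this thread, Adam's reading of the hops and authentication results and Rich's wish to quarantine messages with two addresses in the From header, can be expressed as plain detection logic over the headers. The following is an added illustration, not code from the thread or from Exchange Online; it uses Python's standard `email` parser on the header excerpt Rich posted (reproduced with its folding restored) plus two constructed variants. The verdict logic is an assumption about what a sensible filter should do: reject a From header that carries more than one mailbox outright, and only honour a safe senders entry when the From domain is aligned with the SPF or DKIM domain (or DMARC passed), so that an allowlisted display address cannot buy a free ride for an unrelated sending system.

```python
import re
from email import message_from_string

# Header excerpt as posted in the thread (line folding restored with leading spaces).
POSTED_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 162.241.190.238)
 smtp.mailfrom=calzadoroy.com; mydomain.co.uk; dkim=pass (signature was
 verified) header.d=calzadoroy.com; mydomain.co.uk; dmarc=none action=none
 header.from=goodguys.co.uk;
Received-SPF: Pass (protection.outlook.com: domain of calzadoroy.com
 designates 162.241.190.238 as permitted sender)
Received: from [201.141.93.6] (port=33313 helo=10.12.1.108)
 by cal.calzadoroy.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.91)
 (envelope-from <irene.alonso@calzadoroy.com>)
 id 1g284j-0005If-DK
 for myuser@mydomain.co.uk; Mon, 17 Sep 2018 22:37:25 -0600
Date: Mon, 17 Sep 2018 23:37:13 -0600
From: Good Guy <goodguy@goodguys.co.uk> <irene.alonso@calzadoroy.com>

"""

# Constructed variant (not from the thread): a single From address that is still
# unaligned with the SPF/DKIM domain, i.e. the same spoof without the second mailbox.
UNALIGNED_SINGLE_FROM = """\
Authentication-Results: spf=pass (sender IP is 162.241.190.238)
 smtp.mailfrom=calzadoroy.com; dkim=pass header.d=calzadoroy.com; dmarc=none
 header.from=goodguys.co.uk;
From: Good Guy <goodguy@goodguys.co.uk>

"""

# Constructed variant (not from the thread): what a genuine partner message looks like.
ALIGNED = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=goodguys.co.uk; dkim=pass header.d=goodguys.co.uk; dmarc=pass
 header.from=goodguys.co.uk;
From: Good Guy <goodguy@goodguys.co.uk>

"""

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
AR_KEYS = ("spf", "smtp.mailfrom", "dkim", "header.d", "dmarc", "header.from")


def unfold(value):
    """Collapse RFC 5322 header folding into a single line."""
    return re.sub(r"\s+", " ", value or "").strip()


def from_addresses(msg):
    """Every mailbox in the From header (RFC 5322 allows exactly one per message)."""
    return ADDR_RE.findall(unfold(msg.get("From")))


def auth_results(msg):
    """Extract result and domain tokens from the Authentication-Results header."""
    ar = unfold(msg.get("Authentication-Results"))
    out = {}
    for key in AR_KEYS:
        m = re.search(r"(?<![\w.])" + re.escape(key) + r"=([A-Za-z0-9.-]+)", ar)
        out[key] = m.group(1).lower() if m else None
    return out


def received_ips(msg):
    """Source IP recorded by each Received hop, newest hop first."""
    ips = []
    for hop in msg.get_all("Received", []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", unfold(hop))
        if m:
            ips.append(m.group(1))
    return ips


def classify(raw_headers, safe_senders=()):
    """Return (verdict, reasons); verdicts are 'quarantine', 'allow' or 'filter'.

    'filter' means the message gets normal spam scoring with no safe-sender bypass.
    """
    msg = message_from_string(raw_headers)
    senders = from_addresses(msg)
    ar = auth_results(msg)
    if len(senders) != 1:
        return "quarantine", [f"From header carries {len(senders)} addresses"]
    # Alignment in the DMARC sense: the visible From domain must match the domain
    # that actually passed SPF (envelope sender) or DKIM (signing domain).
    aligned = ar["header.from"] is not None and (
        (ar["spf"] == "pass" and ar["header.from"] == ar["smtp.mailfrom"])
        or (ar["dkim"] == "pass" and ar["header.from"] == ar["header.d"])
    )
    if ar["dmarc"] == "pass" or aligned:
        if senders[0].lower() in {s.lower() for s in safe_senders}:
            return "allow", ["authenticated sender is on the safe senders list"]
        return "filter", ["authenticated sender, not on the safe senders list"]
    return "filter", ["From domain not aligned with SPF/DKIM domain; safe senders list ignored"]


if __name__ == "__main__":
    msg = message_from_string(POSTED_HEADERS)
    print("hops:", received_ips(msg), "auth:", auth_results(msg))
    for name, hdrs in (("posted", POSTED_HEADERS), ("single", UNALIGNED_SINGLE_FROM), ("aligned", ALIGNED)):
        print(name, classify(hdrs, ["goodguy@goodguys.co.uk"]))
```

Run against the posted headers this yields the single Uruguayan hop Adam pointed at, `header.from=goodguys.co.uk` against `smtp.mailfrom=calzadoroy.com`, and a quarantine verdict on the doubled From header; the constructed single-address variant is not quarantined but also gets no safe-sender bypass, which is the behaviour Rich expected from the filter in the first place.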