Forum Discussion
Spoofed email being given SCL -1 due to user's safe senders list
Hey a b,
It is surprising to me that the email would be able to pass an SPF check, as you say it is. SPF should be looking for the sending server. I would guess this is being sent from somewhere like Microsoft?
1. I would report the behavior and bypass to Microsoft, especially if they are the sending server.
2. I would be interested to see more details from the actual header. I have never had issues with the email being spoofed and that address getting through because of filters. Normally the actual filtering is done on the internal headers of the email, and is good about catching stuff like spoofing as a result. As you said, yes, O365 should be checking for the actual sender, not a spoofed address, and in my experience that is what I have had happen.
Can you perhaps share a bit more information about the header (obviously taking into account removing any personal information)? Without that it is hard to speculate what could be going on.
Adam
Hi Adam,
Thanks for the reply.
No they're not being sent from Microsoft. A header section from an example one below:
Authentication-Results: spf=pass (sender IP is 162.241.190.238)
smtp.mailfrom=calzadoroy.com; mydomain.co.uk; dkim=pass (signature was
verified) header.d=calzadoroy.com; mydomain.co.uk; dmarc=none action=none
header.from=goodguys.co.uk;
Received-SPF: Pass (protection.outlook.com: domain of calzadoroy.com
designates 162.241.190.238 as permitted sender)
Received: from [201.141.93.6] (port=33313 helo=10.12.1.108)
by cal.calzadoroy.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <irene.alonso@calzadoroy.com>)
id 1g284j-0005If-DK
for myuser@mydomain.co.uk; Mon, 17 Sep 2018 22:37:25 -0600
Date: Mon, 17 Sep 2018 23:37:13 -0600
From: Good Guy <goodguy@goodguys.co.uk> <irene.alonso@calzadoroy.com>
--------------------------------------------------------------------------
So in this example, calzadoroy.com is a domain we have never heard of and don't do business with.
The IP address 201.141.93.6 is from Uruguay which is one of the countries listed in our spam filter to filter emails from.
goodguy@goodguys.co.uk is someone we do business with and this email address is listed in the recipient's safe senders list - so this is targeted spam.
And Irene Alonso's name and email address don't appear anywhere on the email the end user receives in Outlook 2016.
For the emails we receive like this where the recipient doesn't have the spoofed email address in their safe senders list the email will be correctly quarantined, however we're receiving a lot of ones where they have been added.
Thanks,
Rich
- Adam Ochs, Sep 18, 2018, Iron Contributor
Thanks for the details, that helps to paint a more complete picture.
So it looks like the IP that is being sent to you is 162.241.190.238, which is calzadoroy.com (which appears to be in Utah in the US - https://whatismyipaddress.com/ip/162.241.190.238).
calzadoroy.com received the message from 201.141.93.6 (Uruguay as you have said).
So to me, calzadoroy is likely having issues: the Uruguay IP is sending mail to them, which is then being sent on to you. I would want to see the full hops (not just one of them) to confirm this, but that is what I can tell from what you have provided.
It looks as if an account is set up with the user you know, with the intention of spamming out, but the SPF pass has nothing to do with that account. I would perhaps in this case get the IP associated with the domain you know, and whitelist the IP rather than the user; that would stop this problem, as it is not coming from the mail system of the company you work with, just a user. Also blacklisting 162.241.190.238, if you do no business with them, should help too. By just having goodguy@goodguys.co.uk whitelisted and not the sending IP, if that is the sending account (which it looks like someone set up a mail server to do), then you are not catching the spoof.
Hope this helps!
Adam
- a b, Sep 19, 2018, Copper Contributor
Hi,
Thanks again, yes the SPF pass is nothing to do with the spoofed account but I think it is helping these types of email get through the spam filter when they don't have an entry on the safe senders list.
I could blacklist that IP but it's just one of many we get emails from so I can't rely on that.
The main problem is that the emails get an SCL of -1 when a spoofed address is in the safe senders list of the recipient. Which I find odd as I wouldn't have thought it should even be checking for the spoofed address.
The way I see it at the moment, my options are:
-Find a way to quarantine emails with multiple email addresses in the From header.
or
-Find a way to disable safe senders lists so these emails don't get whitelisted and get a free ride through the spam filter.
Thanks for the help Adam, I'm a bit surprised I can't find others reporting the same problem - I must have screwed something up somewhere I guess!
Cheers,
Rich
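To make the two points in this exchange concrete (Adam's "the SPF pass has nothing to do with that account" and Rich's first option of quarantining mail with more than one address in the From header), here is a small triage script. It is an added example, not code from this thread, from Microsoft or from Exchange Online Protection. It reads the Authentication-Results header stamped by the receiving edge and the raw From header, counts the addr-specs in From, and checks whether the SPF domain (smtp.mailfrom) and DKIM domain (header.d) align with the visible From domain in the relaxed DMARC sense. The two sample messages are constructed from the fragment Rich posted (same placeholder domains, with the folded continuation lines re-indented); the alignment check is a simplification that does not consult the public suffix list.

```python
"""Triage a message whose SPF/DKIM pass but whose From is spoofed.

Added example for this thread, not code from the forum or from Microsoft.
Reports (a) how many addr-specs From carries (a normal From has one) and
(b) whether smtp.mailfrom / header.d align with the From domain.
Standard library only.
"""
import email
import re

# Constructed samples modelled on the fragment posted in the thread; the
# folded continuation lines are re-indented so the parser joins them.
SPOOFED = """\
Authentication-Results: spf=pass (sender IP is 162.241.190.238)
 smtp.mailfrom=calzadoroy.com; mydomain.co.uk; dkim=pass (signature was
 verified) header.d=calzadoroy.com; mydomain.co.uk; dmarc=none action=none
 header.from=goodguys.co.uk;
From: Good Guy <goodguy@goodguys.co.uk> <irene.alonso@calzadoroy.com>
To: myuser@mydomain.co.uk

(body omitted)
"""

LEGIT = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=goodguys.co.uk; mydomain.co.uk; dkim=pass (signature was
 verified) header.d=goodguys.co.uk; mydomain.co.uk; dmarc=pass action=none
 header.from=goodguys.co.uk;
From: Good Guy <goodguy@goodguys.co.uk>
To: myuser@mydomain.co.uk

(body omitted)
"""

BRACKETED = re.compile(r"<\s*([^<>\s]+@[^<>\s]+)\s*>")
BARE = re.compile(r"[^\s<>,;\"]+@[^\s<>,;\"]+")
AUTHRES = {
    "spf": r"\bspf=(\w+)",
    "smtp_mailfrom": r"\bsmtp\.mailfrom=([^\s;]+)",
    "dkim": r"\bdkim=(\w+)",
    "dkim_d": r"\bheader\.d=([^\s;]+)",
    "dmarc": r"\bdmarc=(\w+)",
    "header_from": r"\bheader\.from=([^\s;]+)",
}


def unfold(value):
    """Collapse RFC 5322 folding whitespace into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def from_addresses(msg):
    """Every addr-spec in From, in header order, lower-cased.

    The raw value is scanned with a regex rather than
    email.utils.getaddresses(), whose strict mode in current Python returns
    [('', '')] for a From with two addr-specs and no comma, hiding the very
    thing we want to count.
    """
    raw = unfold(msg.get("From"))
    found = BRACKETED.findall(raw) or BARE.findall(raw)
    return [a.lower() for a in found]


def parse_authres(msg):
    """Verdict fields from the first Authentication-Results header, i.e. the
    one added by the receiving edge; any below it came from earlier hops and
    could have been written by the sender."""
    headers = msg.get_all("Authentication-Results") or []
    text = unfold(headers[0]) if headers else ""
    result = {}
    for key, pattern in AUTHRES.items():
        m = re.search(pattern, text)
        result[key] = m.group(1).lower() if m else None
    return result


def relaxed_aligned(a, b):
    """Approximation of relaxed DMARC alignment: equal, or one is a
    subdomain of the other. A real check compares organisational domains
    via the public suffix list; that is omitted here (assumption)."""
    if not a or not b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def assess(raw):
    """Return the findings a quarantine rule would act on."""
    msg = email.message_from_string(raw)
    addrs = from_addresses(msg)
    ar = parse_authres(msg)
    visible = addrs[0] if addrs else None  # the address a mail client displays
    from_domain = visible.rsplit("@", 1)[-1] if visible else None
    spf_aligned = ar["spf"] == "pass" and relaxed_aligned(ar["smtp_mailfrom"], from_domain)
    dkim_aligned = ar["dkim"] == "pass" and relaxed_aligned(ar["dkim_d"], from_domain)
    flags = []
    if len(addrs) != 1:
        flags.append("from_has_%d_addr_specs" % len(addrs))
    if not spf_aligned:
        flags.append("spf_not_aligned_with_from")
    if not dkim_aligned:
        flags.append("dkim_not_aligned_with_from")
    return {
        "visible_from": visible,
        "hidden_from": addrs[1:],
        "authres": ar,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "flags": flags,
        "quarantine": bool(flags),
    }


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, assess(sample))
```

On the spoofed sample the script reports the From header carrying two addr-specs, with goodguy@goodguys.co.uk as the displayed one, and both SPF and DKIM passing for calzadoroy.com rather than for the displayed domain, so it recommends quarantine; the legitimate sample comes back clean. A safe-senders bypass keyed on the displayed address alone would never see either of those signals, which is the gap Rich describes.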
- Fredrik Jonsson, Oct 23, 2018, Copper Contributor
Well, we have the exact same issue and are trying to figure out if the checkbox "also trust e-mail from contacts" in the spam filter's allowed sender setting is generating this behaviour. What we've seen so far is that if you have an e-mail address in the safe senders list, that will bypass policies even if the mail is clearly a spoofed one (the header includes that the mail didn't pass SPF). It simply bypasses at least the default policies and looks like a perfectly normal e-mail at the receiving end. We use the hard fail setting that should stop this mail.
If that is the case, everyone with that check has no protection against those spoofed VD-mails coming from someone in your own organisation, since many in the organisation are often in your contacts. That check seems to be on by default, at least on our clients. I have an open case with Microsoft on how to turn off that setting in the entire environment. It is not good behaviour if everyone in the organisation passes on clearly spoofed mails because of the settings in allowed sender settings.
Another bad behaviour is that every user in the organisation can right-click, for example, the CEO and add him to the safe senders list. That's a perfectly normal behaviour if the CEO's mail ends up as trash one time. After that anyone can spoof you with the CEO's address?!?!
Well we have the exact same issue and are trying to figure out if the checkbox "also trust e-mail from contacts" in the spamfilters allow sender setting is generating this behaviour. What we´ve seen so far is that if you have an e-mail adress in the safe sender list, that will bypass policys even if the mail is clearly a spoofed one (the header includes that the mail didnt pass SPF). It simply bypasses at least the default policys and looks like a perfectly normal e-mail at the recieving end. We use the hardfail setting that should stop this mail. If that is the case everyone with that check has no protection against thoose Spoofed VD-mails coming from someone in youre own organisation since many in the organisation often is in youre contacts. That check seems to be on by default at least on our clients. Has an open case with Microsoft on how to turn of that settings in the entire environment. It is not a good behavior if everyone in the organisation passes on clearly spoofed mails because of the settings in allowed sender settings. Another bad behevior is that every user in the organisation can rightclick for exampel the CEO and add him to the safesenderlist. Thats a perfectly normal behavior if the CEOs mail ends up as trash one time. After that anyone can spoof you with the CEOs Adress?!?!