Spoofed email being given SCL -1 due to user's safe senders list


I have an issue where users are getting email where there is a spoofed email address in the header part of an email, e.g.:

 

envelope from: <bad@bad.com> 

from: Good Guy <goodguy@goodco.com> <bad@bad.com>

 

The email passes SPF checks and skips quarantine because the recipient has goodguy@goodco.com added to their safe senders list in Outlook.

 

Shouldn't 365 be checking the safe senders list for the bad@bad.com address not the spoofed one?!

 

The only thing I think I can do to block these at the moment is clear all users' safe senders lists in PowerShell, but I'm not sure that is a good solution.

 

Any suggestions?

Thanks

9 Replies

Hey @a b,

 

It is surprising to me that the email would be able to pass an SPF check, as you say it is. SPF should be looking for the sending server. I would guess this is being sent from somewhere like Microsoft?

1. I would report the behavior and bypass to Microsoft, especially if they are the sending server.

 

2. I would be interested to see more details from the actual header. I have never had issues with the email being spoofed and that address getting through because of filters. Normally the actual filtering is done on the internal headers of the email, and is good about catching stuff like spoofing as a result. As you said, yes, O365 should be checking for the actual sender, not a spoofed address, and in my experience that is what I have had happen.

 

Can you perhaps share a bit more information about the header (obviously taking into account removing any personal information)? Without that it is hard to speculate what could be going on.

 

Adam

Hi Adam,

 

Thanks for the reply.

 

No, they're not being sent from Microsoft. A header section from an example one is below:

 

Authentication-Results: spf=pass (sender IP is 162.241.190.238)
smtp.mailfrom=calzadoroy.com; mydomain.co.uk; dkim=pass (signature was
verified) header.d=calzadoroy.com; mydomain.co.uk; dmarc=none action=none
header.from=goodguys.co.uk;

Received-SPF: Pass (protection.outlook.com: domain of calzadoroy.com
designates 162.241.190.238 as permitted sender)

 

Received: from [201.141.93.6] (port=33313 helo=10.12.1.108)
by cal.calzadoroy.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <irene.alonso@calzadoroy.com>)
id 1g284j-0005If-DK
for myuser@mydomain.co.uk; Mon, 17 Sep 2018 22:37:25 -0600
Date: Mon, 17 Sep 2018 23:37:13 -0600
From: Good Guy <goodguy@goodguys.co.uk> <irene.alonso@calzadoroy.com>

--------------------------------------------------------------------------

 

So in this example, calzadoroy.com is a domain we have never heard of and don't do business with.

The IP address 201.141.93.6 is from Uruguay which is one of the countries listed in our spam filter to filter emails from.

goodguy@goodguys.co.uk is someone we do business with and this email address is listed in the recipient's safe senders list, so this is targeted spam.

And Irene Alonso's name and email don't appear anywhere on the email the end user receives in Outlook 2016.

 

 

For the emails we receive like this where the recipient doesn't have the spoofed email address in their safe senders list, the email will be correctly quarantined; however, we're receiving a lot of ones where they have been added.

 

Thanks,

Rich

 

Thanks for the details, that helps to paint a more complete picture.

 

So it looks like the IP that is being sent to you is 162.241.190.238, which is calzadoroy.com (which appears to be in Utah in the US: https://whatismyipaddress.com/ip/162.241.190.238).

 

calzadoroy.com received the message from 201.141.93.6 (Uruguay as you have said).

 

So to me, calzadoroy is likely having issues: the Uruguay IP is sending mail to them, which is then being sent on to you. I would want to see the full hops (not just one of them) to confirm this, but from what I can tell from what you have provided.

It looks as if an account is set up with the user you know, with the intention of spamming out, but the SPF pass has nothing to do with that account. I would perhaps in this case get the IP associated with the domain you know, and whitelist the IP rather than the user; that would stop this problem as it is not coming from the mail system of the company you work with, just a user. Also blacklisting 162.241.190.238 if you do no business with them should help too.

 

By just having goodguy@goodguys.co.uk whitelisted and not the sending IP, if that is the sending account (which it looks like someone set up a mail server to do), then you are not catching the spoof.

 

Hope this helps!

Adam

Hi,

 

Thanks again. Yes, the SPF pass is nothing to do with the spoofed account, but I think it is helping these types of email get through the spam filter when they don't have an entry on the safe senders list.

 

I could blacklist that IP but it's just one of many we get emails from so I can't rely on that.

 

The main problem is that the emails get an SCL of -1 when a spoofed address is in the safe senders list of the recipient, which I find odd as I wouldn't have thought it should even be checking for the spoofed address.

 

The way I see it at the moment, my options are:

 

- Find a way to quarantine emails with multiple email addresses in the From header.

or

- Find a way to disable safe senders lists so these emails don't get whitelisted and get a free ride through the spam filter.

 

 

Thanks for the help Adam. I'm a bit surprised I can't find others reporting the same problem; I must have screwed something up somewhere, I guess!

 

Cheers,

Rich

Hey Rich,

 

Good chance Exchange just decided it didn't want to play nice too :). That seems to be its fallback plan.

 

This is one of those that I think a premier case would not be bad on (just a low priority) as they may be able to find something out for you, but it just may not be the quickest resolution.

 

Hope you have a good day!

Adam

Well, we have the exact same issue and are trying to figure out if the checkbox "also trust e-mail from contacts" in the spam filter's allowed sender setting is generating this behaviour. What we've seen so far is that if you have an e-mail address in the safe senders list, that will bypass policies even if the mail is clearly a spoofed one (the header includes that the mail didn't pass SPF). It simply bypasses at least the default policies and looks like a perfectly normal e-mail at the receiving end. We use the hard fail setting that should stop this mail. If that is the case, everyone with that check has no protection against those spoofed CEO mails coming from someone in your own organisation, since many in the organisation are often in your contacts. That check seems to be on by default, at least on our clients. We have an open case with Microsoft on how to turn off that setting in the entire environment. It is not a good behaviour if everyone in the organisation passes on clearly spoofed mails because of the settings in allowed sender settings.

Another bad behaviour is that every user in the organisation can right-click, for example, the CEO and add him to the safe senders list. That's a perfectly normal behaviour if the CEO's mail ends up as trash one time. After that, anyone can spoof you with the CEO's address?!?!

I am referring to this.

 

Safe senders and recipients

Safe senders are people and domains you always want to receive email messages from. Safe recipients are recipients that you don't want to block, usually groups that you’re a member of. Messages received from any email address or domain in your safe senders and recipients list are never sent to your Junk Email folder.

IMPORTANT: The server that hosts your mailbox may have junk email filtering settings that block messages before they reach your mailbox.

 

 
Add a sender or a domain to the safe senders list
  1. Sign in to Outlook Web App. For help, see Getting started in Outlook Web App.

  2. At the top of the page, select Settings > Mail.

  3. Under Options, select Block or allow.

  4. To add an entry to Safe senders and recipients, enter the email address or domain that you want to mark as safe in the Enter a sender or domain here text box, and then press Enter or select the Add icon next to the text box.

    • For example, to mark all email from addresses that end in contoso.com as safe, enter contoso.com in the text box.

    • To mark a specific person as safe, enter that person's full email address. For example, to mark all messages from KatieJ@contoso.com as safe, enter KatieJ@contoso.com in the text box.

  5. (Optional) Select the Trust email from my contacts check box to treat email from any address in your contacts folders as safe.

  6. Select Save to save your changes.

Does anyone have a better solution for this?

Just had a user add the CEO to her Safe Senders, and get a Phishing email in her inbox, even with ATP flagging it.

@a b 

I confirm this too.

 

An attacker used a compromised domain to send out email to one of our internal users with the "From" as her manager.

E.g. Susie@contoso.com received email 'From' mary@contoso.com, but the email was sent from outside the organization. But since Susie had Mary's name in her safe senders list, the spam filter did no checks and just allowed the email through.

This attack was even supported by the fact that the compromised domain was using a 3rd party provider for mass emails (like MailGun) and so were we. Owing to this we both had mailgun IPs in our SPF records, so in fact the SPF did pass due to this.

Microsoft support confirmed that the safe senders list supersedes any domain or spam filtering.

Only an SPF hard fail would've helped here according to MS Support.

 

As a mitigation technique, we now have a banner for all emails coming from outside the organisation and also a mail flow rule that if there are emails coming from outside that are using any of our verified domains, then send to administrator for approval.

Clearing everyone's safe senders list would only be a temp solution. I want Microsoft to give us an option for users to not be allowed to add users from internal domain into the safe senders list.

 

Vikas
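Two of the suggestions in this thread can be expressed as header checks that run before a safe senders entry is allowed to set SCL -1: Rich's option of flagging a From header that carries more than one address, and Vikas's mail flow rule for external mail that uses one of the organisation's own verified domains. The following Python is an added example written for this page; it is not code from any poster and not how Exchange Online Protection implements anything. The first sample is modelled on the header Rich posted; the second is a constructed sample for Vikas's scenario where SPF passes for the spoofed internal domain (the shared bulk-mail provider case he describes). The helper names, the `is_external` flag (assumed to be decided by the mail gateway's connector/direction logic) and the verified-domain list are all assumptions.

```python
"""Added example, not code from the thread: header checks for the conditions
discussed above. Helper names and the is_external flag are assumptions."""
import re

# Constructed sample modelled on the header Rich posted: SPF passes for the
# envelope domain calzadoroy.com, while the From display name carries a second,
# unrelated address (the one on the recipient's safe senders list).
SAMPLE_DISPLAY_NAME_SPOOF = """\
Authentication-Results: spf=pass (sender IP is 162.241.190.238)
 smtp.mailfrom=calzadoroy.com; mydomain.co.uk; dkim=pass (signature was
 verified) header.d=calzadoroy.com; mydomain.co.uk; dmarc=none action=none
 header.from=goodguys.co.uk;
From: Good Guy <goodguy@goodguys.co.uk> <irene.alonso@calzadoroy.com>
To: myuser@mydomain.co.uk
Subject: Invoice
"""

# Constructed sample for Vikas's scenario: one plain From address in our own
# domain and an SPF pass (shared bulk-mail provider IPs), but the message
# arrived from outside the organisation.
SAMPLE_INTERNAL_DOMAIN_SPOOF = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; contoso.com; dkim=none;
 dmarc=none action=none header.from=contoso.com;
From: Mary <mary@contoso.com>
To: susie@contoso.com
Subject: Urgent request
"""

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_headers(raw):
    """Minimal header parser: unfold continuation lines, then map lower-cased
    header name -> value (first occurrence wins)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    headers = {}
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def from_addresses(headers):
    """Every distinct address token in From, in order of appearance. A regex is
    used deliberately: a From with two angle-addr parts is exactly the input
    on which library address parsers behave differently across versions."""
    seen = []
    for addr in ADDRESS_RE.findall(headers.get("from", "")):
        if addr.lower() not in seen:
            seen.append(addr.lower())
    return seen


def has_multiple_from_addresses(headers):
    """Rich's first option: more than one address in the From header."""
    return len(from_addresses(headers)) > 1


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def spf_aligned(headers):
    """True only when SPF passed *and* the checked envelope domain
    (smtp.mailfrom) equals the From domain the filter recorded (header.from).
    Missing fields count as not aligned. An SPF pass for an unrelated envelope
    domain, as in the posted header, says nothing about the visible sender."""
    ar = headers.get("authentication-results", "")
    spf = re.search(r"\bspf=(\w+)", ar)
    mailfrom = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", ar)
    header_from = re.search(r"\bheader\.from=([^\s;]+)", ar)
    if not (spf and mailfrom and header_from) or spf.group(1).lower() != "pass":
        return False
    return domain_of(mailfrom.group(1)) == domain_of(header_from.group(1))


def spoofs_internal_domain(headers, verified_domains, is_external):
    """Vikas's mail flow rule: external mail whose From uses one of our own
    verified domains. Whether a message is external is assumed to come from
    the gateway (connector/direction), so it is passed in as a flag."""
    ours = {d.lower() for d in verified_domains}
    return is_external and any(domain_of(a) in ours for a in from_addresses(headers))


def assess(raw, verified_domains, is_external):
    """Return the reasons a message should not get a free pass from a safe
    senders entry; an empty list means none of the checks fired."""
    headers = parse_headers(raw)
    reasons = []
    if has_multiple_from_addresses(headers):
        reasons.append("multiple addresses in From: " + ", ".join(from_addresses(headers)))
    if not spf_aligned(headers):
        reasons.append("SPF pass is not aligned with the From domain")
    if spoofs_internal_domain(headers, verified_domains, is_external):
        reasons.append("external message uses a verified internal domain in From")
    return reasons


if __name__ == "__main__":
    print(assess(SAMPLE_DISPLAY_NAME_SPOOF, ["mydomain.co.uk"], True))
    print(assess(SAMPLE_INTERNAL_DOMAIN_SPOOF, ["contoso.com"], True))
```

The two samples fire different checks, which is the point: the posted header is caught by the multiple-address test and by the alignment test (SPF passed for calzadoroy.com, not for the goodguys.co.uk address the user sees), while the internal-domain case is fully aligned and has a clean From, so only the external-plus-own-domain rule catches it. Neither check depends on the recipient's safe senders list, which is what makes them suitable to run ahead of it.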