cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

alot of users getting spam

GV IT
Brass Contributor

‎Apr 09 2019 02:36 AM - edited ‎Apr 09 2019 02:46 AM

‎Apr 09 2019 02:36 AM - edited ‎Apr 09 2019 02:46 AM

alot of users getting spam

a few of our users are getting spam emails that make it seems that the emails are from microsoft.

some are received from their own email address.

upon checking the header, we found this.

dmarc failed.

what else can we do to block such span emailspam2.jpg

 

Authentication-Results: spf=none (sender IP is 92.38.163.78)
smtp.mailfrom=noreply.barracudanetworks.com; goldxxxxxx.com.sg; dkim=none
(message not signed) header.d=none;golxxxx.com.sg; dmarc=fail
action=none header.from=golxxxxxxx.com.sg;compauth=fail reason=601
Received-SPF: None (protection.outlook.com: noreply.barracudanetworks.com does
not designate permitted sender hosts)
Received: from noreply.barracudanetworks.com (92.38.163.78) by
PU1APC01FT028.mail.protection.outlook.com (10.152.252.229) with Microsoft

 

Labels:
2,856 Views
0 Likes
2 Replies
Reply
2 Replies
Vasil Michev

‎Apr 09 2019 10:03 AM

‎Apr 09 2019 10:03 AM

Re: alot of users getting spam

Well, compauth=fail is a very strong signal, although I'm not sure what reason 601 exactly is. In any case, the message should have been marked as phish or spam. Read more here: https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spoofing-protection

0 Likes
Reply
W12345678

‎Apr 09 2019 10:17 AM

‎Apr 09 2019 10:17 AM

RE: alot of users getting spam

I do it in a couple of steps. allow through if Authentication-Results header includes dkim=pass and \.d=microsoft.com Then Quarantine anything with (?i)microsoft in the header. You have to be specific and can't just look at spf or dkim=pass without looking at what it's passing.
0 Likes
Reply