

1101



#277351 9-Oct-2020 14:13

Hi. A general question about spam filtering services.

Spoofed emails: is it too much to expect spoofed emails to be blocked by professional spam blocking systems/services?
Specifically emails spoofed to look like they came from within the company's domain.

E.g.
Email spoofed to look like it came from within the company.
From in Outlook shows as from (say) theboss@company.co.nz
Headers: From shows 'theboss@company.co.nz', but ACTUAL sender in the headers shows (say) mrhacker@clickmeplease.com

Ignoring SPF filtering ...
Can/should a spam filter detect spoofed emails pretending to be from the domain (Exchange server IP) but came from somewhere else?
Not expecting every spoofed email to be blocked, I would have expected the domain's email address to be protected from spoofing when this shows in the headers.

Is there more to it than what I'm thinking?


Andib

  #2581929 9-Oct-2020 14:25

Yes and no. There are some legitimate reasons to spoof an email (marketing departments seem to love using a 3rd party sender to bulk email but insist it comes from the corporate domain and not a sub domain). This is why DKIM / SPF / DMARC are important to prove what is genuine and what isn't.

I know filtering services like Office365 ATP & Mimecast both offer anti-spoofing protections that work pretty well in the situations you've described; however, there will always be some that fall through the cracks.





<# 
       .DISCLAIMER
       Anything I post is my own and not the views of my past/present/future employer.
#>




K8Toledo


  #2581963 9-Oct-2020 15:34

Who is your email provider?


BlakJak

  #2582144 9-Oct-2020 22:19

1101:

Hi. A general question about spam filtering services.

Spoofed emails: is it too much to expect spoofed emails to be blocked by professional spam blocking systems/services?
Specifically emails spoofed to look like they came from within the company's domain.

E.g.
Email spoofed to look like it came from within the company.
From in Outlook shows as from (say) theboss@company.co.nz
Headers: From shows 'theboss@company.co.nz', but ACTUAL sender in the headers shows (say) mrhacker@clickmeplease.com

Ignoring SPF filtering ...
Can/should a spam filter detect spoofed emails pretending to be from the domain (Exchange server IP) but came from somewhere else?
Not expecting every spoofed email to be blocked, I would have expected the domain's email address to be protected from spoofing when this shows in the headers.

Is there more to it than what I'm thinking?

 

 

Remember that SPF is only enforced on the envelope, that is, the details exchanged during the SMTP transaction. The details that appear in the headers can be (and are) engineered to differ from the envelope.

 

 

The Envelope consists of the input for the MAIL FROM: SMTP command, which is usually the sender email address, and the RCPT TO: instruction, which is the list of all the relevant recipients for that server.

 

This is how BCC works - RCPT TO specifies the recipient, but the recipient's email address otherwise appears nowhere in the message (ala the headers), except where added by the recipient's own mail platform.

 

 

So SPF alone - assuming the domain being forged actually publishes an SPF record that also includes a hardfail instruction - won't protect you if they engineer the envelope differently during transmission.

 

 

Agree with the assertion that DKIM and DMARC are worthy additions that'll help.

 

 

But at the end of the day spammers find that even where the sender address isn't forged, people will fall for things, so this is only incremental in value.

 

One tip: Outlook will show the sender email address, in addition to the name, if the email comes from outside.

 





No signature to see here, move along...
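The envelope/header split discussed in this thread, as an added example that is not from any poster: a Python check a filter could run on mail arriving from outside, comparing the SMTP `MAIL FROM` domain (what SPF evaluates) with the `From:` header domain (what Outlook displays). The function names, verdict strings, protected domain and sample message are assumptions constructed for illustration, and the domain match is a simplification of DMARC alignment.

```python
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "company.co.nz"  # assumption: the organisation's own domain

def domain_of(address):
    """Lower-cased domain part of an address, or '' if it has none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_under(domain, parent):
    """True if domain is parent itself or one of its subdomains."""
    return domain == parent or domain.endswith("." + parent)

def check_inbound(envelope_mail_from, raw_message, protected=PROTECTED_DOMAIN):
    """Classify one message received from an external server.

    envelope_mail_from: address given in the SMTP MAIL FROM command.
    raw_message: the message text, headers included.
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return "malformed"  # no From header, or several competing ones
    header_domain = domain_of(from_headers[0])
    envelope_domain = domain_of(envelope_mail_from)
    if not header_domain:
        return "malformed"
    if is_under(header_domain, protected):
        if is_under(envelope_domain, protected):
            # SPF on the envelope now says something about the visible sender.
            return "aligned-internal"
        # Displayed sender is ours but SPF was evaluated for another domain:
        # a forgery, or a third-party bulk sender that needs a DKIM signature.
        return "unaligned-internal-from"
    return "aligned" if envelope_domain == header_domain else "unaligned"

# Constructed sample using the addresses from the original question.
SAMPLE = (
    "From: The Boss <theboss@company.co.nz>\n"
    "To: accounts@company.co.nz\n"
    "Subject: Urgent payment\n"
    "\n"
    "Please action today.\n"
)

if __name__ == "__main__":
    print(check_inbound("mrhacker@clickmeplease.com", SAMPLE))
```

An `unaligned-internal-from` verdict is a reason to quarantine or to require a passing DKIM signature for the header domain, which is the decision a published DMARC policy automates.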
