Some clever spoofing

General eFa discussion
snit_gary
Posts: 9
Joined: 06 Oct 2017 09:55

Some clever spoofing

Post by snit_gary »

Hi EFA forums,
I'm having an issue with the filter allowing through some spoofed emails. I'm not really sure what's going on, but hopefully someone here will.
Basically a user (user1@company.com) is receiving emails from user2@company.com which look absolutely legit. No weird reply-to address, and they even have a basic signature (similar to the phone one but not the real one). It's not limited to one sender; it's been a few within the company.

All emails have a simple message: pay this invoice. All come with a Word doc attachment which looks dodgy.

EFA shows the emails coming from different IPs, relayed via multiple other ones.

The from email will show as User2 <user2@company.com> <randomemail@randomemail.com>
The spam score always comes in under 1, so they are never flagged, and the document isn't a virus; it just has a bad link in it.

I have added the sender access restrictions from this thread: viewtopic.php?t=1237
They work if I telnet in and try to send as company.com.

Can anyone help? Happy to provide any more info if needed.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Some clever spoofing

Post by shawniverson »

Are you sure that's originating from the outside?
snit_gary
Posts: 9
Joined: 06 Oct 2017 09:55

Re: Some clever spoofing

Post by snit_gary »

Absolutely. Internal emails do not flow through the EFA, and the IPs it was received from and relayed through are in other countries.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Some clever spoofing

Post by shawniverson »

I would need to see a sanitized message header and scan report.
snit_gary
Posts: 9
Joined: 06 Oct 2017 09:55

Re: Some clever spoofing

Post by snit_gary »

Is this ok?
Attachment: Header1.png (screenshot of the sanitized message header)
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Some clever spoofing

Post by shawniverson »

So, I'm assuming that 'ifoodpacking.com.mx' is not you, so the sender is technically not lying about being you, in the sense that the envelope from is 'ifoodpacking.com.mx', so sender access restrictions are bypassed.

What is tripping up postfix and mailscanner, as you point out, is the deliberately malformed From: header address.
I'm guessing the user sees the first part in their mailbox. Clever indeed.

There's one way off the top of my head you can deal with this... a From: should not have two consecutive '<>'s.

/etc/postfix/header_checks

    # Block malformed header From:
    /^From:.*<.*>.*<.*>$/ REJECT

Then rebuild the table and reload postfix:

    # postmap is only needed when header_checks is declared as an indexed (hash:) table;
    # a regexp: or pcre: table is read as-is, but postfix still has to be reloaded
    sudo postmap /etc/postfix/header_checks
    service postfix reload
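As an added illustration (not code from the thread, eFa or Postfix), the following Python script applies the header_checks pattern above to a few constructed From: values and compares it with a quote-aware count of angle-addrs. The sample headers are made up for the example; the real spoofed header only exists in the screenshot. The comparison shows the one false positive the plain regexp has: a display name that legitimately contains angle brackets inside a quoted string.

```python
import re

# Constructed sample From: header values (not taken from the thread's screenshot).
SAMPLES = {
    # the pattern the thread describes: a real-looking internal address
    # followed by a second angle-addr
    "spoof_two_angle_addrs": "User2 <user2@company.com> <randomemail@randomemail.com>",
    "legit_simple": "User2 <user2@company.com>",
    # legitimate but unusual: angle brackets inside a quoted display name
    "legit_quoted_brackets": '"<Sales> Team" <sales@company.com>',
    "bare_addrspec": "user2@company.com",
}

# The thread's header_checks pattern as a Python regex. Postfix matches
# header_checks patterns against the whole logical header line (field name
# included, folded continuation lines joined), case-insensitively by default.
THREAD_PATTERN = re.compile(r"^From:.*<.*>.*<.*>$", re.IGNORECASE)


def thread_rule_rejects(header_line):
    """True when the thread's regexp would REJECT this logical header line."""
    return THREAD_PATTERN.search(header_line) is not None


def angle_addrs(value):
    """Return the addr-specs inside <...> in a From: value, ignoring '<' and '>'
    that appear inside a quoted display name (an RFC 5322 quoted-string)."""
    addrs = []
    in_quote = False
    current = None  # list of chars while inside an angle-addr, else None
    i = 0
    while i < len(value):
        c = value[i]
        if in_quote and c == "\\":
            i += 2  # skip the escaped character inside the quoted-string
            continue
        if c == '"' and current is None:
            in_quote = not in_quote
        elif not in_quote:
            if c == "<" and current is None:
                current = []
            elif c == ">" and current is not None:
                addrs.append("".join(current))
                current = None
            elif current is not None:
                current.append(c)
        i += 1
    return addrs


def malformed_from(value):
    """Stricter form of the same check: more than one angle-addr outside quotes."""
    return len(angle_addrs(value)) > 1


def classify(samples):
    """Map sample name -> (thread regexp rejects?, quote-aware check rejects?)."""
    return {
        name: (thread_rule_rejects("From: " + value), malformed_from(value))
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:24s} thread_regexp={verdict[0]!s:5s} quote_aware={verdict[1]}")
```

To check the live rule on the appliance, `postmap -q 'From: User2 <user2@company.com> <x@example.net>' regexp:/etc/postfix/header_checks` prints REJECT when the pattern matches, and a legitimate single-address From: prints nothing. Note that the rule only catches the two-angle-addr trick; a From: of the form `User2 <randomemail@randomemail.com>` (display name spoof only) has one angle-addr and passes it.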
snit_gary
Posts: 9
Joined: 06 Oct 2017 09:55

Re: Some clever spoofing

Post by snit_gary »

Great, just the rule I'm looking for. Thanks for your help, I'll return if it re-occurs.
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Some clever spoofing

Post by BruceLeeRoy »

I too have been seeing this, thanks for the help. :clap: