Some clever spoofing

Posted: 30 Aug 2018 08:16
by snit_gary
Hi EFA forums,
I'm having an issue with the filter allowing through some spoof emails. I'm not really sure what's going on but hopefully someone here will.
Basically a user (user1@company.com) is receiving emails from user2@company.com which look absolutely legit. No weird reply-to address, and they even have a basic signature (similar to the phone one but not the real one). It's not limited to one sender, it's been a few within the company.

All emails have a simple message - pay this invoice. All come with a Word doc attachment which looks dodgy.

EFA shows the emails coming from different IPs, relayed via multiple other ones.

The From address will show as User2 <user2@company.com> <randomemail@randomemail.com>
The spam score always comes in under 1 so they are never flagged, and the document isn't a virus, it just has a bad link in it.

I have added the sender access and restrictions from this thread - viewtopic.php?t=1237 - which works if I telnet and try to send as company.com.

Can anyone help? Happy to provide any more info if needed.

Re: Some clever spoofing

Posted: 01 Sep 2018 14:32
by shawniverson
Are you sure that's originating from the outside?

Re: Some clever spoofing

Posted: 03 Sep 2018 10:18
by snit_gary
Absolutely. Internal emails do not flow through the EFA and the IPs received and relayed through are from other countries.

Re: Some clever spoofing

Posted: 03 Sep 2018 11:16
by shawniverson
I would need to see a sanitized message header and scan report.

Re: Some clever spoofing

Posted: 03 Sep 2018 13:59
by snit_gary
Is this ok?

Re: Some clever spoofing

Posted: 03 Sep 2018 14:45
by shawniverson
So, I'm assuming that 'ifoodpacking.com.mx' is not you, so the sender is technically not lying about being you, in the sense that the envelope from is 'ifoodpacking.com.mx', so sender access restrictions are bypassed.

What is tripping up postfix and mailscanner, as you point out, is the deliberately malformed From: header address.
I'm guessing the user sees the first part in their mailbox. Clever indeed.

There's one way off the top of my head you can deal with this...a From should not have two consecutive '<>'s

/etc/postfix/header_checks

# Block malformed header From: (two consecutive <...> address groups)
/^From:.*<.*>.*<.*>$/ REJECT

# postmap is only needed if header_checks is an indexed (hash/btree) table;
# pcre/regexp files are read as-is, so for those the reload alone is enough.
sudo postmap /etc/postfix/header_checks
service postfix reload
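
As an added example (not code from the thread or from EFA), the same header_checks regex applied in Python to constructed sample From: headers: the double-angle-bracket shape described above is rejected, an ordinary header passes, a folded header is unfolded first (Postfix examines headers one logical header at a time, so it sees the joined line), and a quoted display name containing angle brackets shows the false positive this rule can produce. All sample headers are constructed for illustration.

```python
import re

# The header_checks pattern from the thread, compiled with Python's re module.
FROM_DOUBLE_ANGLE = re.compile(r"^From:.*<.*>.*<.*>$")


def unfold(raw_header: str) -> str:
    """Join RFC 5322 folded lines: CRLF/LF followed by whitespace becomes one space.

    Postfix matches header_checks against the unfolded logical header, so we
    unfold before matching to reproduce what the REJECT rule actually sees.
    """
    return re.sub(r"\r?\n[ \t]+", " ", raw_header).strip()


def would_reject(raw_header: str, unfold_first: bool = True) -> bool:
    """True if the thread's header_checks rule would REJECT this From: header."""
    header = unfold(raw_header) if unfold_first else raw_header.rstrip("\r\n")
    return FROM_DOUBLE_ANGLE.search(header) is not None


# Constructed sample headers (not taken from the thread's real messages).
SAMPLES = {
    # The shape described in the thread: display name, a genuine-looking
    # address, then the real sender address in a second <> group.
    "spoof": "From: User2 <user2@company.com> <randomemail@randomemail.com>",
    # The same header folded over two lines, as a sending MTA may legitimately do.
    "spoof_folded": "From: User2 <user2@company.com>\r\n <randomemail@randomemail.com>",
    # An ordinary single-address sender: must pass.
    "legit": "From: Jane Doe <jane@company.com>",
    # A quoted display name that itself contains angle brackets: legitimate,
    # but the rule still matches it, so expect this false positive in practice.
    "legit_quoted_brackets": 'From: "Helpdesk <tickets>" <helpdesk@company.com>',
}


def classify_samples() -> dict:
    """Run the rule over every sample; returns {name: rejected?}."""
    return {name: would_reject(hdr) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, rejected in classify_samples().items():
        print(f"{name:24s} {'REJECT' if rejected else 'pass'}")
```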

Re: Some clever spoofing

Posted: 04 Sep 2018 07:36
by snit_gary
Great, just the rule I'm looking for. Thanks for your help, I'll return if it re-occurs.

Re: Some clever spoofing

Posted: 05 Sep 2018 00:52
by shawniverson

Re: Some clever spoofing

Posted: 17 Dec 2018 03:15
by BruceLeeRoy
I too have been seeing this, thanks for the help. :clap: