Matt, here's a solution that will fix the issue for local domains:
If the From address (what the user sees in webmail or Outlook) is a local domain (i.e., on the SmarterMail server), then it must match the Return-Path. Otherwise, reject it or score it.
This would confirm that either:
- The sending email address was authenticated with a password.
- The sending IP address was whitelisted.
This would be a great start and would help stop the spear phishing. For example, if you got an email from Derek@SmarterTools giving you a couple extra weeks of paid vacation :) you should be 100% confident that it hasn't been spoofed. With SM15.7, you can't be sure.
After this, the next fix would be to block spoofing of non-local domains.
Thanks,
Kevin
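The rule proposed in the post, as an added example that is not part of the original thread and not SmarterMail's own code: if the From header's domain is one the server hosts, the From address must equal the Return-Path (the envelope sender the receiving MTA recorded), otherwise the message is rejected. The local-domain set, the hypothetical verdict names and the three sample messages are constructed for the example; comparison is on the full address, lower-cased, which is one reading of "must match".

```python
"""Added example (not SmarterMail's code): From/Return-Path alignment for local domains."""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical set of domains hosted on this server (assumption for the example).
LOCAL_DOMAINS = {"smartertools.com"}


def normalize(addr_header):
    """Return the bare, lower-cased address from a header value, or '' if none."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.strip().lower()


def domain_of(addr):
    """Domain part of a bare address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def check_local_from(raw_message, local_domains=LOCAL_DOMAINS):
    """Apply the rule: if the From domain is local, From must equal Return-Path.

    Returns 'accept', 'reject', or 'not-applicable' (From is not a local domain,
    so this rule says nothing about the message; the post leaves that case for later).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = normalize(msg.get("From"))
    return_path = normalize(msg.get("Return-Path"))

    if domain_of(from_addr) not in local_domains:
        return "not-applicable"
    # A null envelope sender (<>) normalizes to '' and therefore never matches a
    # local From, so a bounce claiming to be from a local user is rejected too.
    # Return a score here instead if that is too strict for your traffic.
    if from_addr == return_path:
        return "accept"
    return "reject"


# Constructed sample messages (not real traffic). Return-Path is what the
# receiving MTA records from the SMTP envelope sender.
SPOOFED = """Return-Path: <bounce@attacker.example>
From: Derek <derek@smartertools.com>
To: kevin@smartertools.com
Subject: Extra vacation

Enjoy two extra weeks!
"""

LEGIT = """Return-Path: <derek@smartertools.com>
From: Derek <Derek@SmarterTools.com>
To: kevin@smartertools.com
Subject: Schedule

See you Monday.
"""

EXTERNAL = """Return-Path: <news@vendor.example>
From: Vendor News <news@vendor.example>
To: kevin@smartertools.com
Subject: Newsletter

Hello.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("external", EXTERNAL)):
        print(name, check_local_from(raw))
```

The check only confirms what the post says it confirms: a matching Return-Path on a local From means the envelope sender was one the server accepted (authenticated user or whitelisted IP). It does nothing for non-local From domains, which the post defers to a later fix.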