13
Validate "From:" Address to block Phishing, Malware, & Scams
Idea shared by kevind - 11/13/2017 at 8:18 AM
Proposed
Please enhance SmarterMail to block malicious (spoofed) emails that look like official invoices or shipping documents from name-brand senders (e.g. Staples.com). These messages trick users into opening the malware attachment.
 
Here's an example:
Return-Path: <>
Received: from vsmx009.vodafonemail.xion.oxcs.net (vsmx009.vodafonemail.xion.oxcs.net [153.92.174.87]) by mail.SM15.net with SMTP
	(version=TLS\Tls12
	cipher=Aes256 bits=256);
   Thu, 12 Oct 2017 07:58:48 -0400
Received: from vsmx001.vodafonemail.xion.oxcs.net (unknown [192.168.75.191])
	by mta-5-out.mta.xion.oxcs.net (Postfix) with ESMTP id CAC6BC0FB1
	for <user@SM15.net>; Thu, 12 Oct 2017 11:58:34 +0000 (UTC)
Received: from 10.0.0.29 (unknown [121.34.195.182])
	by mta-5-out.mta.xion.oxcs.net (Postfix) with ESMTPA id 68BEC300895
	for <user@SM15.net>; Thu, 12 Oct 2017 11:58:29 +0000 (UTC)
Authentication-Results: mta-5-out.mta.xion.oxcs.net; dkim=permerror (bad message/signature format)
Date: Thu, 12 Oct 2017 19:58:33 +0800
From: Accounting@Staples.com <>
To: user@SM15.net
Message-ID: <43791914225.20171012115833@SM15.net>
Subject: Pay Invoice (TCO718694741 attached)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_004F_415E2326.50087FA7"
X-VADE-STATUS: LEGIT
 
Suggest verifying the "From" address with SPF, PTR, Return-Path, etc. to either block the message or alert the user that it is fake.
 
Also, saw this in the v16 release notes from Nov. 9th and thought it might help if added to v15 also.
Fixed: SPF / DMARC do not run when there is no Return-Path.
Thanks!
Kevin
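The check suggested in the post above, sketched as an added example (not part of the original post and not SmarterMail code): it compares the domain a reader sees in "From:" against domains that passed SPF or DKIM, using a constructed subset of the quoted headers. The function names are hypothetical, the alignment test is simplified (no Public Suffix List), and Authentication-Results is read as-is for illustration.

```python
import re
from email import message_from_string

# Constructed sample: a subset of the headers quoted in the post above.
SAMPLE = """\
Return-Path: <>
Authentication-Results: mta-5-out.mta.xion.oxcs.net; dkim=permerror (bad message/signature format)
From: Accounting@Staples.com <>
To: user@SM15.net
Subject: Pay Invoice (TCO718694741 attached)

"""

ADDR = re.compile(r"[^\s<>@]+@([A-Za-z0-9.-]+)")

def visible_from_domain(value):
    """Domain the reader sees in From:, and whether the angle-addr is empty."""
    angle = re.search(r"<([^<>]*)>", value)
    empty_angle = angle is not None and angle.group(1).strip() == ""
    m = ADDR.search(value)
    return (m.group(1).lower() if m else None), empty_angle

def authenticated_domains(msg):
    """Domains reported with spf=pass or dkim=pass (assumption: header is trusted)."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        for clause in ar.split(";")[1:]:  # skip the authserv-id
            if re.search(r"\b(spf|dkim)=pass\b", clause):
                found.update(d.lower() for d in re.findall(
                    r"(?:header\.d|smtp\.mailfrom)=(?:[^\s;@]*@)?([A-Za-z0-9.-]+)", clause))
    return found

def aligned(from_dom, auth_dom):
    # Simplified relaxed alignment: equal, or one is a subdomain of the other.
    return (from_dom == auth_dom or from_dom.endswith("." + auth_dom)
            or auth_dom.endswith("." + from_dom))

def check_from(raw):
    msg = message_from_string(raw)
    dom, empty_angle = visible_from_domain(msg.get("From", ""))
    reasons = []
    if msg.get("Return-Path", "").strip() in ("", "<>"):
        reasons.append("null Return-Path: no MAIL FROM domain for SPF")
    if empty_angle:
        reasons.append("empty <> address; domain appears only in display text")
    if dom is None or not any(aligned(dom, a) for a in authenticated_domains(msg)):
        reasons.append(f"From domain {dom} not aligned with any passing SPF/DKIM domain")
    return ("flag" if reasons else "accept"), reasons
```

On the sample, `check_from(SAMPLE)` returns "flag" with all three reasons. A production filter would honor Authentication-Results only from its own boundary server, or run the SPF and DKIM checks itself.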

4 Replies

2
Saw this in the 16.3.6543 release notes from 11/30/17:
  • Changed: SMTP and Delivery processes now utilize the From address in email headers if it is provided; provides better spoofing protection.
Just wondering if it addresses the issue described in this post. Maybe someone could provide a bit more explanation of how this change works?
 
Also, a polite request to add it to v15 also. Thanks!
2
So .. I had a situation today where the From header was set to a local domain and the message was sent from outside, and it made me wonder why this message was not bounced, and then I found this topic.

I've checked v15 release notes and I don't see any:

  • Changed: SMTP and Delivery processes now utilize the From address in email headers if it is provided; provides better spoofing protection.
or anything similar in the v15 release notes, and this was one year ago. So this was at a time when v15 was still fully supported/fixed/being updated etc., you name it. Can someone from SmarterTools tell me why this has not been implemented in v15? Or maybe it is missing from the release notes?
2
Webio, thanks for refreshing this post!  It's almost a year old with 8 votes so I'm surprised ST never replied to it. Many off-the-wall requests with 1-2 votes get immediate replies.

Something as important as this -- anti-spoofing (which is core email functionality) -- should be addressed immediately. We would definitely like to see it fixed in v15 before it goes off life-support.
2
Make that 9 Votes!
