Validate "From:" Address to block Phishing, Malware, & Scams
Idea shared by kevind - November 13, 2017 at 8:18 AM
Proposed
Please enhance SmarterMail to block malicious (spoofed) emails that look like official invoices or shipping documents from name-brand senders (e.g. Staples.com). These messages trick users into opening the malware attachment.
 
Here's an example:
Return-Path: <>
Received: from vsmx009.vodafonemail.xion.oxcs.net (vsmx009.vodafonemail.xion.oxcs.net [153.92.174.87]) by mail.SM15.net with SMTP
	(version=TLS\Tls12
	cipher=Aes256 bits=256);
   Thu, 12 Oct 2017 07:58:48 -0400
Received: from vsmx001.vodafonemail.xion.oxcs.net (unknown [192.168.75.191])
	by mta-5-out.mta.xion.oxcs.net (Postfix) with ESMTP id CAC6BC0FB1
	for <user@SM15.net>; Thu, 12 Oct 2017 11:58:34 +0000 (UTC)
Received: from 10.0.0.29 (unknown [121.34.195.182])
	by mta-5-out.mta.xion.oxcs.net (Postfix) with ESMTPA id 68BEC300895
	for <user@SM15.net>; Thu, 12 Oct 2017 11:58:29 +0000 (UTC)
Authentication-Results: mta-5-out.mta.xion.oxcs.net; dkim=permerror (bad message/signature format)
Date: Thu, 12 Oct 2017 19:58:33 +0800
From: Accounting@Staples.com <>
To: user@SM15.net
Message-ID: <43791914225.20171012115833@SM15.net>
Subject: Pay Invoice (TCO718694741 attached)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_004F_415E2326.50087FA7"
X-VADE-STATUS: LEGIT
 
Suggest verifying the "From" address with SPF, PTR, Return-Path, etc. to either block the message or alert the user that it is fake.
 
Also, saw this in the v16 release notes from Nov. 9th and thought it might help if added to v15 also.
Fixed: SPF / DMARC do not run when there is no Return-Path.
Thanks!
Kevin
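Added example (not part of the original post and not SmarterMail code): the header checks suggested above, written as a Python function and run against the headers of the sample message. The finding codes, the split_from/audit_headers names and the strict (exact-match) domain comparison are assumptions made for illustration.

```python
import re
from email import message_from_string

# Headers copied from the sample message in the post above (Received lines omitted).
SAMPLE = """\
Return-Path: <>
Authentication-Results: mta-5-out.mta.xion.oxcs.net; dkim=permerror (bad message/signature format)
From: Accounting@Staples.com <>
To: user@SM15.net
Subject: Pay Invoice (TCO718694741 attached)

"""

ADDR = re.compile(r"[^\s<>@]+@([^\s<>@]+)")  # group 1 is the domain

def split_from(value):
    """Return (display_name, addr_spec) by splitting on the angle brackets."""
    m = re.match(r"\s*(.*?)\s*<([^>]*)>\s*$", value)
    return (m.group(1).strip('"'), m.group(2).strip()) if m else ("", value.strip())

def audit_headers(raw):
    """Return a list of finding codes (hypothetical names) for a raw header block."""
    msg = message_from_string(raw)
    findings = []
    rpath = (msg.get("Return-Path") or "").strip().strip("<>")
    if not rpath:
        # Null or missing envelope sender: no MAIL FROM domain for SPF to evaluate.
        findings.append("NULL_RETURN_PATH")
    display, addr = split_from(msg.get("From", ""))
    if not ADDR.fullmatch(addr):
        findings.append("FROM_NO_VALID_ADDRESS")
    shown = ADDR.search(display)
    if shown and shown.group(0).lower() != addr.lower():
        # Mail clients show the display name, so an address placed there is what the user sees.
        findings.append("FROM_DISPLAY_NAME_IS_ADDRESS")
    claimed = ADDR.fullmatch(addr) or shown
    rdom = ADDR.fullmatch(rpath)
    # Assumption: exact domain match; DMARC's relaxed alignment is not modelled here.
    if claimed and not (rdom and rdom.group(1).lower() == claimed.group(1).lower()):
        findings.append("FROM_DOMAIN_NOT_ALIGNED_WITH_RETURN_PATH")
    if "dkim=pass" not in (msg.get("Authentication-Results") or "").lower():
        findings.append("DKIM_NOT_PASS")
    return findings

if __name__ == "__main__":
    for code in audit_headers(SAMPLE):
        print(code)
```

For the sample message every check fires: the envelope sender is null, the real From address is empty, and the Staples.com address appears only in the display name.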

1 Reply

Saw this in the 16.3.6543 release notes from 11/30/17:
  • Changed: SMTP and Delivery processes now utilize the From address in email headers if it is provided; provides better spoofing protection.
Just wonder if it addresses the issue described in this post. Maybe someone could provide a bit more explanation of how this change works?
 
Also, a polite request to add it to v15 also. Thanks!
