Spammers impersonation of users, Need help with filter rules to block
Question asked by Paul White - 1/2/2019 at 1:18 PM
Here is the problem I have. 
Spammers are impersonating my users with the following way.
They set the FROM field to my user's email.
Then they set the SENDER field to some other address (probably a compromised one).

What I need is a filtering rule that says if the FROM field has a specific domain, and the SENDER field doesn't to reject the message.
Any idea how to do this with Regular Expressions?

8 Replies

kevind Replied
Paul, this problem has been around for years. Here's a thread from 2016 that you can review for ideas that might help:

Not sure why it's marked as resolved as I think SmarterMail still allows this bad behavior...
Scarab Replied

Programmatically I can figure out how to do what you are asking in PCRE REGEX but can't figure out how to do it in such a way that can be used by a Custom Rule in SmarterMail. The only method I can think of would require parsing one field using REGEX and then comparing the results to another field using REGEX, which is beyond what a Custom Rule can do.

However, the best suggestion to avoid relaying spoofed messages would be to do the following:

  1. In Smartermail SETTINGS > PROTOCOLS set these settings:
        Allow Relay: Nobody
        Require Auth Match: "Domain" or "E-Mail Address" (usually Domain is good enough)
        Allow Relay for authenticated users: On
        Enable domains SMTP Auth settings for local deliveries: On
  2. Make sure all domains are set to "Require SMTP Authentication" (you can enforce this using Domain Propagation)
  3. Ensure that every domain hosted has SPF, DKIM, and DMARC policy configured in DNS.
  4. In Smartermail's SETTINGS > ANTISPAM > OPTIONS set "Enable DMARC policy compliance check" to On, and in SPAM CHECKS set the SPF spam check settings to "Scan From Header instead of Return-Path"
  5. Consider using Declude for SmarterMail from Mail's Best Friend. It takes some configuration to prevent overlap with SmarterMail's Antispam Checks, but it already includes a FROMNOMATCH scan that does what you are requesting (among other Antispam Checks and Content Filters).

These 5 things would A.) prevent non-authenticated users from using your SmarterMail server to send email period, regardless of what they use for the FROM: field, B.) only allow authenticated users to send email where the FROM: matches the same domain or email address as their authenticated username, C.) either block, or score messages where the FROM: does not pass SPF, DKIM, & DMARC policies and does not match the RETURN-PATH: field and D.) prevent your domains from being abused by spammers as other Mail Servers will also quarantine or reject the messages (depending on your DMARC policy flags).
Paul White Replied
Thanks for the feedback guys, but I already had everything set up that way; the only exceptions were the Enable domain's SMTP auth setting for Local deliveries, and Require Auth Match.

The problem is they will say the FROM is my user, but the SENDER field will be another email address, and the SPF / DKIM check is being done on the SENDER field instead of FROM.  Since the SENDER is valid for the sending IP, they get through, and yet to my users looks like it came from the FROM.  

I just need a way to say if a SENDER field is given, and it doesn't match the FROM field, and the FROM field is my user's domain, then to reject it.
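The check Paul describes (and asks for at the top of the thread), written out as an added Python example that is not part of this thread and not a SmarterMail custom rule: it parses a raw message, takes the domain of the From: header, and flags the message only when From: is one of the hosted domains, a Sender: header is present, and the Sender: domain differs. The protected domain and the sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains whose mailboxes this server hosts (constructed placeholder value).
PROTECTED_DOMAINS = {"example.com"}


def header_domain(msg, name):
    """Return the lower-cased domain of the address in header `name`,
    or None when the header is missing or carries no usable address."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)          # strips the display name
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def sender_mismatch(raw, protected=PROTECTED_DOMAINS):
    """Rule from the thread: From: in a protected domain, Sender: present,
    and the Sender: domain differs from the From: domain -> True (reject)."""
    msg = message_from_string(raw)
    from_dom = header_domain(msg, "From")
    sender_dom = header_domain(msg, "Sender")
    if from_dom not in protected or sender_dom is None:
        return False                    # not our domain, or no Sender: at all
    return sender_dom != from_dom


# Constructed sample messages (headers only matter for this rule).
SPOOFED = """From: Paul White <paul@example.com>
Sender: bulk@compromised.example.net
Subject: Invoice

body
"""
PLAIN = """From: Paul White <paul@example.com>
Subject: hello

body
"""
SAME_DOMAIN = """From: Paul White <paul@example.com>
Sender: list-owner@example.com
Subject: list mail

body
"""
EXTERNAL = """From: other@example.org
Sender: bulk@compromised.example.net
Subject: not ours

body
"""
```

The rule deliberately ignores messages whose From: domain is not hosted here, so it does not reject legitimate mailing-list traffic from other domains.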

echoDreamz Replied
I don't think you will be able to do that with regex
Linda Pagillo Replied
Hi Paul. We see this a lot as well. We put together some information for our customers about this and other things we see frequently. I hope some of this can be useful to you and others in the community. I believe #2 is what you are experiencing, correct?

Different spammer techniques...

1.) [Valid User's name on your server (validuser@validdomain.com)]   To prevent spoofing from your own domain, set up SPF / DMARC / DKIM on each of your domains using DNS.

2.) [Valid User's name on your server, but actually from spammer address (spammer@spammingdomain.com)]   To prevent spoofing from another domain is difficult because, as in this example, how would software know that this is an invalid address?  Below are some solutions:

a. Add another layer of Security. Message Sniffer will catch most of these, but the ones that get through are because Message Sniffer did not have the signature of the spoof. This is the problem with all signature-based security products. By adding an additional layer the hope is the second security product will catch the unwanted email. If you were to do this our first suggestion would be CYREN antispam as it is signatureless and works on traffic patterns; again it's an extra layer which helps, but the question becomes cost vs return.

b. We can use Declude to block terms or similar.

c. User training. At the end of the line the user is the weak part of the chain. To fix this, users need to be able to identify phishing attempts. Here are some companies that help with that:

Here is some additional info you can use or share with your customers: What’s the difference between Phishing and Spear Phishing?

  • Phishing emails are sent to the general public. They often impersonate a government agency, bank, the IRS, social networking site or store like Amazon.
  • Spear Phishing emails target specific individuals.  They are personalized with facts about you or your business to draw you in.  And they appear to come from a company or person you do business with.  It could come in the form of an email from your CEO.

A Phishing or Spear Phishing Email:

  • Is the one that you didn’t initiate.
  • May contain strange URLs and email addresses.
  • Often uses improper grammar and misspellings.
  • Typically contains attachments that you don’t recognize as legitimate.
  • Contains a link or email address that you don’t recognize.
  • May use language that is urgent or threatening.
  • Phishing and Spear Phishing are popular among cybercriminals because they usually succeed.

10 messages have a better than:

  • 90% chance of getting a click.
  • 8% chance of users clicking on an attachment.
  • 8% chance users will fill out a web form.
  • 18% chance that users will click a malicious link in an email.
  • Even high-level executives get spoofed and share usernames and passwords.

The average cost of a Phishing Scam is $1.6 million. It’s a top security concern for businesses today:

  • 1 in 3 companies are affected.
  • 30% of Phishing emails get opened.
  • Phishing is now the #1 vehicle for ransomware and other forms of malware.

Prevent being a victim of phishing or spear phishing. Here are 8 important things to remember:

1. Stay informed about phishing techniques. Different phishing scams are being sent out every day. Ongoing security awareness training should be a top priority for your organization. 

2. Think before you click a link. Don’t click on links from random emails or text messages. Hover your mouse arrow over a link to see who sent it. Most phishing emails begin with “Dear Customer” so watch out for these. Verify the website’s phone number before placing any calls. Remember, the secure website always starts with “https.”

3. Never divulge personal information requested by email, such as your name or credit card number. Typically, phishing emails will direct you to a web page to enter your financial or personal information. When in doubt, visit the main website of the company in the email, and give them a call.  And, never send sensitive information in an email to anyone. (A secure website always starts with “https”.)

4.  Consider installing an anti-phishing toolbar and security tools. Some Internet browsers offer free, anti-phishing toolbars that can run quick checks on the sites you visit. If a malicious site shows up, the toolbar will alert you. They will drastically reduce the chances of hackers and phishers infiltrating your computer or your network.

5. Never download files from suspicious emails or websites. Double check the website URL for legitimacy by typing the actual address into your Web browser. Check the site’s security certificate.  Also, beware of pop-ups as they may be phishing attempts. Your browser settings allow you to block pop-ups, where you can allow them on a case-by-case basis. If one gets through, don’t click on the “cancel” button as this is a ploy to lead you to a phishing site. Click the small “x” in the upper corner of the window, instead.

6. Get into the habit of changing your passwords often. You can also use a password manager like Dashlane or Last Pass that will automatically insert new, hard-to-crack passwords for you.

7. Regularly check your online bank and credit card accounts. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check every entry carefully to ensure no fraudulent transactions have been made without your knowledge.

8. Update your browsers to the latest version. Security patches are released in response to the vulnerabilities that phishers and hackers exploit. Don’t ignore messages to update your browsers, and download the updates as soon as they’re available.

Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
Paul White Replied
Thanks for the reply Linda,
Yes #2 is close to my problem.

With C# and .NET I know exactly how I would parse the RAW content to determine if this was spam.  Is there any way to integrate outside scripts with SmarterMail for spam detection?
Linda Pagillo Replied
You're welcome Paul. I'm not sure if scripts can be integrated. That would be a question for SmarterTools support or dev team. Hopefully they will chime in here over the next week to answer that for you. I called them today and they are still closed for the holidays so it may not be until Monday before they chime in here.
echoDreamz Replied
Paul, this is one of my #1 requests for SM. Some modular API for SM for us to write our own .net integrations into SM. Though I understand their eh on that since all it takes is some crappy programmer writing an integration that makes SM crap on itself.

We have our own custom "declude" like service that processes emails out of the proc directory and moves them into the drop directory.
