
Filtering out spoofed emails in Outlook

I recently had a rash of email come in through my SBS 2008 (Exchange 2007) server purporting to be from eBay, Amazon etc.

They were, of course, phishing emails but they were “close enough” to the real thing to get low SCL (Spam Confidence Level) and PCL (phishing confidence level) and hence were not rejected by the anti-spam features in Exchange 2007.

They were, however, marked as “fail” or “softfail” by the SenderID checks (Sender Policy Framework, aka SPF, defines which hosts are allowed to send mail “on behalf of” a given email domain). Since the spammers’ hosts weren’t on the allowed list, the email failed the SenderID check.

So, how do we ensure that emails that fail the SenderID check don’t get delivered to the user’s inbox?

Well, the more dramatic solution is to just reject or delete any emails that fail the test. You can read how to do that here - http://technet.microsoft.com/en-us/library/bb125259.aspx 

That was a bit drastic at this stage so I found another solution here (http://serverfault.com/questions/37232/exchange-2007-move-messages-with-senderid-fail-to-junk-mail-folder) which worked a treat.

The suggested solution is easy to implement – create an inbox rule to move messages whose Internet headers contain the “Fail” or “SoftFail” SenderID result to the Junk E-mail folder.

The text strings I used were:

X-MS-Exchange-Organization-SenderIdResult: Fail or
X-MS-Exchange-Organization-SenderIdResult: SoftFail
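To make the routing logic of that inbox rule concrete, here is an added example (not from the original post) that parses constructed sample messages and applies the same decision: messages stamped Fail or SoftFail go to junk, everything else (Pass, Neutral, None, or no header at all) stays in the inbox. The sample headers and the exact set of Sender ID result values are constructed for illustration.

```python
import email
from email import policy
from typing import Dict, Optional

# Header stamped by the Exchange Sender ID agent (the header named in the post)
SENDER_ID_HEADER = "X-MS-Exchange-Organization-SenderIdResult"

# Results the inbox rule sends to Junk E-mail (compared case-insensitively)
JUNK_RESULTS = {"fail", "softfail"}


def sender_id_result(raw_message: bytes) -> Optional[str]:
    """Return the stamped Sender ID result in lower case, or None if the header is absent."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    value = msg.get(SENDER_ID_HEADER)
    return value.strip().lower() if value else None


def route(raw_message: bytes) -> str:
    """Mimic the inbox rule: 'junk' for Fail/SoftFail, 'inbox' for anything else."""
    return "junk" if sender_id_result(raw_message) in JUNK_RESULTS else "inbox"


# Constructed sample messages (not real mail); only the headers matter here.
SAMPLES: Dict[str, bytes] = {
    "spoofed_fail": (
        b"From: service@example-shop.test\n"
        b"X-MS-Exchange-Organization-SenderIdResult: Fail\n"
        b"Subject: Your account needs attention\n\nbody\n"
    ),
    "spoofed_softfail": (
        b"From: billing@example-auction.test\n"
        b"X-MS-Exchange-Organization-SenderIdResult: SoftFail\n"
        b"Subject: Invoice attached\n\nbody\n"
    ),
    "legit_pass": (
        b"From: alice@example.test\n"
        b"X-MS-Exchange-Organization-SenderIdResult: Pass\n"
        b"Subject: Lunch?\n\nbody\n"
    ),
    # No Sender ID header at all (e.g. internal mail): the rule does not match.
    "internal_no_header": b"From: bob@example.test\nSubject: Minutes\n\nbody\n",
}


def classify_samples() -> Dict[str, str]:
    """Apply the rule to every sample and return name -> folder."""
    return {name: route(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, folder in classify_samples().items():
        print(f"{name:20s} -> {folder}")
```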


And since then, nary a hint of spoofed email in my inbox!
