I recently had a rash of email come in through my SBS 2008 (Exchange 2007) server purporting to be from eBay, Amazon etc.
They were, of course, phishing emails, but they were “close enough” to the real thing to get a low SCL (Spam Confidence Level) and PCL (Phishing Confidence Level), and hence were not rejected by the anti-spam features in Exchange 2007.
They were, however, marked as “fail” or “softfail” by the SenderID checks (Sender Policy Framework, aka SPF, defines which hosts are allowed to send mail “on behalf of” a given email domain). Since the spammers weren’t on the allowed list, the email failed the SenderID check.
So, how do we ensure that emails that fail the SenderID check don’t get delivered to the user’s inbox?
Well, the more dramatic solution is to just reject or delete any emails that fail the test. You can read how to do that here - http://technet.microsoft.com/en-us/library/bb125259.aspx
That was a bit drastic at this stage so I found another solution here (http://serverfault.com/questions/37232/exchange-2007-move-messages-with-senderid-fail-to-junk-mail-folder) which worked a treat.
The suggested solution is easy to implement – create an inbox rule that moves messages whose headers contain the “Fail” or “SoftFail” SenderID result to the JunkMail folder.
The text strings I used were:
X-MS-Exchange-Organization-SenderIdResult: Fail or
X-MS-Exchange-Organization-SenderIdResult: SoftFail
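To show what that rule actually does, here is an added example (not from the original post, nor from Exchange or Outlook) that models it offline in Python: it checks raw message headers for the two strings above, and also parses the header properly so that values the rule leaves alone (Pass, Neutral, None, TempError, or no stamp at all) visibly stay in the Inbox. The sample messages, addresses and the retailer name are constructed.

```python
"""Offline model of the inbox rule: Fail/SoftFail SenderID stamp -> Junk, else Inbox."""
from email import message_from_string
from typing import List, Optional

SENDERID_HEADER = "X-MS-Exchange-Organization-SenderIdResult"
# The two strings the post's rule looks for, exactly as written there.
RULE_STRINGS = [f"{SENDERID_HEADER}: Fail", f"{SENDERID_HEADER}: SoftFail"]
JUNK_RESULTS = {"fail", "softfail"}

def rule_strings_hit(raw_message: str) -> List[str]:
    """Literal 'header contains these words' check, as the mail client does it;
    'SenderIdResult: Fail' is not a substring of 'SenderIdResult: SoftFail',
    which is why the rule needs both strings."""
    return [s for s in RULE_STRINGS if s in raw_message]

def senderid_result(raw_message: str) -> Optional[str]:
    """Parse the headers (names are matched case-insensitively) and return the
    SenderID verdict, or None if Exchange never stamped one."""
    value = message_from_string(raw_message).get(SENDERID_HEADER)
    return value.strip() if value else None

def folder_for(raw_message: str) -> str:
    """Where the rule files the message: Fail/SoftFail -> Junk E-mail, anything
    else (Pass, Neutral, None, TempError, a missing header) stays in the Inbox."""
    result = senderid_result(raw_message)
    if result and result.lower() in JUNK_RESULTS:
        return "Junk E-mail"
    return "Inbox"

def _msg(sender_id: Optional[str]) -> str:
    """Build a constructed sample message; only the headers matter here."""
    stamp = f"{SENDERID_HEADER}: {sender_id}\r\n" if sender_id else ""
    return (
        "Received: from mx.example.invalid (203.0.113.5)\r\n"
        "From: \"Big Retailer\" <service@retailer.example>\r\n"
        "Subject: Your account needs attention\r\n"
        f"{stamp}"
        "\r\n"
        "Please confirm your details at the link below.\r\n"
    )

# Constructed samples: two spoofs, one genuine message, one with no stamp.
SPOOFED_FAIL = _msg("Fail")
SPOOFED_SOFTFAIL = _msg("SoftFail")
GENUINE_PASS = _msg("Pass")
UNSTAMPED = _msg(None)

if __name__ == "__main__":
    for raw in (SPOOFED_FAIL, SPOOFED_SOFTFAIL, GENUINE_PASS, UNSTAMPED):
        print(senderid_result(raw), "->", folder_for(raw), rule_strings_hit(raw))
```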
And since then, nary a hint of spoofed email in my inbox!