Phishing Email

Hi,

We need to block such emails from reaching end users. Our anti-spam software (cloud based) cannot stop it.

See below. The spammer somehow managed to change the reply address in the header, so when the user reads the email and presses reply, it goes to a different recipient.

They also changed @Company.com to @CompanyX.com so that the end user does not notice much.
Also, the From email and the actual sender email are different, and hidden in the envelope.

How can we fix these issues?
Is there a way we can set up something in Exchange to only allow emails with the same From and Reply-To address?

Received: from MAIL2.ad.int (10.19.2.89) by MAIL1.ad.int with Microsoft SMTP Server (TLS) id 15.0.1044.25 via Mailbox
Transport; Thu, 11 Jun 2015 10:52:37 -0400
Received: from CAS1.ad.int (10.19.2.18) by MAIL2.ad.int  with Microsoft SMTP Server (TLS) id 15.0.1044.25; Thu, 11 Jun
2015 10:52:36 -0400
Received: from mail2.Company.com (192.168.0.143) by CAS1.ad.int with Microsoft SMTP Server id 15.0.1044.25 via Frontend
Transport; Thu, 11 Jun 2015 10:52:37 -0400
X-AuditID: c0a8008f-f79096d000001fd7-74-5579a0b4fbbd
Received: from mx.expurgate.net (mx.expurgate.net [194.15.24.10])
               by mail2.Company.com (Symantec Mail Security) with SMTP id 94.97.08151.4B0A9755; Thu, 11 Jun 2015 10:52:37 -0400 (EDT)
Received: from mx.expurgate.net (helo=localhost)
               by mx.expurgate.net with esmtp
               id 1Z33qO-0003A8-CU
               for Simon@Company.com; Thu, 11 Jun 2015 16:52:36 +0200
Received: from [173.21.19.12] (helo=p3plwbeout14-01.prod.phx3.secureserver.net)
               by mx.expurgate.net with ESMTP (eXpurgate 4.0.3)
               (envelope-from <athreadgill@prizm-medical.com>)
               id 5579a0b3-2426-adc9c0b6a5fb-1
               for <Simon@Company.com>; Thu, 11 Jun 2015 16:52:36 +0200
Received: from localhost ([173.201.19.24])
               by p3plwbeout14-01.prod.phx3.secureserver.net with bizsmtp
               id f2sa1q0025GqY0l012sawu; Thu, 11 Jun 2015 07:52:34 -0700
X-SID: f2sa1q0025GqY0l01
Received: (qmail 9847 invoked by uid 99); 11 Jun 2015 14:52:34 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 216.157.87.144
User-Agent: Workspace Webmail 5.14.0
Message-ID: <20150611075232.72ca5e260030d244444a6e3ebce15650.6d0305651a.wbe@email14.secureserver.net>
From: Steve <steve@Company.com>
X-Sender: athreadgill@prizm-medical.com
Reply-To: Steve  <Steve@CompanyX.com>
To: <Simon@Company.com>
Subject: Payment
Date: Thu, 11 Jun 2015 07:52:32 -0700
MIME-Version: 1.0
X-purgate-ID: expurgator-d26b21/1434034356-00002426-7129BB3B/0/0
X-purgate-type: clean
X-purgate-size: 787
X-purgate: clean
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrFIsWRWlGSWpSXmKPExsVyaOKDPN2tCypDDQ594bQ4dXAymwOjx7VJ
               x5gCGKO4bFJSczLLUov07RK4Mhq+TGcumMxW8axzG3sD42nWLkZODgkBE4nu6d9ZIGwxiQv3
               1rN1MXJxCAnsY5RYsPIeO4SziFHiwewTUJlpTBL/ru5ihnCWMUrs3fqWDaJfQmLy/ilMILaQ
               gItEa+tGsDizgLbEsoWvmSFsDYnWOXPZIeoVJHZ37Qe7Q1RAReLeqUawOK9AqsTeExA1bAKa
               EtcvLACyOYDq1SUmXQmAGK8rsXnjekYQW0RAXOLP68lgtrCAgMSJ9rlgNouAqsTVNZfZQFp5
               BQQl/u4QhtjqIDFrzhKoj0UlHp47zwxhC0v8W/kM6hMBibtfZrNMYJSYheSBWUgemIUwdQEj
               8ypGodzEzBwjveT83ILS9NQ8EGMTIzB6Dqxg6N/B+HCH/iFGAQ5GJR7ehvMVoUKsiWXFlbmH
               GCU4mJVEeB9PrgwV4k1JrKxKLcqPLyrNSS0+xCjNwaIkzit11CNUSCA9sSQ1OzW1ILUIJsvE
               wQ4iOE8xKkqJ8y6bDzRAoLggMTejNK8EpgqWOi4xGnMwCfEUVxbHJ+bk5JfHZxYIseTl56VK
               CfMyMjAwCPEADc7NLEHV9YhRkOMluxAbF1NqnoCYFERDA2NVv+q1HfdaYlK6hB/EzL3MvE7v
               6HsFAd6TRes2u9w+cdG4x+OSpaLQja3H9gek9RSKXLjQ1rBsrt6xCLb9yScmWiwyn/U4V2BD
               0MIZ/iqsl1x43JtnqB2t/px7LWiF7OItO22eTGlabC72RefOxtvMt22UThndnlOY+SZdplr/
               w6rufnnJPS5KLMUZiYZazEXFiQC7B/tlDQMAAA==
Return-Path: athreadgill@prizm-medical.com
X-MS-Exchange-Organization-Network-Message-Id: 8c302a5e-8680-440d-bd70-08d2726d6413
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AVStamp-Mailbox: SMEXutTf;1172500;0;This mail has
been scanned by Trend Micro ScanMail for Microsoft Exchange;
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-AuthSource: CAS1.ad.int
X-MS-Exchange-Organization-AuthAs: Anonymous
Mac80Asked:
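As an added example (not part of the original question), the following Python 3 script parses the header pasted above and reports the three indicators that make this message a spoof: the Reply-To domain differs from the From domain (and is a lookalike of it), the envelope sender in Return-Path is a third domain, and Exchange itself stamped the connection as anonymous while the From claims the local domain. The header fields are copied from the question; the local domain name, thresholds and finding labels are assumptions for illustration.

```python
"""Added example (not code from the original post): parse the message headers
pasted in the question and flag the Reply-To / From / envelope-sender
mismatches that make this message a spoof.  Python 3 standard library only."""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the question above, trimmed to the fields this check
# reads.  Nothing else in this file comes from the original message.
QUESTION_HEADERS = """\
Return-Path: athreadgill@prizm-medical.com
From: Steve <steve@Company.com>
X-Sender: athreadgill@prizm-medical.com
Reply-To: Steve  <Steve@CompanyX.com>
To: <Simon@Company.com>
Subject: Payment
X-MS-Exchange-Organization-AuthAs: Anonymous

"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def lookalike(a, b, threshold=0.8):
    """True when two distinct domains are near-identical strings
    (company.com vs companyx.com).  A real subdomain is not a lookalike.
    The 0.8 threshold is an assumption; tune it on your own mail."""
    if a == b or a.endswith("." + b) or b.endswith("." + a):
        return False
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def spoof_findings(raw_message, local_domain="company.com"):
    """Return the list of spoofing indicators found in the message headers."""
    msg = message_from_string(raw_message)
    hdr_from = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    envelope = domain_of(msg.get("Return-Path"))   # RFC 5321 MAIL FROM
    findings = []

    # 1. Reply-To points somewhere other than the displayed sender domain,
    #    so "Reply" goes to the attacker.
    if reply_to and reply_to != hdr_from:
        tag = "REPLY_TO_MISMATCH"
        if hdr_from and lookalike(reply_to, hdr_from):
            tag += "_LOOKALIKE"      # CompanyX.com impersonating Company.com
        findings.append(tag)

    # 2. Envelope sender (what SPF is evaluated on) is a different domain
    #    from the header From: the "hidden in the envelope" point.
    if envelope and envelope != hdr_from:
        findings.append("ENVELOPE_FROM_MISMATCH")

    # 3. Claims to be from our own domain, but Exchange stamped the inbound
    #    connection as anonymous, i.e. it arrived from the Internet.
    auth_as = msg.get("X-MS-Exchange-Organization-AuthAs", "").lower()
    if hdr_from == local_domain and auth_as == "anonymous":
        findings.append("LOCAL_FROM_VIA_ANONYMOUS_CONNECTION")

    return findings


if __name__ == "__main__":
    for finding in spoof_findings(QUESTION_HEADERS):
        print(finding)
```

Run against the pasted header it reports all three findings; a normal message whose From and Reply-To share a domain produces none. The X-MS-Exchange-Organization-AuthAs header is set by Exchange on the receiving side and stripped from anything arriving from outside, which is why it is a usable signal here.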
arnoldCommented:
Reply-To: is a parameter set by the user.

You need to set up SPF/DomainKeys and validate your incoming mail using those rules, meaning anyone misusing your domain to send emails will be tagged as spam and, depending on your rules, those messages could be rejected if/when SPF rules are strictly enforced.

You should notify GoDaddy, as this email was generated within their web-based email interface.
It clearly identifies the user whose credentials were used to authenticate to the interface, as well as the IP from which the connection to the web interface was made.

Include the header info you posted in the email/submission.
Mac80Author Commented:
How can I set up SPF/DomainKeys?
Is it done on Exchange? Sorry, I have limited information on it.
arnoldCommented:
SPF deals with creating a text entry in DNS:
Domain.com. IN TXT "v=SPF ...
Here you would want to specify the policy:
ip: IP-based rule
mx: based on the designated mail server for the domain
ptr: based on reverse resolution
a: A-record based
..
-all: strict deny if not matched
~all: leaves it to the receiving server's discretion

There are several wizards on the net that help you create the entry, which you can then
Check with your cloud filtering provider if they can handle SPF verification.
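To make the mechanisms and qualifiers in the answer above concrete, here is an added example (not from the answer or from any SPF library) of a minimal SPF evaluator in Python 3. It parses a "v=spf1" record and walks the ip4, a, mx and all mechanisms left to right with the +, -, ~ and ? qualifiers, resolving names against a constructed in-memory DNS table so it runs offline. The record, hosts and addresses (TEST-NET ranges) are assumptions for the example, not the asker's real network; include, ptr and exists are deliberately not modelled, and a production check should use a maintained library with live DNS.

```python
"""Added example (not from the original answer): a minimal SPF evaluator in
Python 3 that resolves the mechanisms listed above (ip4, a, mx, all) against a
constructed in-memory DNS table so it runs offline.  include/ptr/exists and
the a/mx CIDR suffix are not modelled; use pyspf or similar with live DNS in
production."""
import ipaddress

# Constructed DNS data standing in for real lookups; the hosts and addresses
# are assumptions for the example, not the asker's network.
DNS = {
    "TXT": {
        "company.com":  "v=spf1 ip4:203.0.113.0/24 mx a:mail2.company.com -all",
        "soft.example": "v=spf1 mx ~all",
    },
    "MX": {
        "company.com":  ["mx1.company.com", "mx2.company.com"],
        "soft.example": ["mail.soft.example"],
    },
    "A": {
        "mx1.company.com":   ["198.51.100.10"],
        "mx2.company.com":   ["198.51.100.11"],
        "mail2.company.com": ["198.51.100.20"],
        "mail.soft.example": ["192.0.2.5"],
    },
}

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(host, dns):
    """Addresses of a host from the constructed table (empty if unknown)."""
    return [ipaddress.ip_address(a) for a in dns["A"].get(host, [])]


def check_spf(domain, client_ip, dns=DNS):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.
    Returns pass / fail / softfail / neutral / none / permerror."""
    record = dns["TXT"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                         # no usable record published
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        target = arg or domain                # bare "mx"/"a" mean the record's own domain

        if name == "all":
            matched = True
        elif name == "ip4":
            # version mismatch (IPv6 client vs ip4 network) simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in _a_records(target, dns)
        elif name == "mx":
            matched = any(ip in _a_records(mx, dns) for mx in dns["MX"].get(target, []))
        else:
            return "permerror"                # mechanism not modelled in this example

        if matched:
            return QUALIFIERS[qualifier]      # first matching mechanism wins

    return "neutral"                          # record exhausted without a match


if __name__ == "__main__":
    # The message in the question reached the filter from 173.21.19.12 while
    # claiming to be from Company.com; with a -all record that is a hard fail.
    print(check_spf("company.com", "173.21.19.12"))
```

Note what the evaluator is fed: a receiver runs SPF on the envelope sender (the Return-Path, prizm-medical.com in the posted header), not on the From: header, so the spoofed Company.com address is only caught if the receiving side also applies the record to the From: domain. That is the limitation described later in the thread, and the alignment rule that DMARC later formalized.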

arnoldCommented:
Forgot the link: www.openspf.org covers the framework.

Look at DomainKeys too to see if it is a viable option to implement on your Exchange.

Mac80Author Commented:
Our cloud provider cannot handle SPF.
Can we do that at the Exchange level?
arnoldCommented:
You have Symantec Mail Security fronting your mail before it hits your Exchange server.

Which versions of the two do you have? Check whether the Symantec mail gateway can handle some anti-spamming.
The difficulty is that enforcement of SPF is based on the server delivering the email rather than the data within.

This is why support on the cloud.

One option you could look into, if all messages are being sent through your server, is to include a header parameter such as X-UNIQUE: some identifier.
If this is not present when the From: uses your local domain, tag the message as suspicious. Does your Symantec quarantine messages?

The link to an older EE post may help you
http://www.experts-exchange.com/Networking/Protocols/Email/Q_25479995.html
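The marker rule suggested above, as an added example in Python 3 (not code from the answer or from any Exchange or Symantec product). A fixed X-UNIQUE value can be copied by anyone who has seen one outbound message, so this version makes the marker an HMAC over the Message-ID under a secret known only to the internal sending hop and the inbound check; the secret, header name, local domain and sample messages are assumptions, and the first sample message reuses only the From, Reply-To and Message-ID of the message in the question.

```python
"""Added example (not from the original answer): the internal-marker rule
suggested above, in Python 3.  The marker is a keyed hash of the Message-ID
rather than a static string, so an outsider cannot forge it by copying a
header from a legitimate outbound message."""
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "company.com"
MARKER_HEADER = "X-UNIQUE"                           # header name from the answer above
MARKER_SECRET = b"replace-with-a-long-random-key"    # assumption: held by the mail hops only


def expected_marker(message_id):
    """Keyed hash of the Message-ID; cannot be produced without MARKER_SECRET."""
    return hmac.new(MARKER_SECRET, message_id.encode(), hashlib.sha256).hexdigest()


def stamp_outbound(raw_message):
    """What the internal sending hop does: add the marker before relaying."""
    msg = message_from_string(raw_message)
    msg[MARKER_HEADER] = expected_marker(msg.get("Message-ID", ""))
    return msg.as_string()


def classify_inbound(raw_message):
    """external:   From is not our domain (leave it to SPF/DKIM on that domain)
    internal:   From is our domain and carries a valid marker
    suspicious: From is our domain but the marker is missing or wrong"""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != LOCAL_DOMAIN:
        return "external"
    marker = msg.get(MARKER_HEADER, "")
    expected = expected_marker(msg.get("Message-ID", ""))
    # constant-time comparison so the check itself leaks nothing about the value
    if marker and hmac.compare_digest(marker.encode(), expected.encode()):
        return "internal"
    return "suspicious"


# Constructed messages.  SPOOFED keeps the From, Reply-To and Message-ID of the
# message in the question (no marker, From claims Company.com); INTERNAL is a
# legitimate internal message before the sending hop stamps it.
SPOOFED = """\
From: Steve <steve@Company.com>
Reply-To: Steve  <Steve@CompanyX.com>
Message-ID: <20150611075232.72ca5e260030d244444a6e3ebce15650.6d0305651a.wbe@email14.secureserver.net>
Subject: Payment

"""
INTERNAL = """\
From: Steve <steve@company.com>
To: Simon <simon@company.com>
Message-ID: <1@mail2.company.com>
Subject: Payment

"""

if __name__ == "__main__":
    print(classify_inbound(SPOOFED))                   # suspicious
    print(classify_inbound(stamp_outbound(INTERNAL)))  # internal
```

The same rule with a static marker is what an Exchange transport rule can express directly (condition: sender domain is Company.com; exception: header X-UNIQUE contains the agreed value; action: raise the SCL or quarantine). The keyed variant needs a hop that can compute the hash on the way out, which is the price of a marker that cannot be replayed from a message the attacker has seen.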