
Check Spoof email

AXISHK asked
Last Modified: 2017-04-25
We have received several emails where the display name shows our company email address but the actual sender address is logged as aol.com in our IMSVA gateway.

Even though we have enabled SPF and check the sender and recipient addresses, is it of any use, as the checking will only be triggered when the sender and recipient are in the same domain? How should I track these kinds of cases?


Thx

Muhammad Burhan, Manager I.T.
CERTIFIED EXPERT
Top Expert 2015

Commented:
PTR (reverse lookup) verification with DNS-BL will definitely block them.

Commented:
It sounds like your SPF settings are either not correct or your mailserver isn't processing SPF as you intended.

Once SPF is properly implemented you cannot get messages from your own domain without the sender doing a lot of work.
SPF does introduce a problem with message forwarding etc. There is a framework in place called SRS (Sender Rewrite Service) which allows for the correct operation of SPF with forwarded messages, but very few mailservers are configured to use it.

What mail server are you using?

Colin
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
This is where DMARC and SPF come into play. Are you at least making use of SPF already?

Author

Commented:
SPF has been set up and tested well in mxtool.

But is there any reference on setting up DMARC? I used Trend Micro IMSVA and Exchange 2010.

Thx
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The best that I know of is DKIM signing, which should also suffice.

https://docs.trendmicro.com/all/ent/imsva/v9.0/en-us/imsva_9.0_olh/imsva_smtp_routing_dkim_cfg.html

However, I saw:
In a nutshell, DMARC is another type of DNS TXT record that builds on SPF and DKIM records and can be configured to specifically tell email filters to reject emails that did not originate from the senders authorized from the SPF or DKIM records. This is enough to stop spoofed emails cold in their tracks. Here is an example of a DMARC record:

v=DMARC1; p=quarantine; rua=mailto:postmaster@myemaildomain.com

What this does is to send items to quarantine if the SPF record or DKIM checks fail, and to send reports to an email address that you specify.
http://www.thecloudtechnologist.com/how-to-stop-email-spoofing-using-dmarc/
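
For tracking the case raised in the question (the display name shows a company address while the actual sender address is in another domain such as aol.com), the check below flags such messages from their From header; SPF and DMARC evaluate the domains of the sender addresses, not the display name. It is an added example, not code from the thread or from Trend Micro: `example.com`, the function names and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Assumption: example.com is a placeholder for the company's own domain.
PROTECTED_DOMAINS = {"example.com"}

ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>\s*$")
ADDR_IN_TEXT = re.compile(r"[\w.%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def domain_matches(domain, protected):
    """True if domain is a protected domain or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == p or domain.endswith("." + p) for p in protected)


def check_from(raw_message, protected=PROTECTED_DOMAINS):
    """Return a finding dict when the From display name shows an address in a
    protected domain but the real sender address is in a different domain;
    return None otherwise."""
    msg = message_from_string(raw_message)
    # Decode RFC 2047 encoded-words so an encoded display name is inspected.
    value = str(make_header(decode_header(msg.get("From", ""))))
    m = ANGLE_ADDR.search(value)
    if not m:
        return None  # bare address, no display name to compare
    actual = m.group(1).lower()
    display = value[:m.start()].strip().strip('"')
    if domain_matches(actual.rsplit("@", 1)[1], protected):
        return None  # sender address is in our domain; not this case
    for shown in ADDR_IN_TEXT.finditer(display):
        if domain_matches(shown.group(1), protected):
            return {"display": display, "actual": actual,
                    "shown": shown.group(0).lower()}
    return None


# Constructed sample messages (not taken from the thread).
SAMPLES = [
    'From: "ceo@example.com" <someone@aol.com>\nSubject: a\n\nbody\n',
    "From: ceo@example.com <someone@aol.com>\nSubject: b\n\nbody\n",
    "From: =?utf-8?q?ceo=40example.com?= <someone@aol.com>\nSubject: c\n\nbody\n",
    'From: "Pat Lee" <pat@example.com>\nSubject: d\n\nbody\n',
    'From: "Friend" <friend@aol.com>\nSubject: e\n\nbody\n',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_from(raw))
```

The first three samples are flagged (quoted, unquoted and encoded display names); the last two are not.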