Users are receiving spoof emails from our own email addresses, how to stop?  O365 and AppRiver spam filter.

g8rcub
Many of my users (including myself) have been receiving spoof emails that appear to come from ourselves with our own emails.  Most of them are caught in the junk filter but now some are sneaking through.  My users know these are not real but they are becoming annoying.

What can I do to try to stop this?  We use O365 and AppRiver as a spam filter.

Thanks!
bbao, IT Consultant

Commented:
Is it possible for you to upload two things for review?

1. A screenshot showing what the spoof emails look like.

2. The source code of the email header of one of the emails.

Thanks.
Dr. Klahn, Principal Software Engineer

Commented:
Configure your MTA or prefilter to deny any email from email addresses using your domain name that is coming from outside your LAN (or alternately, not coming from inside your LAN, whichever is easier).

This will have fallout, of course.  Nobody will be able to send email when they are outside the office unless they are using a secured and encrypted VPN to tunnel back into the office LAN.  But, since it looks like your firm is a law firm, that should be the normal state of affairs in any case.
Kundan Gupta, Senior Administrator

Commented:
I would suggest reviewing the spam filter policy and enabling Spoof intelligence in Office 365.
Also, apply a keyword-based Transport rule to block and redirect/quarantine those emails to another monitoring mailbox.


Regards
Kundan

Author

Commented:
Thank you guys.  Dr. Klahn, we are not a law firm, that ymblaw.com appears to be where the email may have been sent from perhaps?  I guess I could block that domain?  But we receive others that come from different places too.  Most have been caught in our spam filter but I'd like to block as many as I can.

I can't have my users not be able to send from outside the office, most of our staff are on the road a good part of the day.

Kundan, I looked into the Spoof Intelligence in O365.  It looks like it is already enabled.  The user that was spoofed in what I provided above (bmacelli) was listed, it said authentication result: Failed.  There were also many other people listed in the Spoofed user list, all in my organization.  They all said failed for Authentication result.

There is an allowed to spoof setting, and it is set to Yes.  If I set this to no for the users listed in the Spoofed User list, will that prevent this from happening?
Senior Administrator
Commented:
g8rcub, I think you also need to check domain validation records; from what I see, your domain does not have SPF. The links below may help you.

Enable SPF and DKIM. This will help in increasing security. Raise a ticket with AppRiver to get recommendations and support in setting up.

https://support.appriver.com/kb/a253/spf-record-setup-for-appriver-hosted-services.aspx
https://support.appriver.com/kb/a1015/best-practices-to-prevent-email-spoofing.aspx

Create a transport rule to block emails by the X-Country-Path and X-MS-Exchange-Organization-AuthAs email properties.

Regards
Kundan
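
Added example (not part of any post in this thread, and not AppRiver or Microsoft code): a small offline check that reads the `Authentication-Results` header of a message and flags mail that claims to be from your own domain but did not authenticate, which is the situation described above. `example.com`, `mx.example.com` and the three sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"       # assumption: placeholder for your own domain
TRUSTED_MTA = "mx.example.com"   # assumption: authserv-id stamped by your own filter

def trusted_results(msg):
    """Return spf/dkim/dmarc verdicts from the topmost header our own MTA added.
    Headers carrying any other authserv-id may be sender-supplied and are ignored."""
    for raw in msg.get_all("Authentication-Results", []):
        header = " ".join(raw.split())              # unfold continuation lines
        first = header.split(";", 1)[0].split()
        if first and first[0].lower() == TRUSTED_MTA:
            return {k.lower(): v.lower() for k, v in
                    re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}
    return {}

def is_self_spoof(raw_message):
    """True when From: uses our domain but our MTA did not authenticate it."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1]
    if addr.rpartition("@")[2].lower() != OUR_DOMAIN:
        return False
    res = trusted_results(msg)
    if "dmarc" in res:
        return res["dmarc"] != "pass"
    # No DMARC verdict: fall back to SPF/DKIM (alignment is not checked here).
    # A message with no trusted header at all is treated as unauthenticated.
    return "pass" not in (res.get("spf"), res.get("dkim"))

# Constructed sample messages, not taken from the thread.
SPOOFED = (
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;\n"
    " dkim=none; dmarc=fail header.from=example.com\n"
    "Authentication-Results: mail.other.test; spf=pass; dmarc=pass\n"  # untrusted id
    'From: "Alice" <alice@example.com>\nTo: alice@example.com\n\nbody\n')
LEGIT = (
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com;\n"
    " dmarc=pass header.from=example.com\n"
    "From: bob@example.com\nTo: alice@example.com\n\nbody\n")
EXTERNAL = (
    "Authentication-Results: mx.example.com; spf=fail; dmarc=fail\n"
    "From: someone@other.test\nTo: alice@example.com\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("SPOOFED", SPOOFED), ("LEGIT", LEGIT), ("EXTERNAL", EXTERNAL)]:
        print(name, "-> self-spoof" if is_self_spoof(raw) else "-> ok")
```

Only the header stamped by your own receiving server is trusted here, because a sender can include an `Authentication-Results` header of its own.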

Author

Commented:
We enabled SPF and DKIM and have seen a decrease in spam, thank you all for the assistance with this.
