Users are receiving spam from themselves when using Mail Assure filtering

Last Modified

Tue Apr 14 16:22 GMT 2020

Description

  • Users on an inbound filtered domain are receiving messages which appear to be sent from themselves, or their own domain.
  • How can these messages be stopped?

Environment

  • N-able Mail Assure

Solution

  • NOTE: Messages which have a from address showing in the message headers, which impersonates an address which is not the sender, are referred to as phish attempts.
    • The SMTP Envelope (MAIL FROM) address is mainly used for message routing, and rarely displays to the recipient.
    • The header FROM: address is what is shown to the recipient in their mail client. There are several reasons why this can be used legitimately when sending messages.
  • All filtered messages appear in the inbound message logs.
  • If the messages do not appear in the Incoming > Logs search results (after at least 10 minutes of being received), the message may be received by the recipients server directly.
    • To check if the message was processed by the filter, open the message headers for the original message (not a forwarded version), from the recipients mail client (client specific instructions are available online).
    • Search for a Received: header value, containing a server name *.antispamcloud.com (e.g. mx100.antispamcloud.com).
      • If no antispamcloud.com host-names are present in the headers, the message did not pass through the filter.
    • If using Microsoft 365 - Exchange Online, the system can be modified to reject mail if it was not sent through the spam filter. For more information, see Mail AssureMicrosoft 365 Header Based Configuration.
    • For all other recipient servers, configure the mail server (MTA) to only receive mail from the Mail Assure delivery IP ranges, and reject all mail not from these ranges. Guides are available online for most server types.
  • SPF records will provide protection against the SMTP Envelope MAIL FROM: address being impersonated, verifying that the IP address used to transmit the message is authorized by the senders TXT record (For domains only using Mail Assure to send mail, this should be "v=spf1 include:spf.mtaroutes.com -all") when this includes only. For more information, see the Set up SPF.
    • SPF will not prevent, FROM header spoofing. check is made at the connection level, before the FROM address is received.
  • DMARC Records when configured correctly, in conjunction with an SPF record, will prevent either (or both), the envelope and header FROM addresses from being spoofed.
    • Both the Envelope MAIL FROM, and header FROM addresses will be checked against the authorized IP addresses in the SPF record, with control over failures being controlled by the claimed sending domain (None/Reject/Quarantine).