SANS ISC InfoSec Forums
Blocking spoofed internal email from external sources

One suggestion from Chris in the UK.

SPF is a red herring here - you surely know what IP address(es) are yours (and hence may send mail using *your* domain). You don't need SPF to tell you this. Simply reject any such mails received from off-net.

Unfortunately, this will cause false positives, e.g. where someone posts to a remote mailing list. The mail goes out, then comes back in from a remote IP (the list server) with your domain still in the From: header. Hence the sender doesn't get their own copy, nor does anyone else in your organisation who subscribes.

One solution is to add a special header to all mail you originate, so you can recognise it if it comes via such a route. This isn't cast iron, as it could be spoofed by a determined attacker, so some form of signing would be better in theory (domain keys?). Nevertheless, I know some UK university sites that use the header method with good results.

Then there's the remote e-card type sites that originate greeting mails with your domain - but losing these is probably not the end of the world...

Cheers,

Adrien

I will be teaching next: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques - SANS Europe Pen Test Special 2020

Adrien de Beaupre

353 Posts
ISC Handler
Jun 26th 2007
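The reject-off-net rule and the mailing-list round-trip exception described in the post, as an added Python example that is not part of the original thread and not any SANS or vendor tool. It takes the "signed header" variant the post hints at rather than a plain marker header: the outbound relay stamps an HMAC over the Message-ID, so a list server echoing the mail back preserves it, while an off-net party without the secret cannot mint one. The domain, address range, header name and secret are assumptions chosen for the example.

```python
"""Inbound policy for mail that claims our own domain in From:.

Added illustration (not from the ISC post). Off-net mail using our domain
is rejected unless it carries a valid origin header that our outbound
relay added, which covers the mailing-list case: the list server replays
the message with its headers, including the stamp, largely intact.
"""
import hashlib
import hmac
import ipaddress
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.org"                                  # assumed local domain
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]       # assumed on-net range
ORIGIN_HEADER = "X-Origin-Auth"                             # hypothetical header name
ORIGIN_SECRET = b"demo-secret-rotate-in-production"        # constructed secret


def origin_tag(message_id: str) -> str:
    """HMAC-SHA256 over the Message-ID; only holders of the secret can produce it."""
    return hmac.new(ORIGIN_SECRET, message_id.encode(), hashlib.sha256).hexdigest()


def stamp_outbound(raw: str) -> str:
    """What the outbound relay does: add the signed origin header before sending."""
    msg = message_from_string(raw)
    msg[ORIGIN_HEADER] = origin_tag(msg.get("Message-ID") or "")
    return msg.as_string()


def is_on_net(client_ip: str) -> bool:
    """True when the connecting address belongs to one of our own networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in OUR_NETWORKS)


def policy(raw: str, client_ip: str) -> str:
    """Return 'accept' or 'reject' for a message received from client_ip."""
    if is_on_net(client_ip):
        return "accept"                      # our own users; SPF not needed here
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    domain = from_addr.rpartition("@")[2].lower()
    if domain != OUR_DOMAIN:
        return "accept"                      # not claiming to be us; other checks apply
    presented = msg.get(ORIGIN_HEADER, "")
    expected = origin_tag(msg.get("Message-ID") or "")
    if presented and hmac.compare_digest(presented, expected):
        return "accept"                      # our mail coming back via a list server
    return "reject"                          # off-net mail spoofing our domain


# Constructed sample traffic (documentation addresses, not real hosts).
SPOOFED = (
    "From: boss@example.org\r\nTo: staff@example.org\r\n"
    "Message-ID: <1@relay.invalid>\r\nSubject: urgent\r\n\r\nplease wire funds\r\n"
)
OUTBOUND = (
    "From: alice@example.org\r\nTo: list@lists.invalid\r\n"
    "Message-ID: <2@example.org>\r\nSubject: question\r\n\r\nhello list\r\n"
)

if __name__ == "__main__":
    print("spoof from off-net:", policy(SPOOFED, "198.51.100.7"))      # reject
    print("same mail from on-net:", policy(SPOOFED, "192.0.2.10"))     # accept
    echoed = stamp_outbound(OUTBOUND)                                  # list server echoes it
    print("list round-trip:", policy(echoed, "198.51.100.7"))          # accept
```

The tag covers only the Message-ID because list servers routinely rewrite Subject and add footers but keep Message-ID; a tag lifted from one message is therefore useless on another. The residual weaknesses the post alludes to remain: a list that strips unknown headers still loses the copy, and the e-card sites it mentions are rejected outright, which is the trade-off being accepted.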
