Mail Spoofing although SPF / DMARC are deployed

    Question

  • Greetings,

    Please support us with this. We have a current mail spoofing attack. Someone from an external IP is using our mail relays to send inbound spoofed messages.

    I'll copy the header, and I don't understand why Exchange let them in although we have Sender ID / SPF / DMARC.

    Received: from xxx.xxxxx.xxx (Internal IP adress) by xxxx.xxxxx.xxx
     (Internal IP adress ) with Microsoft SMTP Server (TLS) id xx.x.xxx.x; Wed, 16 Mar
     2016 11:43:13 -0500
    Received: from [178.175.49.131] (178.175.49.131) by xxx.xxxxx.xxx
     (Internal IP adress) with Microsoft SMTP Server id xx.x.xxx.x; Wed, 16 Mar 2016
     11:43:08 -0500
    From: <Organization email>
    To: <organization email>
    Subject: Document2
    Thread-Topic: Document2
    Thread-Index: AdF+sJZYKtxaTvOhSFC+rMKD/CUwyg==
    Date: Wed, 16 Mar 2016 17:43:09 +0200
    Message-ID: <71C97C63C7AD64656424264EC@BORO-SBS.boro.local>
    Accept-Language: en-GB, en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    x-originating-ip: [192.168.x.xx]
    Content-Type: multipart/mixed;
        boundary="_004_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_"
    MIME-Version: 1.0
    Return-Path: Organization email
    X-MS-Exchange-Organization-PRD: myexchange
    Received-SPF: Fail (xxx.xxxxxxxx.xxx: domain of xxxx@xxxxx.xxx
     does not designate 178.175.49.131 as permitted sender)
     receiver=xxx.xxxxxx.xxx; client-ip=178.175.49.131; helo=[178.175.49.131];
    X-KSE-ServerInfo: xxxxx.xxx, 9
    X-KSE-AntiSpam-Interceptor-Info: scan successful
    X-KSE-AntiSpam-Version: 5.5.9, Database issued on: 03/16/2016 16:28:08
    X-KSE-AntiSpam-Status: KAS_STATUS_NOT_DETECTED
    X-KSE-AntiSpam-Method: none
    X-KSE-AntiSpam-Rate: 55
    X-KSE-AntiSpam-Info: Lua profiles 93080 [Mar 16 2016]
    X-KSE-AntiSpam-Info: LuaCore: 415 415
     56d27afa4611b5fc17406ce7708f83a66d615280
    X-KSE-AntiSpam-Info: Version: 5.5.9.3
    X-KSE-AntiSpam-Info: Envelope from: xxxxx@xxxxx.xxx.xxxx
    X-KSE-AntiSpam-Info: {relay has no DNS name}
    X-KSE-AntiSpam-Info: 127.0.0.200:7.1.3;domain:7.1.1;127.0.0.199:7.1.2;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;178.175.49.131:7.3.4
    X-KSE-AntiSpam-Info: Auth:dmarc=fail header.from=domain
     policy=reject;spf=fail smtp.mailfrom=domain;dkim=none
    X-KSE-AntiSpam-Info: {rdns complete}
    X-KSE-AntiSpam-Info: dmarc_local_policy_1
    X-KSE-AntiSpam-Info: Rate: 55
    X-KSE-AntiSpam-Info: Status: not_detected
    X-KSE-AntiSpam-Info: Method: none
    X-KSE-AntiSpam-Info: Moebius-Timestamps: 4015174, 4015198, 0
    X-KSE-Antiphishing-Info: Clean
    X-KSE-Antiphishing-Method: None
    X-KSE-Antiphishing-Bases: 03/16/2016 16:32:00
    X-MS-Exchange-Organization-PCL: 2
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus Fail;OrigIP:178.175.49.131
    X-MS-Exchange-Organization-AVStamp-Mailbox: KasprLab;28094;0;0
    X-KSE-Antivirus-Interceptor-Info: scan successful
    X-KSE-Antivirus-Info: Clean
    X-MS-Exchange-Organization-SCL: 0
    X-MS-Exchange-Organization-SenderIdResult: FAIL
    X-MS-Exchange-Organization-AuthSource: xxx.domain
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-Auto-Response-Suppress: DR, OOF, AutoReply


    Deal


    • Edited by D3al Wednesday, March 16, 2016 7:34 PM bad info
    Wednesday, March 16, 2016 6:08 PM
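Added example, not from the thread: a small Python triage of the header block quoted in the question. It assumes example.com as the masked organisation domain and invents the internal host names; the external IP, the verdict headers and the Message-ID are the thread's own. It shows the spoof signal a transport rule would key on (own domain in From: on an Anonymous session, with SPF / Sender ID Fail) and why a message whose status was merely stamped, with SCL 0, is still delivered.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # placeholder for the masked organisation domain (assumed)

# Constructed sample modelled on the headers quoted in the question; internal
# names/addresses are invented, the external IP and Message-ID are the thread's.
SAMPLE_HEADERS = """\
Received: from [178.175.49.131] (178.175.49.131) by mx.example.com
 (10.0.0.5) with Microsoft SMTP Server id 14.3.123.3; Wed, 16 Mar 2016
 11:43:08 -0500
From: <staff@example.com>
Subject: Document2
Message-ID: <71C97C63C7AD64656424264EC@BORO-SBS.boro.local>
Return-Path: staff@example.com
Received-SPF: Fail (mx.example.com: domain of staff@example.com
 does not designate 178.175.49.131 as permitted sender)
 receiver=mx.example.com; client-ip=178.175.49.131; helo=[178.175.49.131];
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-SenderIdResult: FAIL
X-MS-Exchange-Organization-AuthAs: Anonymous
"""

def header(msg, name):
    """Header value with folded continuation lines joined, or '' if absent."""
    return " ".join((msg.get(name) or "").split())

def triage(raw_headers, org_domain=ORG_DOMAIN):
    """Flag a message that claims our domain without authenticating, and say
    why Exchange still delivered it despite the SPF / Sender ID failure."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf_header = header(msg, "Received-SPF")
    spf = spf_header.split(" ", 1)[0].lower()           # pass / fail / none ...
    sender_id = header(msg, "X-MS-Exchange-Organization-SenderIdResult").lower()
    auth_as = header(msg, "X-MS-Exchange-Organization-AuthAs").lower()
    scl = int(header(msg, "X-MS-Exchange-Organization-SCL") or "-1")
    ip_match = re.search(r"client-ip=([\d.]+)", spf_header)

    reasons = []
    # Our domain in From: on an unauthenticated session is the core spoof signal;
    # the SPF / Sender ID verdicts corroborate it.
    claims_us_anonymously = from_domain == org_domain and auth_as == "anonymous"
    if claims_us_anonymously:
        reasons.append("From: is %s but AuthAs is Anonymous" % org_domain)
    if spf == "fail":
        reasons.append("Received-SPF: Fail")
    if sender_id == "fail":
        reasons.append("SenderIdResult: FAIL")
    spoofed = claims_us_anonymously and (spf == "fail" or sender_id == "fail")

    # With Sender ID set to "Stamp the status" the failure only becomes a header;
    # an SCL of 0 gives the content filter no reason to act, so the mail lands.
    why = ("failure only stamped, SCL %d not acted on" % scl) if spoofed else None
    return {"spoofed": spoofed, "action": "quarantine" if spoofed else "deliver",
            "client_ip": ip_match.group(1) if ip_match else None,
            "scl": scl, "reasons": reasons, "delivered_because": why}
```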

Answers

  • Exactly,

    In the real world, blocking "zip" files is traumatic for the businesses. At this moment my AV solutions are recognising the malware and replacing the attachment with a "Document1.zip.txt" file.

    My concern is with new pieces of malware.

    Andy, your information applies to Office 365 EOP. I'm on Exchange 2010 servers. I don't have the Office 365 service.

    Although the originating IPs are in one or several blacklist portals, the email comes in because of the mail spoofing. So I think we have to find a way to detect the spoofed email and put it in quarantine.

    Where are those configs on Exchange?


    Deal

    You can create transport rules in Exchange 2010. I would take a look at them and see what's available to make a similar rule.

    https://technet.microsoft.com/en-us/library/aa995961(v=exchg.141).aspx

    I don't know of too many anti-spam/anti-malware products that do not check inside compressed files. That's a pretty standard option. Unless they're encrypted, you should be able to scan inside compressed files.

    The fact your AV solution is recognizing the malware is evidence of that.

    Now having said that, the ability to inspect inside compressed files doesn't exist in 2010 as far as I know. It was introduced in Exchange 2013.


    Blog:    Twitter:   

    Thursday, March 17, 2016 2:15 PM

All replies

  • If you are using Kaspersky for your anti-spam, I would ask their support this question.


    Blog:    Twitter:   

    Wednesday, March 16, 2016 7:09 PM
  • Please look into the X-MS headers. I've opened a case with Kaspersky for the external IP that is blacklisted.

    X-MS-Exchange-Organization-PRD: myexchangeIPserver
    Received-SPF: Fail (xxx.xxxxxxxx.xxx: domain of xxxx@xxxxx.xxx
     does not designate 178.175.49.131 as permitted sender)
     receiver=xxx.xxxxxx.xxx; client-ip=178.175.49.131; helo=[178.175.49.131];
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus Fail;OrigIP:178.175.49.131
    X-MS-Exchange-Organization-SenderIdResult: FAIL
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-SCL: 0


    Deal

    Wednesday, March 16, 2016 7:51 PM
  • So you have anti-spam filtering enabled in Exchange? Why, if you are using Kaspersky for anti-spam?

    If you have it enabled or using the Edge role, then what is set for the senderid failure action?


    Blog:    Twitter:   

    Wednesday, March 16, 2016 8:25 PM
  • I found this post because I'm experiencing the same problem. The common header property that I'm seeing, which led me here, is "Message-ID: xxxx@BORO-SBS.boro.local". Using Exchange Admin Center > Mail Flow > Rules I added a condition looking for a "message header includes": "message-id" includes "@BORO-SBS.boro.local". For now I'm prepending the subject with SPAM/SPOOF to test. We'll see if it is successful with the next wave of this junk.

    Wednesday, March 16, 2016 8:53 PM
  • So you have anti-spam filtering enabled in Exchange? Why, if you are using Kaspersky for anti-spam?

    If you have it enabled or using the Edge role, then what is set for the senderid failure action?


    Blog:    Twitter:   

    Greetings Andy, let me explain: I don't manage the servers, I'm a security analyst who receives alerts/notifications.

    We receive a mail from "@ourdomain" but this mail is coming from an external IP (the one that is in the text of the header). It is clearly a spoofed mail (the IP is blacklisted, for example on mailcop). The question here is: we have SPF / DMARC in place, so an inbound email coming from an external IP that doesn't belong to us (is not in our DNS records) should not enter our mailboxes.

    We have had Kaspersky for Exchange for a few months, so I can't answer your first two questions. Should we take off the Exchange anti-spam configuration to only work with Kaspersky?

    About the last question: it is configured on "Stamp the status"


    Deal


    • Edited by D3al Wednesday, March 16, 2016 10:23 PM
    Wednesday, March 16, 2016 10:18 PM
  • I am seeing the BORO-SBS emails coming in here with a payload of the Locky ransomware. I have added SPF to the domain now. The originating IP is blacklisted now but maybe wasn't earlier.

    I have noticed in Ex 2007 and 2010 that SPF anti spam doesn't actually work unless you have an external DNS resolver set. I have no idea why. But I've seen this on many servers.

    Wednesday, March 16, 2016 10:28 PM
  • So you have anti-spam filtering enabled in Exchange? Why, if you are using Kaspersky for anti-spam?

    If you have it enabled or using the Edge role, then what is set for the senderid failure action?


    Blog:    Twitter:   

    Greetings Andy, let me explain: I don't manage the servers, I'm a security analyst who receives alerts/notifications.

    We receive a mail from "@ourdomain" but this mail is coming from an external IP (the one that is in the text of the header). It is clearly a spoofed mail (the IP is blacklisted, for example on mailcop). The question here is: we have SPF / DMARC in place, so an inbound email coming from an external IP that doesn't belong to us (is not in our DNS records) should not enter our mailboxes.

    We have had Kaspersky for Exchange for a few months, so I can't answer your first two questions. Should we take off the Exchange anti-spam configuration to only work with Kaspersky?

    About the last question: it is configured on "Stamp the status"


    Deal


    Well, you probably don't need both, but maybe figure that out later.

    For your immediate issue, if you want to block spoofed messages that fail DMARC testing, you could create a transport rule similar to this:

    http://no-one-uses-email-anymore.com/transport-rules-versus-safe-sender-lists-in-office-365eop-quien-es-mas-macho/


    Blog:    Twitter:   

    • Proposed as answer by Roger Lu Thursday, March 17, 2016 11:26 AM
    Wednesday, March 16, 2016 11:17 PM
  • Thanks for this - I've just had an email to my home address, using a spoofed version of the same address as sender - as though I'd sent myself a zip file. However, the Message-ID contains BORO-SBS.boro.local, so I found this page and this mention.
    • Edited by dglp Thursday, March 17, 2016 7:58 AM
    Thursday, March 17, 2016 7:58 AM
  • I set up a spam filter on our email server which blocked every message containing the phrase BORO-SBS.boro.local

    It was working for a while, but now some of our employees are receiving the same emails with random IDs instead of the one mentioned before.

    I found the article here: https://myonlinesecurity.co.uk/document1-pretending-to-come-from-your-own-email-address-js-malware-leads-to-locky-ransomware/


    Thursday, March 17, 2016 12:44 PM
  • Instead of trying to block by subject, or phrases, I would block all executables and by file extension. 

    Blog:    Twitter:   

    Thursday, March 17, 2016 1:39 PM
  • Instead of trying to block by subject, or phrases, I would block all executables and by file extension. 


    That is also doable, but the attachment comes in a zip archive. I cannot block zip archives because they are very popular. Inside the archive there is a JavaScript, but it's too late if anybody opens it.
    Thursday, March 17, 2016 1:41 PM
  • Exactly,

    In the real world, blocking "zip" files is traumatic for the businesses. At this moment my AV solutions are recognising the malware and replacing the attachment with a "Document1.zip.txt" file.

    My concern is with new pieces of malware.

    Andy, your information applies to Office 365 EOP. I'm on Exchange 2010 servers. I don't have the Office 365 service.

    Although the originating IPs are in one or several blacklist portals, the email comes in because of the mail spoofing. So I think we have to find a way to detect the spoofed email and put it in quarantine.

    Where are those configs on Exchange?


    Deal

    Thursday, March 17, 2016 2:01 PM
  • This is a relatively new problem.

    I uploaded the infected attachment to VirusTotal and unfortunately only 8 out of 56 virus/malware scanners recognized it as infected. I copy the report URL here:

    https://www.virustotal.com/en/file/a947f4997bd5c807c7731f1d9602714657bf36bc518c2acd2a8905ffa0176e9f/analysis/

    Knowing this, I would not trust the receiver's AV solution.


    Thursday, March 17, 2016 2:28 PM
  • Greetings,

    I found two posts in order to harden Exchange with transport rules:

    http://markgossa.blogspot.com/2016/01/block-spoofed-email-exchange-2010-2013-2016-part1.html

    http://markgossa.blogspot.com/2016/01/block-spoofed-email-exchange-2010-2013-2016-part2.html

    The spoofed emails contain DRIDEX & LOCKY malware.

    If someone has a list of C2 servers, please attach it.


    Deal

    Wednesday, March 23, 2016 3:01 PM
  • Greetings,

    I found two posts in order to harden Exchange with transport rules:

    http://markgossa.blogspot.com/2016/01/block-spoofed-email-exchange-2010-2013-2016-part1.html

    http://markgossa.blogspot.com/2016/01/block-spoofed-email-exchange-2010-2013-2016-part2.html

    The spoofed emails contain DRIDEX & LOCKY malware.

    If someone has a list of C2 servers, please attach it.


    Deal

    I would not set SPF for a hardfail unless you are very confident about the quality of your SPF records.

    Blog:    Twitter:   

    Wednesday, March 23, 2016 3:27 PM
  • I would not set SPF for a hardfail unless you are very confident about the quality of your SPF records.

    Blog:    Twitter:   

    You're right. Especially for environments with 3rd party mail senders. BTW, there are a lot of sites to test SPF records.

    Hardfail is a "must" to prevent spoofing.


    Deal

    Wednesday, March 23, 2016 4:16 PM
  • I would not set SPF for a hardfail unless you are very confident about the quality of your SPF records.

    Blog:    Twitter:   

    You're right. Especially for environments with 3rd party mail senders. BTW, there are a lot of sites to test SPF records.

    Hardfail is a "must" to prevent spoofing.


    Deal

    I would argue that using DMARC is a better option and leverage SPF, but not using hardfail unless you are absolutely positive on the results.

    Blog:    Twitter:   

    Wednesday, March 23, 2016 4:47 PM
  • Greetings,

    Someone help please.

    Sender ID: FAIL, SPF: FAIL, but still the spoofed mail enters. I suppose that with this configuration this mail shouldn't enter the mailbox.

      Received: from dsl-187-138-87-143-dyn.prod-infinitum.com.mx (187.138.87.143) by mydomain.com (x.x.x.x) with Microsoft SMTP Server id xx.x.xxx.x; Thu, 12 May 2016 04:47:26 -0500
      Content-Type: multipart/mixed
      Content-Transfer-Encoding: 7bit
      MIME-Version: 1.0 (1.0)
      Date: Thu, 12 May 2016 04:47:23 -0500
      Subject: Document
      Message-ID: <Apple-Mail-80F2E299-9C37-FE26-42A4-C2C1DDF43AAD@spoofeddomain.com>
      X-Mailer: iPhone Mail ({rndhex(6,6}})
      Return-Path: user@mydomain.com
      X-MS-Exchange-Organization-OriginalArrivalTime: 12 May 2016 09:47:26.1754 (UTC)
      X-MS-Exchange-Organization-OriginalClientIPAddress: 187.138.87.143
      X-MS-Exchange-Organization-OriginalServerIPAddress: x.x.x.x (my_mail_IPadress)
      X-MS-Exchange-Organization-AuthSource: mx.mydomain.com
      X-MS-Exchange-Organization-AuthAs: Anonymous
      X-MS-Exchange-Organization-MessageDirectionality: Incoming
      X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: mx.mydomain.com
      X-MS-Exchange-Organization-PRD: mydomain.com
      X-MS-Exchange-Organization-SenderIdResult: Fail
      Received-SPF: Fail (mx.mydomain.com: domain of user@mydomain.com does not designate 187.138.87.143 as permitted sender) receiver=mx.mydomain.com; client-ip=187.138.87.143; helo=dsl-187-138-87-143-dyn.prod-infinitum.com.mx;
      X-MS-Exchange-Organization-SCL: 1
      X-MS-Exchange-Organization-PCL: 2
      X-MS-Exchange-Organization-Antispam-Report: DV:3.3.16001.886;SID:SenderIDStatus Fail;OrigIP:187.138.87.143
      X-MS-Exchange-Organization-OriginalSize: 67107
      X-MS-Exchange-Forest-MessageScope: 00000000-0000-0000-0000-000000000000
      X-MS-Exchange-Organization-MessageScope: 00000000-0000-0000-0000-000000000000
      X-MS-Exchange-Organization-HygienePolicy: Standard


    Deal



    • Edited by D3al Thursday, May 19, 2016 8:38 PM delete an domain
    Thursday, May 19, 2016 8:35 PM
  • No one?

    Greetings,

    Someone help please.

    Sender ID: FAIL, SPF: FAIL, but still the spoofed mail enters. I suppose that with this configuration this mail shouldn't enter the mailbox.

      Received: from dsl-187-138-87-143-dyn.prod-infinitum.com.mx (187.138.87.143) by mydomain.com (x.x.x.x) with Microsoft SMTP Server id xx.x.xxx.x; Thu, 12 May 2016 04:47:26 -0500
      Content-Type: multipart/mixed
      Content-Transfer-Encoding: 7bit
      MIME-Version: 1.0 (1.0)
      Date: Thu, 12 May 2016 04:47:23 -0500
      Subject: Document
      Message-ID: <Apple-Mail-80F2E299-9C37-FE26-42A4-C2C1DDF43AAD@spoofeddomain.com>
      X-Mailer: iPhone Mail ({rndhex(6,6}})
      Return-Path: user@mydomain.com
      X-MS-Exchange-Organization-OriginalArrivalTime: 12 May 2016 09:47:26.1754 (UTC)
      X-MS-Exchange-Organization-OriginalClientIPAddress: 187.138.87.143
      X-MS-Exchange-Organization-OriginalServerIPAddress: x.x.x.x (my_mail_IPadress)
      X-MS-Exchange-Organization-AuthSource: mx.mydomain.com
      X-MS-Exchange-Organization-AuthAs: Anonymous
      X-MS-Exchange-Organization-MessageDirectionality: Incoming
      X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: mx.mydomain.com
      X-MS-Exchange-Organization-PRD: mydomain.com
      X-MS-Exchange-Organization-SenderIdResult: Fail
      Received-SPF: Fail (mx.mydomain.com: domain of user@mydomain.com does not designate 187.138.87.143 as permitted sender) receiver=mx.mydomain.com; client-ip=187.138.87.143; helo=dsl-187-138-87-143-dyn.prod-infinitum.com.mx;
      X-MS-Exchange-Organization-SCL: 1
      X-MS-Exchange-Organization-PCL: 2
      X-MS-Exchange-Organization-Antispam-Report: DV:3.3.16001.886;SID:SenderIDStatus Fail;OrigIP:187.138.87.143
      X-MS-Exchange-Organization-OriginalSize: 67107
      X-MS-Exchange-Forest-MessageScope: 00000000-0000-0000-0000-000000000000
      X-MS-Exchange-Organization-MessageScope: 00000000-0000-0000-0000-000000000000
      X-MS-Exchange-Organization-HygienePolicy: Standard


    Deal


    Deal

    Friday, May 20, 2016 8:25 PM