none
Blocking Senders with different Reply To and From Addresses RRS feed

  • Question

  • Hi,

    We are looking to block any emails which have their "Reply-To" and "From" addresses different.

    This is in attempt to avoid spoofed emails from affecting us.

    Checked on a few forums, but could not find any Microsoft official documents on why or why not it should be done.

    If anyone can please help, with MS documentation, on why it can cause issues, that would be helpful.

    Thanks.

    Monday, July 15, 2019 3:55 PM

All replies

  • Hi.

    It's not MS document, but I hope can help you.

    Troubleshooting and Identifying Spoofing Attacks

    PS. On article describe dynamic blocking this type messages by SPF, DMARC, and DKIM.

    On-Premises Exchange: DKIM and DMARC setup

    SenderID, SPF, DKIM and DMARC in Exchange 2016 – Part I


    MCITP, MCSE. Regards, Oleg

    Monday, July 15, 2019 4:10 PM
  • You can find the Reply-To option in  the message header. Based on that you can block the emails for users with an outlook rule or for all the users using a transport rule.DO NOT block all the emails which have Reply-To addresses as most of the customer support teams use this while sending out an email so that the response is received by their whole team instead of an individual.

    You can use a different approach(Apply a disclaimer or redirecting to quarantine) instead of blocking all emails so that you won't miss the legitimate one's.

    Monday, July 15, 2019 4:15 PM
  • Thanks. If you may have any MS document saying that it is not a good practice to block such emails, which I know it isnt, but management won't understand unless it comes from Microsoft.

    That would be really helpful.

    Monday, July 15, 2019 7:37 PM
  • Thanks. If you may have any MS document saying that it is not a good practice to block such emails, which I know it isnt, but management won't understand unless it comes from Microsoft.

    That would be really helpful.

    Monday, July 15, 2019 7:37 PM
  • This indeed a Microsoft document: Troubleshooting and Identifying Spoofing Attacks, it mentioned that SPF and DMARC will detect attacks that use the Reply-To header. 

    Ensure that you have implemented SPF and DMARC for your orgnization.

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Tuesday, July 16, 2019 7:00 AM
    Moderator
  • Thanks.

    I am looking for MS Document stating that it is a bad idea to quarantine emails that have different reply to and from addresses.

    Thanks. 

    Tuesday, July 16, 2019 6:56 PM
  • Thanks.

    I am looking for MS Document stating that it is a bad idea to quarantine emails that have different reply to and from addresses.

    Thanks. 

    As far as I know, no MS document would state it is a bad idea, since you have a risk of spoofing if the two headers are different.

    So in case of the spoofing and junk emails, we suggest you implement the SPF, DMARC records and let it judge whether the message is safe.

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, July 17, 2019 9:41 AM
    Moderator
  • Just checking in to see if above information was helpful. Please let us know if you would like further assistance.

    Regards, 

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, July 22, 2019 10:22 AM
    Moderator