Blocking spoofed internal email from external sources

One suggestion from Chris in the UK.

SPF is a red herring here - you surely know what IP address(es) are yours (and hence may send mail using *your* domain). You don't need SPF to tell you this. Simply reject any such mails received from off-net.

Unfortunately, this will cause false positives, e.g. where someone posts to a remote mailing list. The mail goes out, then comes back in from a remote IP (the list server) with your domain still in the From: header. Hence the sender doesn't get their own copy, nor does anyone else in your organisation who subscribes.

One solution is to add a special header to all mail you originate, so you can recognise it if it comes back via such a route. This isn't cast-iron, as it could be spoofed by a determined attacker, so some form of signing would be better in theory (DomainKeys?). Nevertheless, I know some UK university sites who use the header method with good results.

Then there are the remote e-card type sites that originate greeting mails with your domain - but losing these is probably not the end of the world...


Adrien de Beaupre

ISC Handler
Jun 26th 2007
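The policy Chris describes, as an added example that is not part of the original post: reject mail that claims our domain in From: when it arrives from off-net, unless it carries the marker header we add to mail we originate (so mailing-list reflections survive). The domain, networks and header name are constructed assumptions.

```python
# Added example (not from the ISC post): a gateway policy function for
# "our domain in From: must come from our network or carry our marker".
import ipaddress
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                                  # assumption
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),      # constructed:
                ipaddress.ip_network("2001:db8::/32")]      # our MTA ranges
MARKER_HEADER = "X-Example-Originated"                      # assumed name
MARKER_VALUE = "yes"


def from_domain(msg):
    """Domain part of the From: address, lowercased ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_internal(client_ip):
    """True when the connecting MTA is inside our own address space."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in OUR_NETWORKS)


def policy(client_ip, raw_message):
    """Return ('accept', reason) or ('reject', reason) for one message."""
    msg = message_from_string(raw_message)
    if from_domain(msg) != OUR_DOMAIN:
        return ("accept", "From: is not our domain")
    if is_internal(client_ip):
        return ("accept", "our domain, sent from our own network")
    if msg.get(MARKER_HEADER, "").strip().lower() == MARKER_VALUE:
        # Weak evidence, as the post notes: the header can be forged.
        # A DKIM signature check would be the stronger form of this test.
        return ("accept", "our domain via remailer, marker header present")
    return ("reject", "our domain in From: from off-net %s" % client_ip)


# Constructed sample messages: a spoof from outside, and a mailing-list
# reflection of mail we originated (marker header still present).
SPOOF = "From: ceo@example.com\nSubject: urgent\n\nwire money\n"
LIST_COPY = ("From: alice@example.com\nX-Example-Originated: yes\n"
             "List-Id: <dev.lists.example.org>\nSubject: patch\n\nhi\n")
```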
