Blocking spoofed internal email from external sources

Blocking spoofed internal email from external sources
One suggestion from Chris in the UK. SPF is a red herring here - you surely know what IP address(s) are yours (and hence may send mail using your domain). You don't need SPF to tell you this. Simply reject any such mails received from off-net. Unfortunately, this will cause false positives e.g where someone posts to a remote mailing list. The mail goes out then comes back in from a remote IP, (the list server) with your domain still as From: header. Hence the sender doesn't get their own copy, nor does anyone else in your organisation who subscribes. One solution is to add a special header to all mail you originate, so you can recognise it if comes via such a route. This isn't cast iron, as it could be spoofed by a determined attacker, so some form of signing would be better in theory (domain keys?). Nevertheless, I know some UK university sites who use the header method with good results. Then there's the remote e-card type sites that originate greeting mails with your domain - but losing these is probably not the end of the world... Cheers, Adrien I will be teaching next: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques - SANS Cyber Defence Asia Pacific 2021	Adrien de Beaupre 353 Posts ISC Handler Jun 26th 2007
Thread locked Subscribe	Jun 26th 2007 1 decade ago