Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Preventing spoofed internal e-mail - SANS Internet Storm Center SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Preventing spoofed internal e-mail

Nick submitted a nice piece of malware we are currently looking at. The malware itself includes a nice rootkit that doesn't appear to be detected with common rootkit tools. However, in my opinion, the delivery method was noteworthy. It used a spoofed internal sender. This made me wonder what's the best way to block e-mail that comes from outside mail servers, but claims an internal "From:" header.

My first guess would be that this is a great reason to enable SPF. Will this work?  I am assuming that it is a standard policy to require employees to use a VPN connection or "something like that" to send e-mail using an internal mail server.

Any other ideas?

I will be teaching next: Intrusion Detection In-Depth - SIEM Summit & Training 2019


3630 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!