
It would be impossible to be any more of a newbie than I am at dealing with SA and rules etc., etc. I am having an issue and have searched high and low on the net, and I get some info that sort of seems to answer the question, but to this point nothing is working to fix my issue... so... please help, anyone?

One particular problem I have been having with a client site is a spoofed "reply to" input. Actually let me show you an example.

```
From: rh60 info@realdomain.com
Date: June 30, 2021 at 3:56:29 AM EDT
To: info@realdomain.com
Subject: New Message From Real Domain
Reply-To: "rh60" ld5@michio810.sho99.mokomichi.xyz, rh60 info@realdomain.com
```

If you look above you will see I have changed the client's actual domain to "realdomain.com" for this email. But in the "FROM" field it is showing a legit email address from within their domain. The "TO" field is also legit.

The only thing that is clearly wrong is the first entry in the "REPLY TO" line, where you can see the spammer's actual email or a placeholder.

My question is: can I set up a rule that would filter a message like this as SPAM and have it not go to the client? This would be for this ONE particular client, as they would NEVER send an email with TWO reply-to addresses in one email.

I am completely clueless as to how to go about this. Can I put some sort of wildcard in a rule so that if there are TWO addresses in the reply-to it is spam? Can the rule be set PER domain? Sorry, not joking about being new.

Thoughts?

  • There is a difference between marking as spam and blocking/discarding. Which are you trying to achieve? – Paul Jul 04 '21 at 15:26
  • Oh sorry about that, my complete lack of knowledge shining through. I would like in a perfect world to just block/discard them – BKKcanuck Jul 04 '21 at 18:05

1 Answer


Honestly, I think the effect you would like to establish with your intended rule is not fully possible, since the filtering process takes place at the receiving side. As far as I know, the only tools at our disposal with which we can tell receivers of our e-mail messages how to handle mail that's claiming to come from our domain's mailbox are the SPF, DKIM, and DMARC records. However, if your original intention is to have spoofed e-mail discarded by the receivers, those tools are exactly what you need.

  • The SPF record of a domain tells any server that checks it which servers are authorized to be sending messages in the name of that domain.
  • The DKIM record publishes a public key. Each message sent using DKIM is signed with a specific hash that a receiver can match with that public key.
  • The DMARC record tries to enforce that both SPF and DKIM are correctly set up for each message that's claiming to have been sent from a domain's mailbox, and makes it possible to have the receiving servers report back about anomalies.

Although all 3 of those records may be ignored by a receiving server - if the network administrator felt like setting it up that way - in general they are not, so any spoofed e-mail should fail some or all checks on those records, and ideally be discarded.
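The Reply-To check the question asks for, written as an added, stand-alone detection example (not code from the question or the answer). It flags a message claiming to come from the protected domain when its Reply-To header carries more than one address or any address outside that domain; the sample headers are constructed from the ones quoted in the question, with the angle brackets the paste dropped restored, and `realdomain.com` is the assumed client domain.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, based on the headers quoted in the question.
SPOOFED = """\
From: rh60 <info@realdomain.com>
To: info@realdomain.com
Subject: New Message From Real Domain
Reply-To: "rh60" <ld5@michio810.sho99.mokomichi.xyz>, rh60 <info@realdomain.com>

Body text.
"""

# Constructed clean sample: one Reply-To address, inside the client's domain.
CLEAN = """\
From: rh60 <info@realdomain.com>
To: info@realdomain.com
Subject: New Message From Real Domain
Reply-To: rh60 <info@realdomain.com>

Body text.
"""

PROTECTED_DOMAIN = "realdomain.com"  # assumed: the one client this rule is scoped to


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def reply_to_findings(raw, protected=PROTECTED_DOMAIN):
    """Return the reasons the Reply-To header looks spoofed (empty list = pass).

    Only mail whose From address is in the protected domain is examined, which
    is how the check stays per-domain as the question asks.
    """
    msg = message_from_string(raw)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    if not any(domain_of(a) == protected for a in from_addrs):
        return []
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    findings = []
    if len(reply_addrs) > 1:
        findings.append(f"{len(reply_addrs)} Reply-To addresses")
    foreign = sorted({domain_of(a) for a in reply_addrs} - {protected})
    if foreign:
        findings.append(f"Reply-To domain outside {protected}: {', '.join(foreign)}")
    return findings
```

Either finding on its own is enough to quarantine the message for this client; a filter that only counts addresses would miss a single spoofed Reply-To, so the domain test is kept as a second condition.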