We had an interesting issue with one of our customers the other day: users reported that they were receiving spoofed email from the CEO. I’ve replicated the issue so in this scenario, email was received from Rick Mehew (fictional CEO for Contoso.com):
- Sender: Rick Mehew <rick.mehew@gmail.com>
- Recipient: mark.gossa@contoso.com
- Subject: Afternoon meeting
The From address is clearly not a contoso.com address, so the problem is the sender's display name: it is correct, and that is what catches users out, because they don't always see the underlying email address, for example in Outlook or on mobile devices. So we need a way to block, or perform some other action on, these emails.
Message headers
To find out more information about the email, the first thing I did was to use Search-Mailbox to retrieve the email from the user's mailbox and view the message headers, which are below:
Received: from mbx01.contoso.com (192.168.1.2) by
mbx01.contoso.com (192.168.1.2) with Microsoft SMTP Server (TLS) id
15.0.913.22 via Mailbox Transport; Fri, 8 Jan 2016 09:51:28 +0000
Received: from cas01.contoso.com (192.168.1.1) by
mbx01.contoso.com (192.168.1.2) with Microsoft SMTP Server (TLS) id
15.0.913.22; Fri, 8 Jan 2016 09:51:22 +0000
Received: from smarthost.contoso.com (192.168.1.50) by
cas01.contoso.com (192.168.1.1) with Microsoft SMTP Server (TLS) id
15.0.913.22 via Frontend Transport; Fri, 8 Jan 2016 09:51:20 +0000
Received: from 1aHThX-0000QK-5p by smarthost.contoso.com with hostsite:113836 (Exim 4.85)
(envelope-from <rick.mehew@gmail.com>)
id 1aHThY-0000f7-4u
for mark.gossa@contoso.com; Fri, 08 Jan 2016 01:51:20 -0800
Received: by emcmailer; Fri, 08 Jan 2016 01:51:20 -0800
Received: from mail-ob0-f195.google.com ([209.85.214.195])
by smarthost.contoso.com with esmtps (TLSv1.2:AES128-GCM-SHA256:128)
(Exim 4.85)
(envelope-from <rick.mehew@gmail.com>)
id 1aHThX-0000QK-5p
for mark.gossa@contoso.com; Fri, 08 Jan 2016 01:51:19 -0800
Received: by mail-ob0-f195.google.com with SMTP id tr5so23393497obc.2
for <mark.gossa@contoso.com>; Fri, 08 Jan 2016 01:51:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=6KPf6Dnh4k/Oq4tImujWszq8R/7c+n/ju6akkiUsMKs=;
b=brF0jp3bNKUccBdSkGNdbWlwO9aoTeBYVjWsjrPHorF0WUnrTunlVUt7ZS1v/o5jqK
QuO10or1hdfiRgR7OGrRhto4ZUe46uuFgy9Sd9IUFGmusEItqDwIt44u3JQudSwCcfa4
uqPXXTD7HExQTfuJlgvtVYOeDGKljgGAdKQmW1oW+LlB/tt39Hiig41M6Iok3gyGlPsZ
d49l1smiDispYz0s+bfbu403Nankn50cSCIzLFvwGbAfAU8wG744D1TVhCdwy48H8V9+
Di9uHmr0KezhVSZG0xUYD+kw/IVAwHSqkKK5c/Iw2EWy70zp9Bpac3KTh5Dlb1mOQ2xr
XoBA==
MIME-Version: 1.0
X-Received: by 10.60.95.131 with SMTP id dk3mr83764828oeb.78.1452246673512;
Fri, 08 Jan 2016 01:51:13 -0800 (PST)
Received: by 10.202.210.20 with HTTP; Fri, 8 Jan 2016 01:51:13 -0800 (PST)
Date: Fri, 8 Jan 2016 10:51:13 +0100
Message-ID: <CAB7gfbi8ExvkEjtFU_c=rbJrFbFFxaPAECrg_+xGNd1YBCQE8Q@mail.gmail.com>
Subject: Afternoon meeting
From: Rick Mehew <rick.mehew@gmail.com>
To: <mark.gossa@contoso.com>
Content-Type: multipart/alternative; boundary="089e0122867c19f5720528cf8707"
Received-SPF: SoftFail (mbx01.contoso.com: domain of transitioning
rick.mehew@gmail.com discourages use of 192.168.1.50 as permitted sender)
Received-SPF: pass (smarthost.contoso.com: domain of gmail.com designates 209.85.214.195 as permitted sender) client-ip=209.85.214.195; envelope-from=rick.mehew@gmail.com; helo=mail-ob0-f195.google.com;
X-FM-OS: Linux 2.2.x-3.x
X-FM-GeoIP: US
X-Origin-IP: 209.85.214.195
X-Env-From: rick.mehew@gmail.com
X-PolicySMART: 4760852
X-SPAM-Status: NO, 0.0 / 4.0
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
Return-Path: rick.mehew@gmail.com
X-MS-Exchange-Organization-PRD: gmail.com
X-MS-Exchange-Organization-SenderIdResult: Pass
X-MS-Exchange-Organization-Network-Message-Id: 29da57e2-9e05-4bab-52ff-08d318114787
X-EXCLAIMER-MD-CONFIG: 61102a45-deb9-493a-9a01-082f19bb638a
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: cas01.contoso.com
X-MS-Exchange-Organization-AuthAs: Anonymous
For more information about the Search-Mailbox cmdlet, see here.
In OWA, here we can see the email address clearly is not from someone within the organization, domain.com:
How to block spoofed email
Now, let's look at how we can prevent this type of email, starting with whether we can block it using the normal methods:
Sender ID Filtering
We cannot use Sender ID filtering because the email is sent from Gmail using mail-ob0-f195.google.com (209.85.214.195) and this address is listed as a permitted sender.
Reverse DNS checks
There is a valid PTR record for 209.85.214.195 which resolves to mail-ob0-f195.google.com and there’s also a valid A record mail-ob0-f195.google.com which resolves to 209.85.214.195. Reverse DNS checks out. For more information about reverse DNS, see here.
DKIM
The email has a valid DKIM signature.
IP blacklist
The IP 209.85.214.195 is not on any blacklist.
Content filtering
Content filtering cannot be used as there are no specific words that we can look for to identify this email.
The email was in fact sent from a legitimate Gmail SMTP server, and that is exactly what makes it hard to block with any of these methods: every sender-reputation check passes because the sending infrastructure is genuine. The only thing wrong with the message is the display name.
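Before building the rule, it helps to state the one signal the normal checks miss in code: the display name belongs to an executive, but the address is not in our domain. The function below is an added example, not part of the original post, that classifies From headers on exactly that basis. The executive list, the internal domain, the hypothetical personal address on the exception list, and the sample headers are all constructed for the example.

```powershell
# Added example (not from the original post): classify From headers for
# display-name spoofing. The executive list, internal domain, exception
# address and sample headers are constructed assumptions.
$InternalDomain         = 'contoso.com'
$ProtectedDisplayNames  = @('Rick Mehew')            # assumed list of executive display names
$KnownExternalAddresses = @('rick.mehew@example.org') # hypothetical personal account to exempt

function Test-DisplayNameSpoof {
    param([Parameter(Mandatory)][string]$FromHeader)

    # RFC 5322 name-addr form: Rick Mehew <rick.mehew@gmail.com> or "Rick Mehew" <...>
    if ($FromHeader -match '^\s*"?(?<name>[^"<]*?)"?\s*<(?<addr>[^>]+)>\s*$') {
        $name = $Matches['name'].Trim()
        $addr = $Matches['addr'].Trim().ToLowerInvariant()
    } else {
        # Bare address with no display name, so nothing to spoof with
        $name = ''
        $addr = $FromHeader.Trim().ToLowerInvariant()
    }
    $domain = ($addr -split '@')[-1]

    $result = [pscustomobject]@{
        DisplayName = $name
        Address     = $addr
        Verdict     = 'Allow'
    }

    # Internal senders are left alone so the real Rick Mehew is unaffected
    if ($domain -eq $InternalDomain) { return $result }
    # The exception the post describes: a known personal account of the executive
    if ($KnownExternalAddresses -contains $addr) { return $result }
    # External sender borrowing a protected display name
    if ($ProtectedDisplayNames -contains $name) { $result.Verdict = 'Spoof' }
    return $result
}

# Constructed sample From headers covering each branch above
$samples = @(
    'Rick Mehew <rick.mehew@gmail.com>',       # expected: Spoof
    '"Rick Mehew" <rick.mehew@contoso.com>',   # expected: Allow (internal)
    'Rick Mehew <rick.mehew@example.org>',     # expected: Allow (known personal account)
    'Mark Gossa <mark.gossa@gmail.com>'        # expected: Allow (not a protected name)
)
$samples | ForEach-Object { Test-DisplayNameSpoof -FromHeader $_ } | Format-Table -AutoSize
```

Note that `-contains` is case-insensitive in PowerShell, which is what you want here: "rick mehew" and "RICK MEHEW" are the same lure to a user glancing at Outlook.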
Transport rule
The way to get Exchange to recognize this email is to set up a custom transport rule which we can use to identify the email and perform any action on it. To identify the display name in the email, we need to set up our transport rule conditions to include emails which have “Rick Mehew” in the email’s “From” header and only email from senders outside the organization so it doesn’t affect the internal email delivery for Rick Mehew.
Note that if Rick Mehew has an external account (i.e. a personal email account which is not part of the Exchange organization) then you’ll need to add this email address as an exception to the rule so it is not marked as spam.
In this example we are prepending the subject line of the email with SPAM to notify users:
Now when we get emails from rick.mehew@gmail.com, they will appear as below with “SPAM” prepended to the subject to inform users:
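The same rule can be created from the Exchange Management Shell rather than the EAC. The commands below are an added example, not the post's own, and assume a rule name of my choosing and a hypothetical personal address for the exception; the `-SetSCL 9` action, which also sends the message to Junk, goes one step beyond the subject prefix the post uses and is there as an option, not a requirement. The rule starts in audit mode so you can check what it would have matched before it changes anyone's mail.

```powershell
# Added example (not the post's own commands): transport rule that tags external
# mail whose From header carries the CEO's display name. Run in the Exchange
# Management Shell. Rule name, personal address and subject prefix are assumptions.
$ruleName        = 'Tag CEO display-name spoofing'
$ceoDisplayName  = 'Rick Mehew'
$ceoExternalAddr = 'rick.mehew@example.org'   # hypothetical personal account to exempt

New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `                      # only senders outside the organization
    -HeaderContainsMessageHeader 'From' `
    -HeaderContainsWords $ceoDisplayName `              # the display name users actually see
    -ExceptIfFromAddressContainsWords $ceoExternalAddr ` # the exception the post describes
    -PrependSubject 'SPAM: ' `
    -SetSCL 9 `                                         # optional: also route to Junk
    -Mode Audit `                                       # log matches first, act later
    -Comments 'Added after users received spoofed mail using the CEO display name'

# Confirm the conditions, exception and actions were stored as intended
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, HeaderContainsMessageHeader, `
                HeaderContainsWords, ExceptIfFromAddressContainsWords, PrependSubject, SetSCL

# Once the audit results look right, switch the rule to enforcement
Set-TransportRule -Identity $ruleName -Mode Enforce
```

Two things worth checking after enforcement: that a test message sent from Rick Mehew's internal mailbox is not touched (the `-FromScope NotInOrganization` condition handles this), and that the `From` header match is on the display name rather than the address, since the address is the one thing the attacker can choose freely.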
This should help you out with this type of issue. All the best!