Forged PRA Header

ardiii_890 · ‎12-03-2015

A faked email has been received to our domain by forging the SPF PRA

header. From logs we see that Pra Identity is an internal email account.

How to solve this problem and block emails that forge the SPF PRA

header to a valid internal account of our domain.

The SFP Conformance Level is set to SIDF Compatible and Downgrade PRA verification result if 'Resent-Sender:' or 'Resent-From:' were used: is set to YES

Helo test is set to NO

grozairo · ‎12-14-2015

Hi,

I've received a similar issue with the mailfrom identity different from the pra identity which used an internal identity. Our SFP Conformance level is the same as yours for our default mail policy.

Have you been able to resolve this problem ? Thanks.

ardiii_890 · ‎12-15-2015

HI Grozario,

Add Spf2 record in your public DNS.

For example for your domain cnv.org you have only SP1 record (v=spf1 ip4:69.196.67.161 ip4:208.98.201.111 ~all)

Tell your public DNS which stores MX records to add SPF2 record:

v=spf2.0/pra ip4:69.196.67.161 ip4:208.98.201.111 ~all

After that add a Content Filter that makes a SPF Verification with status spf-status == "fail" or spf-status == "permerror" and add emails found to quarantine or delete them.

However I am not able to test this procedure as I am not able to replicate the case. Do you know how to simulate this case, how to modify PRA header in order to test the validity of the changes?

grozairo · ‎12-16-2015

Hi Ardii_890,

Thanks for the quick response. I've read about Sender ID and SPF2 however, our Cisco ESA should reject incoming email that has a discrepancy between the SPF mailfrom & SPF pra. especially when the SPF pra is an internal address. Based on RFC 4407 the pra is created if you send an email through a list server or some news web sites where you email an article to someone. The site will then send the email with its own email address and your email address as a pra. This might be a way of testing your setup?

I'm hoping to upgrade to the latest OS on our ESA which hopefully fix the issue.

ardiii_890 · ‎12-17-2015

Hi Grozairo,

You are right, at least IronPort should give a method for comparing SPF and SFP/pra headers (filter or content filter) and its up to you that decide whether or not to block differences between two headers.

News Websites do not modify the Pra Header (those I know). They add on behalf of at from header. I think this has to do with some smtp injections during smtp helo conversation or some other stuff.

one51support · ‎12-18-2015

Hi,

We have the same issue and there are two solutions that I am aware of.

1) Enable DMARC along with your SPF. DMARC is designed to check the other headers (Display From) and check for authorized sending servers. It should rectify this.

2) This is the current method we are using and it seems to be working.

It involves setting up a dictionary containing your Companies Domains. This will be the list that is compared to the incoming email addresses (includes the PRA headers) and if the domain is in the list then it will be quarantined.

You will need to add the other servers that might send on your behalf (if you have a cloud archiving tool, website, newsletter etc) to the WHITELIST/Relaylist under the HAT table.

Here is what I did

* Setup "Internal_Domains_Quarantine" Quarantines on both devices (cluster)

* Setup a dictionary called "Internal_Domains" and added all of our Internal domains. NOTE you should end the domains with $, ie domain.com should be domain.com$ to ensure the domain.com is at the end of the address....this ensures that the emails bouncexxxxjohn.smith=domain.com@senderdomain.com aren't held (as some MTA's use this to stop invalid bounces).

* Add the extra servers to the Relay or Whitelist. For example I would have added 199.202.66.0/24 to the "Relaylist" as we have a cloud archiving solution which sends on our behalf and we dont want these to be stopped.

* Log into the CLI (has to be done through CLI) - Just SSH to your Box.

- Login with an admin account

- Type "filters"

- [You may have to switch to cluster mode. If so pick option 1]

- Type "NEW"

- Paste in the following

Quarantine_Spoofed: if

((mail-from-dictionary-match("Internal_Domains", 1)) OR

(header-dictionary-match("Internal_Domains","From", 1))) AND ((sendergroup !=

"RELAYLIST") AND (sendergroup != "WHITELIST")) {

quarantine("Internal_Domains_Quarantine");

}

.

[Note the "." finishes and should bring you back to the prompt]

- You will need to commit the changes so go back to the main prompt and type "commit" .

As this is probably a live environment it might be a good call to test this on a test or low volume domain and see if it responds as expected.

It is also a good call to keep checking the Quarantine and make sure no valid emails are being caught from say newsletters etc.

You can add a notification piece to notify the user/yourself etc if you like.

If you run into trouble, Login to the CLI again, Type "filters" , go to cluster [1], type "Delete" and select the filter you want to remove.

Then commit the changes and that filter should be removed.

Hope that helps.

grozairo · ‎12-18-2015

one51support,

Thanks for the solutions I will give these a try.

ardiii_890 · ‎12-20-2015

Hi one51support,

Thanks for your email. I looked at the solution you provided. The filter looks at "From" header (header-dictionary-match("Internal_Domains","From"). What if pra header is modified. Is the script working with forged pra headers? Is such of these emails quarantined by the script.

Regards.

one51support · ‎12-23-2015

Yeah it should work with both (including pra headers).