Recommended SPF Content Filters

Michael Bale
Level 1

What are the recommended content filters to set up for responding to SPF?

Accepted Solution

You CAN tell the box to just drop those that fail (it's buried in the CLI somewhere), but that's rather draconian.

We quarantine the ones that fail (e.g. the IP is NOT in the SPF record) to a policy quarantine, and let those that soft fail (can't reach DNS, etc.) through. Or add the right header and it will go to the user quarantine (X-Ironport-Quarantine).

We generally don't release those to the user... instead we give the user a message to send on saying "fix your darn SPF record"... with a link to an SPF checker.


You manually give your internal user the message to send to the sender, rather than using an auto-response via content filter, right?

So you send fail -> policy quarantine, and send softfail -> user quarantine?

Do you make any other content filters for SPF?
Have you noticed any spoofed emails for your domain getting through with these policies?

Yeah... if they call "I didn't get a message that I need from the bank", we reply "The bank tells us that message is spam, here's the proof. Have them call me if they don't like it", with the SPF lookup from DnsStuff.com...

No, just full fails... we don't see softfails for whatever reason.

No other SPF content filters.

We DO use this to protect our domain as well (e.g. mail coming in that purports to be from us), and no, we have no issues with that sort of spoofing getting in.

We've had some spear-phishing get in, but we're using Forged Email Detection (messages that look like they come from "Ken Stiers" get flagged) and have our users going through classes/education using KnowBe4, and they've gotten good at recognizing the bad actors.

Are you using the Forged Email Detection content filter? What are you using for a content dictionary if you are?

I just created a dictionary with a list of the names of our executives and IT.

Have you noticed the Forged Email Detection used much even with SPF enabled?

Yes.

We're seeing mail with an envelope sender of random@gmail.com, and the From: header (which is what users see in Outlook) of "Ken Stieers". But the mail REALLY did come from Gmail, so SPF is all good. So the user THINKS it's from me, because they don't see the email address.

FED fires if the From address is sufficiently like a name in the list.  Its default action is to put the Envelope Sender in the From header, so the user sees the address, and we prepend the subject with [possibly forged]

Ken
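As an added illustration of the FED behaviour Ken describes (this is not the appliance's own code or scoring, which the thread does not show): a From display name close to an entry in the executive dictionary, on an address outside the organisation's own domains, gets the envelope sender put into From and the subject tagged, even though SPF on the sending domain passes. The names, own domains, difflib threshold and tag are assumptions.

```python
import difflib
import email.utils

# Constructed stand-in for the FED content dictionary from the thread:
# the display names of executives and IT staff.
EXEC_NAMES = ["Ken Stieers", "Michael Bale"]
# Assumed: the domains the organization itself sends from (covered by its own SPF).
OWN_DOMAINS = {"example.com"}
# Assumed threshold; the appliance uses its own similarity scoring.
SIMILARITY_THRESHOLD = 0.85
SUBJECT_TAG = "[possibly forged]"


def _normalize(name):
    return " ".join(name.lower().split())


def name_similarity(display_name, dictionary=EXEC_NAMES):
    """Return (closest dictionary name, similarity 0..1) for a From display name."""
    target = _normalize(display_name)
    best, best_score = None, 0.0
    for candidate in dictionary:
        score = difflib.SequenceMatcher(None, target, _normalize(candidate)).ratio()
        if score > best_score:
            best, best_score = candidate, score
    return best, best_score


def check_forged(from_header, envelope_sender, subject, own_domains=OWN_DOMAINS):
    """FED-style check: a look-alike display name on an external address is flagged.
    Returns the verdict plus the From and Subject as the user would then see them."""
    display, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    matched, score = name_similarity(display) if display else (None, 0.0)
    hit = matched if score >= SIMILARITY_THRESHOLD else None
    # Mail from our own domain carrying an exec name is left alone here;
    # SPF on that domain is what protects it from outright spoofing.
    if hit is None or domain in own_domains:
        return {"forged": False, "from": from_header, "subject": subject, "match": None}
    # Default action from the thread: surface the envelope sender in From
    # and prepend the subject tag, rather than blocking outright.
    return {
        "forged": True,
        "from": envelope_sender,
        "subject": f"{SUBJECT_TAG} {subject}",
        "match": hit,
    }
```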

How does FED differentiate legitimate mail from "Ken Stieers" from forged mail? Do you have many cases where it blocks legitimate messages from C-level executives?

How does it handle personal email addresses (that may use their name and Gmail but are legitimate)?

That's one of the reasons we don't block, just prepend...

I think there's a check if the envelope sender and From header match?? But I can't remember off the top of my head...

Ken, thanks a lot for your help.  

What are you using for your mail flow policy default?

I have it set up as:

SIDF Compatible
Downgrade PRA: Yes
Helo Test: No
Conformance: SPF
Helo test: On

Libin Varghese
Cisco Employee

Hi Michael,

I do not think there is a recommended filter that works for all as it comes down to the requirement of the receiving organization.

The simplest filter condition would be spf-status == fail

This can be modified to take action on other status as well:

The first term in the header's value is the ultimate verdict rendered, and will be one of the following seven values:

1. None - no verification can be performed due to the lack of information.
2. Pass - the client is authorized to inject mail with the given identity.
3. Neutral - the domain owner does not assert whether the client is authorized to use the given identity.
4. SoftFail - the domain owner believes the host is not authorized to use the given identity but is not willing to make that strong of a statement.
5. Fail - the client is not authorized to inject mail with the given identity.
6. TempError - a transient error occurred during verification.
7. PermError - a permanent error occurred during verification.

Content filters can be written to act upon the values above as the customer desires.

Thank You!

Libin Varghese
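An added example (not from the thread or the appliance) of acting on those seven verdicts the way Ken's and Libin's replies describe: read the first term of a Received-SPF header, map it to an action, and for the user-quarantine case add the X-Ironport-Quarantine header. The policy table, the header value and the sample headers are constructed assumptions; a malformed or missing verdict is deliberately treated as "none", never as pass.

```python
# The seven Received-SPF verdicts listed above, lowercased for comparison.
VERDICTS = {"none", "pass", "neutral", "softfail", "fail", "temperror", "permerror"}

# Assumed policy mirroring the thread: hard fail -> policy quarantine,
# softfail -> user quarantine via the header, anything else delivered.
POLICY = {"fail": "policy_quarantine", "softfail": "user_quarantine"}
QUARANTINE_HEADER = "X-Ironport-Quarantine"
QUARANTINE_VALUE = "spf-softfail"  # constructed value; the thread names only the header


def spf_verdict(received_spf):
    """Return the verdict, i.e. the first term of a Received-SPF value, lowercased.
    Empty or unrecognised first terms map to 'none' so they can never count as pass."""
    terms = received_spf.strip().split(None, 1)
    first = terms[0].lower() if terms else ""
    return first if first in VERDICTS else "none"


def route(headers, policy=POLICY):
    """headers: dict of header name -> value (case-insensitive lookup).
    Returns (verdict, action, headers) with the quarantine header added when needed."""
    value = next((v for k, v in headers.items() if k.lower() == "received-spf"), "")
    verdict = spf_verdict(value)
    action = policy.get(verdict, "deliver")
    out = dict(headers)
    if action == "user_quarantine":
        out[QUARANTINE_HEADER] = QUARANTINE_VALUE
    return verdict, action, out


# Constructed sample headers, in the shape a receiving MTA writes them.
SAMPLES = {
    "hard_fail": {"Received-SPF": "Fail (mx.example.com: domain of spoofed@example.com "
                                  "does not designate 203.0.113.5 as permitted sender)"},
    "soft_fail": {"Received-SPF": "SoftFail (mx.example.com: transitioning domain of "
                                  "partner.example does not designate 198.51.100.7)"},
    "pass": {"received-spf": "Pass (mx.example.com: domain of ken@example.com designates "
                             "192.0.2.10 as permitted sender)"},
    "missing": {"Subject": "no spf header at all"},
}


def route_samples():
    """Run every sample through route(); returns {name: (verdict, action)}."""
    return {name: route(h)[:2] for name, h in SAMPLES.items()}
```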

What type of false positives can I expect if I end user quarantine soft fails?  Hard fails I plan on using policy quarantine.  Is it common to quarantine softfail or let them go untouched?

Should we make a content filter for any of the other statuses or leave them be?