Tricky Sender - A custom filter

On December 05, 2017, Sabri Haddouche published an article explaining how to craft emails that easily forge the sender's identity. He found bugs in 33 different products, including popular ones from Microsoft, Apple, and Mozilla.

There are some important points to note regarding this discovery:

  • The forgery itself is embedded in the From header of the message
  • Such a message can carry a valid DKIM signature and can be sent from an IP address the sending domain has authorized, so SPF, DKIM and DMARC all pass
  • Most email servers do not detect this, because the MAIL FROM address in the SMTP envelope is not forged, and the envelope is what they check
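As an added illustration of why the envelope check in the last point is not enough, here is a small Python filter that is not part of Xeams and not taken from the original article: it decodes the From header's display name (RFC 2047 encoded-words) and scores the message when that name contains control characters or an email address that differs from the real addr-spec. The sample headers, the scoring weights and the two heuristics are my own assumptions; the demo's actual variations may differ.

```python
import re
from email.header import decode_header
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

def decode_display_name(raw_name: str) -> str:
    """Decode RFC 2047 encoded-words in a display name into one str."""
    parts = []
    for chunk, charset in decode_header(raw_name):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)

def envelope_aligned(raw_from: str, envelope_from: str) -> bool:
    """The usual server check (header From domain == MAIL FROM domain); it
    passes for these messages because the addr-spec itself is not forged."""
    _, addr = parseaddr(raw_from)
    return addr.rpartition("@")[2].lower() == envelope_from.rpartition("@")[2].lower()

def score_from_header(raw_from: str) -> tuple[int, list[str]]:
    """Return (score, reasons) from inspecting the decoded display name."""
    name, addr = parseaddr(raw_from)
    shown = decode_display_name(name)
    score, reasons = 0, []
    # A decoded display name should never contain NUL, CR, LF or other control
    # characters; a client that stops rendering there shows a wrong sender.
    if CONTROL_RE.search(shown):
        score += 50
        reasons.append("control character in decoded display name")
    # An address-looking string in the display name that differs from the real
    # addr-spec shows the user one sender while the mail is delivered as another.
    for candidate in ADDR_RE.findall(shown):
        if candidate.lower() != addr.lower():
            score += 30
            reasons.append(f"display name shows {candidate}, addr-spec is {addr}")
            break
    return score, reasons

if __name__ == "__main__":
    # Constructed (header value, envelope MAIL FROM) pairs; none are real mail.
    for raw_from, env in [
        ("Alice Example <alice@example.com>", "alice@example.com"),
        ("=?utf-8?Q?ceo=40example.com=00?= <bulk@example.net>", "bulk@example.net"),
    ]:
        print(envelope_aligned(raw_from, env), score_from_header(raw_from))
```

Note that envelope_aligned returns True for both samples, while only the second one receives a score.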

What can you do?

Although it may take some time before every email client is patched, you can block these messages before they enter your network by using the latest version of Xeams. The exact build number containing this fix is 5968.

How to confirm that the fix is working

Sabri was kind enough not only to point out the problem but also to create a demo for testing it. The demo generates 14 emails, each containing a different variation of the problem. Xeams should catch all of them and assign each a score.