Tricky Sender - A custom filter
On December 05, 2017, Sabri Haddouche published an article on
explaining how to craft emails
that can easily forge the sender's identity. He found bugs in 33 different products, including the popular ones from Microsoft, Apple, and Mozilla.
There are some important points to note regarding this discovery:
- The actual forgery is embedded in the FROM header of the actual message
- The message can carry a valid DKIM signature and be sent from an IP address the sending domain has authorized, so none of SPF, DKIM, or DMARC will fail
- Most email servers will neither detect nor care about this trick, since the MAIL FROM in the envelope is not forged
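Because the envelope is clean, a filter has to look at the FROM header itself. The following is an added example (not Xeams code, and not from Sabri's article) of a custom scoring check: it decodes the RFC 2047 encoded-words in a From: header and adds points when the decoded display name hides a second email address or contains control characters. The sample headers are constructed here; the assumed shape of the forged header (an encoded display name carrying another address plus a NUL/CRLF) is an assumption of this example, not a detail stated on this page.

```python
import base64
import re
from email.header import decode_header

# Any C0 control character or DEL; none of these belong in a decoded display name.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def encoded_word_pieces(raw_header):
    """Return the decoded text of every RFC 2047 encoded-word in the header.
    Unencoded pieces are skipped: the checks only care about what was hidden
    inside =?charset?encoding?...?= segments, where a client may mis-render it."""
    pieces = []
    for value, charset in decode_header(raw_header):
        if charset is None:
            continue  # plain text, not an encoded-word
        try:
            pieces.append(value.decode(charset, errors="replace"))
        except LookupError:  # unknown charset label; keep the bytes inspectable
            pieces.append(value.decode("latin-1"))
    return pieces


def score_from_header(raw_header):
    """Score a From: header the way a custom filter would: each suspicious
    trait adds points and a reason. A clean header scores 0 with no reasons."""
    score, reasons = 0, []
    for text in encoded_word_pieces(raw_header):
        if CONTROL_CHARS.search(text):
            score += 50
            reasons.append("control characters inside encoded display name")
        if "@" in text:
            score += 30
            reasons.append("email address hidden inside encoded display name")
    return score, reasons


def _encoded_from(display_name_bytes, address):
    """Build a From: header whose display name is a base64 encoded-word (constructed sample)."""
    word = base64.b64encode(display_name_bytes).decode("ascii")
    return f"=?utf-8?b?{word}?= <{address}>"


# Constructed samples for the checks above, not real messages.
BENIGN_FROM = _encoded_from("Alice Müller".encode("utf-8"), "alice@example.com")
# Assumed forged shape: the display name smuggles a second address and a NUL/CRLF.
TRICKY_FROM = _encoded_from(b"ceo@example.com\x00\r\n", "sender@example.net")

if __name__ == "__main__":
    print(score_from_header(BENIGN_FROM))  # (0, [])
    print(score_from_header(TRICKY_FROM))  # (80, [...two reasons...])
```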
What can you do?
Although it can take some time before every client is updated, you can certainly block these messages from getting
into your network by using the latest version of Xeams. The exact build number containing this fix is 5968.
How to confirm that the fix is working
Sabri not only pointed out the problem but also created a demo to test it. You can generate 14 emails containing different variations of the problem. Xeams should be able to catch them and assign a score.