In Anti-Spam, Expression-check everything after DATA or include From
Currently, only the Subject field and the content of the email are checked. Well before V8, maybe in V6, we could add the email address of a departed employee to 'Expressions' to force emails to that person into quarantine.
In most organizations, emails within the organization won't transit the SMTP Proxy. An additional benefit would be that adding the domain would prevent outside emailers from spoofing an internal user in the From field. There is otherwise no mechanism to catch something like the following example that demonstrates a spoof of the company president ordering the treasurer to wire money:
telnet mail.ourdomain.com 25
From: John Madison <firstname.lastname@example.org>
Subject: Urgent purchase - please wire
Jim, I found a real opportunity, please wire $5000 (five thousand) immediately to account #123456789 routing code 123456789 SWIFT Code CITYUS77
I would like this feature too.
Perhaps something like "internal domain" would help.
increase network security
I have this same issue. We have all the email anti-spam features on our SG430 enabled, but still the messages get through. I just learned that the Sophos Email Appliance can be configured to scan entire messages for expressions; it's simply a feature not included in my SG "FullGuard" subscription.
Is this really how Sophos wants it to be? A customer licensed with a full-featured UTM product has to look to add another email protection appliance layer?
Got that same problem today. Is this so complicated to implement? I can't imagine. Thanks and keep up the good work!
Alphonso Samano commented
Also having the spoofing problem due to the FROM: vs ENVELOPE-FROM:
We have SPF set up correctly and working, but when the P2 header is spoofed from our domain, the UTM lets the email through without any issue. Please address this.
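The gap between the envelope sender (MAIL FROM, which SPF evaluates) and the From: header inside DATA, described in the request and the comment above, can be checked as follows. This is an added example, not part of the original thread and not Sophos code; the function names, the `ourdomain.example` domain, the sample message, and the assumption that internal mail never transits the proxy are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: placeholder for the organization's own mail domain(s).
INTERNAL_DOMAINS = {"ourdomain.example"}

# Constructed sample of a message arriving from outside.
SAMPLE = (
    "From: John Madison <john.madison@ourdomain.example>\n"
    "To: jim@ourdomain.example\n"
    "Subject: Urgent purchase - please wire\n"
    "\n"
    "Jim, please wire the funds today.\n"
)

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def check_header_from(envelope_from, raw_message, internal=INTERNAL_DOMAINS):
    """Return (verdict, reason) for one message received from outside.

    envelope_from is the SMTP MAIL FROM address (P1, what SPF checks);
    the From: header in DATA (P2) is what the recipient's client displays.
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    # Zero or several From headers: parsers disagree on which one is shown.
    if len(from_headers) != 1:
        return "quarantine", "from-header-count"
    addrs = [a for _, a in getaddresses(from_headers) if a]
    if not addrs:
        return "quarantine", "from-unparsable"
    hit = {domain_of(a) for a in addrs} & set(internal)
    if not hit:
        return "pass", "from-not-internal"
    # SPF can pass for the external envelope domain while P2 claims ours.
    if domain_of(envelope_from) not in internal:
        return "quarantine", "internal-from-external-envelope"
    # Assumption: internal mail never transits the inbound proxy.
    return "quarantine", "internal-from-on-inbound"

if __name__ == "__main__":
    print(check_header_from("billing@outside.example", SAMPLE))
```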
Computer Support commented
Please add this feature on the next UTM 9 update. We've been getting hit by several emails with the From field spoofed.
Please fix this, it has been such a critical issue.
Martin Stein Frederiksen commented
Please fix this, we are seeing many forged mails with changed envelope set, and customers have SPF and BATV set up but they just pass through!
just add ASSP behind it and all your spoofing issues are solved....
I just created a thread in the community (https://community.sophos.com/products/unified-threat-management/f/56/t/75380) about this same issue because my keyword searches did not find this suggestion thread before I posted!
I can't believe there is currently no way to filter based on strings in the headers. Also, I read there is a size limit on the amount of data that is scanned in the message body so some emails will not be filtered even though you have the proper expressions listed in the Expression Filter.
I voted... Fix this please.
I was able to successfully solve this problem for an Exchange Server 2010 SP3 with the information on this site:
We had the same issue. I hope a function to prevent this will be implemented soon. In the meantime I have to find another solution for this.
Bill Bixby commented
An option not to overwrite the "From:" header would probably be easiest.