Antispoofing does not work when spoofing MIME address
We have received several very hard to spot spoofed addresses that get through the Antispoofing filter but show up in Outlook as a local account because the MIME information is using the internal domain. Antispoofing should be looking at not just the SMTP headers but also any MIME information and have the ability to block/mark/etc any emails with a spoofed domain in the MIME From information.
This feature is released.
Please upgrade to the latest version v21.5 and install all Patches. https://upgrades.gfi.com
It is available as part of the header Checking Anti-Spam module.
Miguel Kingsley commented
Hello, could you please tell me exactly what the option to select is called?
"No new build is available."
What version/build is this feature released in?
No new build available. What version/build is this released in?
"Please upgrade to the latest version"?
I am running Version:21.4 Build:20180913 and when I check for updates "No new build is available".
How do we get this?
Anthony Hurley commented
As per previous comments, these types of email occur on a regular basis, which in turn increases the number of support calls to our internal helpdesk. Although these emails are easy to spot, the nature of the content causes enough concern to the end user to report these, thus wasting time. Therefore a filter to stop these is needed ASAP.
Philip Sung commented
Please add this feature, it's kind of pointless to have an anti-spoof feature that only checks SMTP and not MIME. It makes the admin think we are protected against spoof emails, only for the users to get them.
Patrick Hardy commented
We need this feature asap. Much pressure from customers to stop this plague. Barracuda stops this easily and we need a solution or GFI will be gone for all our customers soon.
Adrian Drob commented
In my company we receive this kind of mail daily and the users think they are sent from the address in MIME as shown in Outlook. Many of them are forwarded to the IT dept., but some are also sent to the payment dept. or contain infected attachments, and this is very annoying. We cannot enable SPF because we have some collaborators that for some reasons have misconfigured their email servers; better to receive some spam than miss important mails. As Sascha Huck said, there should be an option that compares MIME FROM and SMTP FROM; this should solve the problem. Thanks.
Mike Adam commented
>Is SPF configured on your domain and also do you have SPF checking enabled?
Yes, SPF only checks on SMTP FROM, not MIME FROM.
Please take care of this soon; these are the spoofing mails GFI ME can't block technically, and the users do not recognize these mails as SPAM.
Alan Brito commented
SPF also works at SMTP level so in this case the proposed workaround does not solve the issue
Is SPF configured on your domain and also do you have SPF checking enabled?
Scott Goodman commented
Definitely need a solution. We are getting CEO fraud emails daily.
Sascha Huck commented
Very helpful would be an option to compare MIME FROM and SMTP FROM, similar to the option you already have with MIME TO/SMTP TO in the Header checking section.
MS Services commented
This issue is very critical and should be addressed!
Vagios Posotidis commented
This Feature is very important for us too.
We have a big problem with spam mails like this!!
Vagios Posotidis commented
We are very disappointed by the lack of this feature. Please act ASAP!
Ben Rheault commented
We are getting hammered by spoofed MIME From addresses
Steve Hodges commented
GFI is a premier software package.... Not having this feature is a serious downgrade and disadvantage to this email solution. If it is true that this lack of feature has been known since 2015 - it really is hard to understand why it has not been implemented already. Come on GFI design and management team... Do something about this and fix it. With the way things are now, this feature really should be a baseline program feature. Don't let your customers and your software suffer... remember - we as customers use your software because it works and works well and has the features we need... HOWEVER... when it no longer provides the protection we need... we will look and go elsewhere...
Frank Vilece commented
This is a very important and basic feature and should be acted upon immediately. I can't believe this feature has not been implemented. It was pointed out in 2015! Why in the world would GFI only concern itself with return path when the user will see the MIME FROM? We have clients failing Spoof testing and being advised by security consultants to rectify this ASAP, and so far GFI has not been able to solve this the way it should!
Simon Atkin commented
Also note previous "workarounds" involving white and blacklisting internal domains are not acceptable, both because that functionality has been removed by GFI anyway for local domains, and even if it hadn't, there are no exceptions based on e.g. SPF or antispoofing authorized IPs.
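
The check requested in this thread (compare MIME FROM with SMTP FROM, with an exception for authorized sending IPs), sketched as an added example that is not GFI MailEssentials code. The domain `example.com`, the relay network, the function names and the sample message are constructed for illustration.

```python
import ipaddress
from email import message_from_string, policy
from email.utils import getaddresses

# Assumed configuration (constructed values, not from the thread).
LOCAL_DOMAINS = {"example.com"}
AUTHORIZED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # own outbound relays

# Constructed sample: envelope and header disagree, header claims a local domain.
SAMPLE = (
    'From: "CEO Name" <ceo@example.com>\r\n'
    "To: payments@example.com\r\n"
    "Subject: Urgent transfer\r\n"
    "\r\n"
    "Please pay the attached invoice today.\r\n"
)


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rpartition("@")[2].strip().lower() if "@" in address else ""


def check_mime_from(raw_message, envelope_from, client_ip):
    """Compare the MIME From header with the SMTP envelope sender and client IP."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_headers = [str(h) for h in msg.get_all("From", [])]
    header_domains = {domain_of(addr) for _, addr in getaddresses(from_headers)}
    header_domains.discard("")
    # Outlook shows the header From, so a missing or repeated one is ambiguous.
    if len(from_headers) != 1 or not header_domains:
        return "reject: missing or duplicated From header"
    ip = ipaddress.ip_address(client_ip)
    authorized = any(ip in net for net in AUTHORIZED_NETS)
    # A local domain in MIME From is only legitimate from our own relays.
    if header_domains & LOCAL_DOMAINS and not authorized:
        return "spoofed: local domain in MIME From from unauthorized IP"
    # SMTP FROM vs MIME FROM comparison suggested in the thread.
    if domain_of(envelope_from) not in header_domains:
        return "mismatch: MIME From domain differs from SMTP MAIL FROM"
    return "ok"


if __name__ == "__main__":
    print(check_mime_from(SAMPLE, "bounce@mailer.invalid", "203.0.113.7"))
```

A plain envelope/header mismatch is normal for mailing lists and bulk senders, so it is better suited to marking than blocking; the local-domain rule is the one aimed at the spoofing described in this thread.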