
On occasion, a company receives eMail with two header fields (“Received” and “From”) containing data that contradict each other drastically. Should they not expect their anti-spam system to flag or block items with contradictions in these fields?

For example, they received an eMail which contained [almost exactly] these two headers:

Received: from [107.52.51.26] by web315204.mail.ne1.yahoo.com via HTTP; Mon,28 Oct 2013 04:28:04 PDT

From: Barry Smith <smithbsure@att.net>

Obviously, eMail from an @att.net address isn’t coming from a server on the domain yahoo.com, and Yahoo isn’t forwarding AT&T’s eMail. There were no other headers indicating that the item was sent “OnBehalfOf”, or “Forwarded-by”, or “By_Proxy” or any other such.

Should I write a utility to scan incoming eMail for such conflicts, or look more closely at their spam filtering to block this kind of eMail? Their eMail system is Hosted Exchange on MS-365. My central question is, where specifically do I look in MS-365 to get this type of conflicted eMail blocked?

Shane Madden
John Langstaff

1 Answer

Obviously, eMail from an @att.net address isn’t coming from a server on the domain yahoo.com

While that MIGHT be true in this instance, it isn't true for a lot of email.

For instance, you might have a RECEIVED header that says something like:

Received: from [107.52.51.26] by exchange01.domain.local via HTTP; Mon,28 Oct 2013 04:28:04 PDT

and a FROM header like:

From: Barry Smith <smith@domain.com>

The actual server sending (in the Received header) may not be representative of the sender's domain. It might be a mail server that hosts MANY domains or it could be the last leg of an email's path (for instance being routed through a SaaS antivirus/antispam service before delivery).

What you are really after is SPF records for the domain. That is how to look for spam in this instance. They will correspond and tell you whether an email that is coming from bob@domain.com should have come from webmailserver004.sillygoose.net or not.

TheCleaner
  • Specifically, where I am finding in MS-365 a way to get this type of conflicted eMail blocked is in "Exchange admin center", "protection", "content filter", "Advanced spam filtering options", "Conditional Sender ID filtering". – John Langstaff Oct 31 '13 at 20:54
  • 'Turns out Yahoo does now provide eMail server service for AT&T. – John Langstaff Nov 02 '13 at 11:10
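As an added illustration (not code from the question or the answer) of the kind of utility the question considers and the SPF check the answer recommends: pull the connecting IP out of the first Received header and the domain out of From, then evaluate that IP against the domain's SPF record. The SPF records and the DNS table here are constructed and hypothetical; a real check resolves TXT records over DNS and, per RFC 7208, applies SPF to the envelope MAIL FROM rather than the header From (aligning the two is DMARC's job).

```python
import ipaddress
import re

# Constructed sample, modelled on the headers quoted in the question.
SAMPLE_HEADERS = """\
Received: from [107.52.51.26] by web315204.mail.ne1.yahoo.com via HTTP; Mon, 28 Oct 2013 04:28:04 PDT
From: Barry Smith <smithbsure@att.net>
"""

# Hypothetical TXT records standing in for DNS; the real ones must be looked up.
FAKE_DNS_TXT = {
    "att.net": "v=spf1 include:_spf.mail.example.net -all",
    "_spf.mail.example.net": "v=spf1 ip4:107.52.0.0/16 ip4:198.51.100.0/24 -all",
    "domain.com": "v=spf1 ip4:203.0.113.10 -all",
}

def sender_ip(headers):
    """IP in brackets of the first Received header: the host that connected to our edge."""
    m = re.search(r"^Received: from \[(\d+\.\d+\.\d+\.\d+)\]", headers, re.M)
    return m.group(1) if m else None

def from_domain(headers):
    """Domain part of the address in the From header (with or without <> brackets)."""
    m = re.search(r"^From:.*?<?([^<>\s]+)@([A-Za-z0-9.-]+)>?\s*$", headers, re.M)
    return m.group(2).lower() if m else None

def spf_check(ip, domain, dns, depth=0):
    """Minimal SPF evaluator supporting ip4, include and all with the four qualifiers."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = dns.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                   # no SPF published: nothing to enforce
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":         # include matches only if the included record passes
            matched = spf_check(ip, arg, dns, depth + 1) == "pass"
        else:
            matched = name == "all"
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"                    # no mechanism matched and no trailing all

def check_message(headers, dns=FAKE_DNS_TXT):
    """Return (connecting IP, From domain, SPF result) for one message's headers."""
    ip, domain = sender_ip(headers), from_domain(headers)
    if not ip or not domain:
        return ip, domain, "none"
    return ip, domain, spf_check(ip, domain, dns)
```

With the constructed records the sample passes, which mirrors the comment that Yahoo does host AT&T's mail: the Received server's domain says nothing by itself, only the published SPF data does.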