Wednesday, 20 January 2016

Block spoofed email - Part 2 | Exchange 2010 - 2016

Introduction


In part 1, I demonstrated how to set up Exchange to block spoofed email where the sending domain has a valid SPF record using the -all mechanism (HardFail).

So, what happens when you want to block or identify SoftFails also? I’ll show you how to do this in these instructions.

First, make sure that you have gone through at least these steps from part 1 before continuing:
  • Create an SPF record for your domain configured with a hard fail
  • Configure the InternalSMTPServers property on your transport servers
  • Install the Anti-Spam agents on Exchange
Now that you've done that, we can continue. We’ll break these instructions down into three steps:
  • SPF results in message headers (how to identify SPF SoftFails)
  • How to block or mark an SPF soft fail email in Exchange 2010
  • How to block or mark an SPF soft fail email in Exchange 2013 or 2016

SPF results in message headers (how to identify SPF SoftFails)


Here’s an example of a junk email that made it through the SenderID check that we configured in part 1 because it was not actually an SPF HardFail:

Received: from direct-soho-210-158-67.cbn.net.id (210.210.158.67) by
svr01.domain.co.uk (192.168.0.8) with Microsoft SMTP Server id 14.3.224.2;
Wed, 13 Jan 2016 11:36:02 +0000
From: Avril Sparrowhawk <Avril.Sparrowhawk@lescaves.co.uk>
To: "mark@domain.co.uk" <mark@domain.co.uk>
Subject: CWIH8974 PAYMENT RECEIVED
Date: Wed, 13 Jan 2016 18:36:18 +0700
Message-ID: <57B2F503302A134BB06611F503C0E502143C82B4@domain.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.0.0.89]
Content-Type: multipart/mixed;
    boundary="_006_57B2F503302A134BB06611F503C0E502143C82B4LCDPMAIL2lescav_"

X-Original-To: accounts@trinityrestaurant.co.uk
X-Virus-Scanned: ClamAV using ClamSMTP
Return-Path: Avril.Sparrowhawk@lescaves.co.uk
MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: svr01.domain.co.uk
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: lescaves.co.uk
X-MS-Exchange-Organization-SenderIdResult: SoftFail
Received-SPF: SoftFail (svr01.domain.co.uk: domain of transitioning
Avril.Sparrowhawk@lescaves.co.uk discourages use of 210.210.158.67 as
permitted sender
)


As you can see from the message headers, this is a SoftFail. We can't use the Exchange SenderID Transport Agent to block it as we did in part 1, because the agent only offers a reject action for an SPF HardFail; it has no equivalent option for a SoftFail.

So, we can’t use the SenderID agent but we can create an Exchange Transport Rule to review the message headers for us and look for SoftFail in the Received-SPF header. I’ll demonstrate how to create this rule in Exchange 2010 - 2016 below.
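To show what the transport rule below is keying on, here is an added PowerShell example (not code from the original post) that unfolds a raw header block, pulls out the Received-SPF and X-MS-Exchange-Organization-SenderIdResult verdicts, and flags a SoftFail. The header text it runs against is a constructed, cut-down copy of the headers above; the function name Get-SpfResult is my own.

```powershell
# Added example, not code from the original post: extract the SPF verdict from
# a raw header block so a SoftFail can be spotted without reading the headers
# by hand. Paste the text from a message's header view into -RawHeaders.
function Get-SpfResult {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # RFC 5322 folding: a line that begins with whitespace continues the
    # previous header line, so join those back together before matching.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '

    $found = @()
    foreach ($line in ($unfolded -split "`r?`n")) {
        # Received-SPF: <result> (<explanation>)  e.g. "SoftFail (host: domain of ...)"
        if ($line -match '^Received-SPF:\s*(\S+)\s*(?:\((.*)\))?\s*$') {
            $found += [pscustomobject]@{
                Header = 'Received-SPF'
                Result = $Matches[1]
                Detail = $Matches[2]
            }
        }
        # The SenderID agent from part 1 records its own verdict in this header.
        if ($line -match '^X-MS-Exchange-Organization-SenderIdResult:\s*(\S+)') {
            $found += [pscustomobject]@{
                Header = 'X-MS-Exchange-Organization-SenderIdResult'
                Result = $Matches[1]
                Detail = $null
            }
        }
    }
    return $found
}

# Constructed sample: a shortened copy of the headers shown above, with the
# continuation lines indented as they are in a raw message.
$sampleHeaders = @'
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: lescaves.co.uk
X-MS-Exchange-Organization-SenderIdResult: SoftFail
Received-SPF: SoftFail (svr01.domain.co.uk: domain of transitioning
 Avril.Sparrowhawk@lescaves.co.uk discourages use of 210.210.158.67 as
 permitted sender
 )
'@

$verdicts = Get-SpfResult -RawHeaders $sampleHeaders
$verdicts | Format-Table -AutoSize

# This is the condition the transport rule in the rest of the post tests for.
$softFail = $verdicts | Where-Object { $_.Header -eq 'Received-SPF' -and $_.Result -ieq 'SoftFail' }
if ($softFail) {
    Write-Output 'SPF SoftFail: the sending host is not authorised by the sender domain (~all)'
}
```

Run it in any PowerShell session; nothing here touches Exchange. Both headers are reported because the SenderID agent's verdict is what Exchange itself acts on, while Received-SPF is the header the transport rule inspects.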

How to block or mark an SPF SoftFail email in Exchange 2010:


Open up the Exchange Management Console using an account that is a member of the Organization Management group and expand down to Organization Configuration > Hub Transport:


In the right hand pane, click on "New Transport Rule":


Give your new transport rule a name such as "SPF SoftFail" and click Next:


On the next screen, select “when the message header contains specific words”:


Click on “message header” in the bottom pane, enter “Received-SPF” and click OK:


Now, click on “specific words” in the bottom pane, enter “SoftFail”, click Add then click OK:


Also tick the option “from users that are inside or outside the organization” and select “Outside the organization”. You should now see that this transport rule applies to messages when the Received-SPF header contains SoftFail and the message is from a sender outside the organization. The second condition stops the rule acting on internal email relayed from servers whose IP addresses are not included in the SPF record for your domain:


Go ahead and click Next. You’re now prompted with a list of actions to choose to apply to the email. You can apply any action you like such as:
  • prepend message subject with string (to notify the recipient that this email could be potentially harmful)
  • forward the message to addresses for moderation (e.g. to forward to an Administrator to check the domain is valid and configure an exception for the domain if needed then approve the email for delivery to the end user)
  • redirect the message to addresses (e.g. forward to a spam mailbox)
  • send rejection message to sender with enhanced status code (reject the message with custom error)
I'll demonstrate how to prepend a string to the subject line and also how to reject the email. 

To prepend the message subject with the string “POTENTIAL SPAM (SPF SoftFail)” to notify users that they should be vigilant when opening this email, tick "prepend message subject with string" and enter your custom string in the bottom pane as below:


If you want to block the email instead of prepending a string to the subject line, then in the actions window, instead of selecting “prepend message subject with”, select “send rejection message to sender with enhanced status code”:


Create a rejection message such as “SPF SoftFail” and select an enhanced status code such as "5.7.1":


Once done, complete the wizard, selecting the defaults.

If you’ve chosen to prepend a string to the subject line then SPF SoftFail emails will be marked like this email:


How to block or mark an SPF SoftFail email in Exchange 2013 or 2016:


Log into the Exchange Admin Center using an admin account that is a member of the Organization Management group then click on mail flow then rules:


Click on the + icon then click on “Create a new rule” and provide a name for your new rule such as SPF SoftFail:


Click on “more options…” to make the message header options visible. Once done, click on the “Apply this rule if…” drop down, select “A message header…” then select “matches these text patterns” as below:


Click on “Enter text…” and enter Received-SPF then click OK:


Then click on “Enter text patterns…” and enter SoftFail then the + icon then click OK:


We need to ensure that this rule only applies to external senders, so we add a condition that the sender is outside the organization. This prevents problems with printers or other servers that relay through Exchange without having their IPs on the SPF record (if you’re using a SoftFail on your own record). To do this, click on “add condition” and select “The sender…is external/internal”:


Select “Outside the organization” then click OK:


We can now select an action for the message. As with the Exchange 2010 instructions, I’ll demonstrate how to prepend a string to the message subject and also how to reject the email:

To prepend a string to the message subject, select “prepend the subject of the message with…” (funnily enough!) and enter the text you want to add to the beginning of the subject line, such as “POTENTIAL SPAM (SPF SoftFail)”, then click OK then Save:


If you would rather reject this email, then instead of selecting the action “prepend the subject of the message with…”, select “Block the message…reject the message with the explanation” and enter an explanation such as SPF SoftFail:


Once done, click Save. Your rule is now enabled.
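The same rule that the Exchange 2010 console and the 2013/2016 EAC walkthroughs build can be created from the Exchange Management Shell. The block below is an added example, not from the original post, and assumes a shell already connected to an Exchange 2010-2016 organization with Organization Management rights; the rule name and subject prefix are the ones used in the walkthrough. New-TransportRule, Get-TransportRule and the parameters shown are the standard Exchange cmdlets and parameters.

```powershell
# Added example, not code from the original post: build the SPF SoftFail rule
# from the Exchange Management Shell. Assumes an Exchange 2010-2016 shell with
# Organization Management rights. Create ONE of the two variants, not both.

# Variant 1 (mark): prepend the subject of external mail whose Received-SPF
# header contains "SoftFail". -FromScope NotInOrganization is the "sender is
# outside the organization" condition that keeps internal relays (printers,
# application servers not listed in your own SPF record) out of scope.
New-TransportRule -Name 'SPF SoftFail' `
    -HeaderContainsMessageHeader 'Received-SPF' `
    -HeaderContainsWords 'SoftFail' `
    -FromScope NotInOrganization `
    -PrependSubject 'POTENTIAL SPAM (SPF SoftFail) '

# Variant 2 (block): reject with the custom reason and the 5.7.1 enhanced
# status code used in the walkthrough. Uncomment to use instead of variant 1.
# New-TransportRule -Name 'SPF SoftFail' `
#     -HeaderContainsMessageHeader 'Received-SPF' `
#     -HeaderContainsWords 'SoftFail' `
#     -FromScope NotInOrganization `
#     -RejectMessageReasonText 'SPF SoftFail' `
#     -RejectMessageEnhancedStatusCode '5.7.1'

# The EAC condition "matches these text patterns" used in the 2013/2016 steps
# corresponds to the pattern parameters rather than the word parameters:
#   -HeaderMatchesMessageHeader 'Received-SPF' -HeaderMatchesPatterns 'SoftFail'

# Confirm the rule exists, is enabled and carries the conditions you expect.
Get-TransportRule -Identity 'SPF SoftFail' |
    Format-List Name, State, Priority, FromScope, HeaderContainsMessageHeader, HeaderContainsWords, PrependSubject
```

Because transport rules only see the Received-SPF header that the SenderID agent stamps, the agent from part 1 must be installed and enabled on the receiving transport server, or the rule will never match. If you later need to allow a legitimate domain that publishes ~all, add an exception to this rule rather than disabling it.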

Conclusion


In part 2, I’ve demonstrated how to block, or notify the end user about, emails that fail the SPF check with a SoftFail rather than a HardFail.
In an upcoming post, I’ll show you how to only accept emails from particular domains if they pass the SPF check.

3 comments:

  1. Hi Mark,

    Your guide is very helpful, thanks for that.
    I only have one problem with a group of users.
    We use Exchange 2010 and use the "prepend message subject..." action. For that group of users the subject prepend does not show in the main pane. Only when they open the mail, or in the reading pane, does it show the renamed subject. Do you know where to look to solve this?

    Regards,
    Chris

  2. Teckassist.us provides support for most of the email issues. Our technicians are well trained to identify the issue/s and provide support accordingly. Some of the issues may require remote access of the computer. So give us a call on +1-888-511-0014 and let us take care of all your email related problems.

  3. I assume I can use this method to unblock 'SoftFail' emails as well? Our Exchange 2010 blocks some legit emails with 'SoftFail'
