To be clear, I was speaking of blocking the unknown domains with a web filter.
Stop the click on that end; I am a huge proponent of that.

Also look at the source: are they using a common ISP? You could nuke that whole
range. Also look to see if they are setting up proper DNS. If not, you could
block that. I call it full circular DNS. Many spam filters will check for it;
I believe Exchange does it under Sender Reputation.

Connection from:            192.168.10.10
DNS for 192.168.10.10   =   mailout.phishdomain.com
mailout.phishdomain.com =   192.168.10.10

Most major ISPs require this to send to them, so it is unlikely that you will nuke
any legit email. And if you do, shame on the sending admin.
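The round trip described above (PTR for the connecting address, then A for the name the PTR returned, then compare) is what is usually called forward-confirmed reverse DNS. The check below is an added example, not code from the thread or from any of the products mentioned in it. It runs against constructed PTR/A tables so it works offline; the `live_ptr`/`live_a` functions show the same check against real DNS. The "generic ISP pool name" heuristic and its word list are an assumption of this example, not something the thread proposes.

```python
import ipaddress
import re
import socket

# Constructed PTR and A data standing in for real DNS, so the check runs
# offline. Every name and address here is made up for the example.
FAKE_PTR = {
    "192.168.10.10": ["mailout.phishdomain.com"],    # full circle: PTR -> A -> same IP
    "192.168.10.11": ["mailout.phishdomain.com"],    # PTR exists, but the A record points elsewhere
    "192.168.10.12": [],                             # no PTR at all
    "192.168.10.13": ["10-13.dyn.example-isp.net"],  # round trip OK, but a generic ISP pool name
}
FAKE_A = {
    "mailout.phishdomain.com": ["192.168.10.10"],
    "10-13.dyn.example-isp.net": ["192.168.10.13"],
}

def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])

def fake_a(name):
    return FAKE_A.get(name, [])

def live_ptr(ip):
    """Real reverse lookup; returns [] when the address has no PTR."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:          # socket.herror / socket.gaierror both derive from OSError
        return []

def live_a(name):
    """Real forward lookup; returns [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

# Assumption of this example: reverse names that look like a consumer or
# dynamic pool are not what a deliberately configured mail server uses.
GENERIC_RDNS = re.compile(r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|dsl|cable|client)([.-]|$)", re.I)

def fcrdns(ip, ptr=fake_ptr, a=fake_a):
    """Forward-confirmed reverse DNS ("full circular DNS" in the thread).

    Returns (verdict, detail):
      "pass"     some PTR name of ip has an A record back to ip
      "generic"  the round trip passes but the name looks like an ISP pool
      "fail"     no PTR, or no PTR name resolves back to ip
    Pass ptr=live_ptr, a=live_a to run it against real DNS.
    """
    ip = str(ipaddress.ip_address(ip))   # normalise, and reject garbage input early
    names = ptr(ip)
    if not names:
        return "fail", "no PTR record"
    for name in names:
        name = name.rstrip(".").lower()
        if ip in a(name):                # forward record must contain the connecting IP
            if GENERIC_RDNS.search(name):
                return "generic", name
            return "pass", name
    return "fail", "PTR name(s) do not resolve back to %s: %s" % (ip, ", ".join(names))

def smtp_action(ip, ptr=fake_ptr, a=fake_a):
    """Map the verdict to what an MTA front door would do with the connection."""
    verdict, _ = fcrdns(ip, ptr, a)
    return {"pass": "accept", "generic": "defer", "fail": "reject"}[verdict]

if __name__ == "__main__":
    for addr in sorted(FAKE_PTR):
        print(addr, fcrdns(addr), smtp_action(addr))
```

One practical caveat when turning this on at an MTA: a deferral (4xx) on the "generic" case is safer than a hard reject, since a mis-tagged legitimate sender will retry and show up in your logs, whereas a 5xx silently drops their mail.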

From: [email protected] [mailto:[email protected]] On 
Behalf Of Patrick Whiteside
Sent: Tuesday, July 28, 2015 10:25 AM
To: '[email protected]'
Subject: [Exchange] RE: Reject mail from 'similar' mail domains

Spear phishing. This is a targeted attack and the mails we're seeing are
purporting to come from legitimate internal users. Senior execs authorising
bank transfers, that kind of thing.

Interesting point from both you and Kurt there on blocking unknown domains. It's
not a feature I've seen, but I'll investigate with our mail filter host.

Interestingly, they do support the ability to block sender domains either with a
big list or by creating a regular expression, so we can perhaps block there
rather than at the mail server. For the record, we use Fuse Mail.

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: 28 July 2015 15:14
To: '[email protected]'
Subject: [Exchange] RE: Reject mail from 'similar' mail domains

Are these phishing attacks?

You could also attack the problem via a good web filter, and block 'unknown'
domains and stop the user clicks. If it is a new domain that the filter
company has never seen, it will be unknown and you can block on that category.
But you have to be very careful: many filters are really bad on unknowns and
their list of unknowns is too big. Barracuda and iBoss are two that I know are
good at this; I am sure there are others. M86/Trustwave is not.

That doesn't fix the emails in the inbox, but it would mitigate the risk.

From: [email protected] [mailto:[email protected]] On Behalf Of Patrick Whiteside
Sent: Tuesday, July 28, 2015 6:57 AM
To: '[email protected]'
Subject: [Exchange] Reject mail from 'similar' mail domains

We have a client who is under a fairly targeted attack, and it doesn't seem to
be abating. They've asked us to see if we can help to limit their exposure.

One of the things that has proven to be most dangerous is the attacker 
controlling domains that are similar to their actual mail domain (and using 
this to spoof email).

We are in the process of occupying as many of the obvious additional domains as
possible, but due to the nature of the URL it's quite susceptible to deliberate
typos and letter transposition, at which point, with the 1000-odd TLDs
available, buying all the domains becomes a fairly significant outlay.

What I'm wondering is: is it possible to apply a filter in Exchange 2010 to
inbound mail to reject email that matches a specific string, set of
strings, or regular expression? If so, how?

Thanks,
Patrick

Patrick Whiteside | Senior Engineer
T | 0845 458 00 90
F | 0870 421 59 24
W | blue256.co.uk<http://blue256.co.uk/>
Head Office | Saxon House, Hellesdon Park Road, Norwich, NR6 5DR
This email is confidential and may well also be privileged. If you have 
received it in error you are on notice of its status. Please notify us 
immediately by reply email and then delete this message from your system. 
Please do not copy it or use it for any other purpose, or disclose its content 
to any other person. To do so could be a breach of confidentiality. All emails 
and any attachments are believed to be virus free, however, all emails should 
be virus checked before being downloaded and we accept no responsibility 
therefore. Please contact our offices on 0845 458 00 90 or email 
[email protected]<mailto:> if you need assistance.
Blue256 Limited Registered Office: Saxon House, Hellesdon Park Road, Drayton 
High Road, Norwich NR6 5DR
Company Registration Number: 05015705
Company Registered in England and Wales
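Both the original question (reject inbound mail whose sender matches a string or regular expression) and the later note that the filter host can block sender domains by regex come down to the same problem: deciding whether a From: domain is a look-alike of the client's real one. The code below is an added example, not code from the thread, from Exchange or from Fuse Mail. The target domain `examplecorp.com`, the homoglyph table and the edit-distance budget are all assumptions of the example. `classify()` is the check you would run in a filter hook that accepts code; `lookalike_regex()` produces the pattern for a filter that only takes regular expressions, and shows why the regex alone catches less. Exchange 2010 transport rules can match the sender address against patterns (the FromAddressMatchesPatterns predicate in the Exchange Management Shell), so the generated pattern can be used there as well as at a hosted filter.

```python
import re
import unicodedata

# Constructed target domain for the example; substitute the client's real one.
LEGIT_DOMAIN = "examplecorp.com"

# Characters and pairs that read as another letter in a proportional font.
# This table is an assumption of the example, not something from the thread.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "rn": "m", "vv": "w", "cl": "d"}

def normalize(label):
    """Fold case, Unicode compatibility forms and look-alike characters."""
    s = unicodedata.normalize("NFKC", label).lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s

def levenshtein(a, b):
    """Edit distance; cheap enough to run per message in a filter hook."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender, legit=LEGIT_DOMAIN, allow=frozenset()):
    """Return "internal", "allowed", "lookalike" or "external" for a From: address.

    Assumes the first label of legit is the brand name ("examplecorp" for
    examplecorp.com). Very short brand names need a tighter edit budget than
    the one chosen below, or they will collide with ordinary words.
    """
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain == legit or domain.endswith("." + legit):
        return "internal"      # verify these with SPF/DKIM, not with a name filter
    if domain in allow:
        return "allowed"
    target = normalize(legit.split(".")[0])
    labels = domain.split(".")
    # Brand used as any label: examplecorp.co, examplecorp.com.attacker.net, examp1ecorp.com
    if any(normalize(lab) == target for lab in labels):
        return "lookalike"
    # Typos and transpositions of the brand: exampelcorp.com, mail.examplecrop.com
    budget = 1 if len(target) < 8 else 2
    if any(levenshtein(normalize(lab), target) <= budget for lab in labels):
        return "lookalike"
    return "external"

def lookalike_regex(legit=LEGIT_DOMAIN):
    """Pattern for a filter that only takes regular expressions.

    Enumerates single-character omissions, doublings, adjacent transpositions
    and homoglyph swaps of the brand label under any TLD. It cannot express the
    edit-distance test in classify(), so it will miss variants classify() catches.
    """
    s = legit.split(".")[0].lower()
    variants = set()
    for i in range(len(s)):
        variants.add(s[:i] + s[i + 1:])                         # omission
        variants.add(s[:i] + s[i] + s[i] + s[i + 1:])           # doubling
        if i + 1 < len(s):
            variants.add(s[:i] + s[i + 1] + s[i] + s[i + 2:])   # transposition
    for bad, good in HOMOGLYPHS.items():
        if good in s:
            variants.add(s.replace(good, bad))                  # homoglyph swap
    variants.discard(s)        # the real domain is handled by SPF/DKIM, not this rule
    alts = "|".join(sorted(re.escape(v) for v in variants))
    return r"^[^@]+@(?:%s)\.[a-z0-9.-]+$" % alts

def regex_blocks(sender, legit=LEGIT_DOMAIN):
    """True when the enumerated-variant pattern would reject this sender."""
    return re.match(lookalike_regex(legit), sender.strip(), re.I) is not None

if __name__ == "__main__":
    for addr in ["ceo@examplecorp.com", "ceo@examp1ecorp.com", "ceo@exampelcorp.com",
                 "ceo@examplecorp.co", "ceo@examplecorp.com.attacker.net", "bob@google.com"]:
        print("%-40s classify=%-9s regex=%s" % (addr, classify(addr), regex_blocks(addr)))
```

The gap between the two functions is the point: a regex list is a fixed enumeration, so `examplecorp.com.attacker.net` (brand as a subdomain) or a two-character typo sails through it, while `classify()` catches both. Whichever you deploy, log the lookalike hits rather than silently dropping them for the first week, since the edit-distance budget will occasionally flag an unrelated but similarly spelled domain.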