On occasion, a company receives eMail with two header fields (“Received” and “From”) containing data that contradict each other drastically. Should they not expect their anti-spam system to flag or block items with contradictions in these fields?
For example, they received an eMail which contained [almost exactly] these two headers:
Received: from [107.52.51.26] by web315204.mail.ne1.yahoo.com via HTTP; Mon, 28 Oct 2013 04:28:04 PDT
From: Barry Smith <[email protected]>
Obviously, eMail from an @att.net address isn’t coming from a server on the domain yahoo.com, and Yahoo isn’t forwarding AT&T’s eMail. There were no other headers indicating that the item was sent “OnBehalfOf”, or “Forwarded-by”, or “By_Proxy” or any other such.
Should I write a utility to scan incoming eMail for such conflicts, or look more closely at their spam filtering to block this kind of eMail? Their eMail system is Hosted Exchange on MS-365. My central question is, where specifically do I look in MS-365 to get this type of conflicted eMail blocked?
While that MIGHT be true in this instance, it isn't true for a lot of email.
For instance, you might have a Received header that says something like:
Received: from [107.52.51.26] by exchange01.domain.local via HTTP; Mon, 28 Oct 2013 04:28:04 PDT
and a From header like:
From: Barry Smith <[email protected]>
The actual server sending (in the Received header) may not be representative of the sender's domain. It might be a mail server that hosts MANY domains or it could be the last leg of an email's path (for instance being routed through a SaaS antivirus/antispam service before delivery).
What you are really after is SPF records for the domain. That is how to look for spam in this instance. They will correspond and tell you whether an email that is coming from [email protected] should have come from webmailserver004.sillygoose.net or not.
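The check the answer describes, as an added example that is not part of the original thread: pull the connecting IP out of the topmost Received header and the domain out of the From header, then evaluate that IP against the domain's SPF record. The headers are constructed and modelled on the ones quoted in the thread, the domains are hypothetical (example.net, example.org), and the SPF records live in an in-memory table so the script runs offline; a real deployment would fetch the record with a DNS TXT lookup of the sender's domain. Only the ip4 mechanism and the all qualifier are implemented, which is enough to show how the verdict is reached.

```python
import ipaddress
import re

# Constructed sample headers, modelled on the thread. The Received line is the one
# our own MX wrote (the "by" host is ours), so the "from" IP is the real peer.
SAMPLE_HEADERS = (
    "Received: from [107.52.51.26] by mx1.ourcompany.example via SMTP; "
    "Mon, 28 Oct 2013 04:28:04 PDT\n"
    "From: Barry Smith <barry.smith@example.net>\n"
    "Subject: quarterly numbers\n"
)

# Constructed SPF records for hypothetical domains. In production these come from
# dns.resolver (or any DNS client) querying TXT for the domain.
FAKE_SPF = {
    "example.net": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "example.org": "v=spf1 ip4:107.52.51.0/24 ~all",
}

# First IPv4 literal after "Received: from", with or without square brackets.
RECEIVED_IP_RE = re.compile(r"^Received:\s+from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", re.I | re.M)
# Domain part of the first address in the From header.
FROM_DOMAIN_RE = re.compile(r"^From:[^@\n]*@([A-Za-z0-9.-]+)", re.I | re.M)

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def connecting_ip(headers):
    """Return the peer IP from the topmost Received header, or None."""
    m = RECEIVED_IP_RE.search(headers)
    return m.group(1) if m else None


def sender_domain(headers):
    """Return the domain of the From address, lower-cased, or None."""
    m = FROM_DOMAIN_RE.search(headers)
    return m.group(1).lower().rstrip(">") if m else None


def spf_verdict(ip, domain, records):
    """Simplified SPF evaluation: ip4 mechanisms and the trailing 'all' only.

    Returns one of pass / fail / softfail / neutral / none, following the
    standard result names. No include/a/mx/redirect handling.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
    # Record ended without an 'all' term: SPF treats that as neutral.
    return "neutral"


def check_message(headers, records=FAKE_SPF):
    """Tie the pieces together: (peer ip, sender domain, spf result)."""
    ip = connecting_ip(headers)
    domain = sender_domain(headers)
    if ip is None or domain is None:
        return ip, domain, "permerror"
    return ip, domain, spf_verdict(ip, domain, records)


if __name__ == "__main__":
    ip, domain, verdict = check_message(SAMPLE_HEADERS)
    print(f"peer={ip} domain={domain} spf={verdict}")
```

Two caveats a practitioner would apply before trusting the verdict. Real SPF is evaluated against the envelope sender (the SMTP MAIL FROM, visible after delivery as Return-Path), not the From header, so a forwarding service or mailing list with its own envelope sender passes SPF even though the From domain's record would fail; that is exactly the "last leg" situation the answer describes. And only the Received line written by your own edge server is trustworthy, because everything below it was supplied by the remote side, which is why the script reads the topmost header rather than any that mentions a webmail host.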