Reflexion KBA's:
Reflexion "Spoofing Prevention" option
Posted by , Last modified by on 21 June 2017 02:16 PM

Reflexion's Spoofing Prevention option checks the Addresses listed in the headers of the message to determine if the inbound message is spoofed:

If either the Display address (From-address in Outlook) or the X-Sender address (Sender field in Reflexion Reports) claims to be from the domain receiving the mail, we will fail the incoming message.  This option does NOT check the domain's SPF record, OR the Username field in a piece of mail.  The block can be avoided by adding the X-sender to the Allow List, or by adding the sending IP to the IP Filtering good list.

Example of a message we would block:
From: []
to: []
X-sender: abc@phishco.spm

Example of a message we would NOT block:
From: Max McElroy [abc@phishco.spm]
To: Max McElroy [
X-Sender: abc@phishco.spm

In the second example, the Username field of the message is copying the name of a user, but the Reflexion system only checks the email addresses that are listed within the headers, in this case the abc@phishco.spm address.  Since this @phishco address is not listed in our Enterprise, we would not see this as a spoofed message.
There are ways to combat these Username field spoofs however, which are outlined in the below Technet article:

(150 vote(s))
Not helpful

Comments (0)
Post a new comment
Full Name:
CAPTCHA Verification 
Please enter the text you see in the image into the textbox below (we use this to prevent automated submissions).