Recently some of our users received emails pretending to come from the admin account: the FROM header was modified to look like it was sent from the admin account, but looking into the source of the email we found that the Return-Path contains the real sender, which is from a different domain.
How can we check the FROM and RETURN-PATH headers to see if the domain is the same, and if so accept the mail, but discard the email if the domain is different?
Regards.

Return-Path: <tal.ros@mathazzar.com> <------------------------------------------------------------------------ This is the real spammer
Received: from mail.ourdomain.com (LHLO mail.ourdomain.com)
(10.10.1.10) by mail.ourdomain.com with LMTP; Wed, 9 Nov 2022 03:29:21
+0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by mail.ourdomain.com (Postfix) with ESMTP id EB39A81C63F83
for <support@ourdomain.com>; Wed, 9 Nov 2022 03:29:20 +0100 (CET)
X-Virus-Scanned: amavisd-new at ourdomain.com
X-Spam-Flag: NO
X-Spam-Score: 3.272
X-Spam-Level: ***
X-Spam-Status: No, score=3.272 required=6.4 tests=[BAYES_50=0.8,
CUSTOM_LOOKUP_17=0.5, CUSTOM_LOOKUP_18=0.5, CUSTOM_LOOKUP_2=0.5,
HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TO_IN_SUBJ=0.1,
T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001,
URIBL_PH_SURBL=0.61] autolearn=no autolearn_force=no
Received: from mail.ourdomain.com ([127.0.0.1])
by localhost (mail.ourdomain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id W1Wo86rSak02 for <safinez.gacem@ourdomain.com>;
Wed, 9 Nov 2022 03:29:17 +0100 (CET)
Received: from ofwaqqsj.mathazzar.com (ofwaqqsj.mathazzar.com [92.52.217.146]) <------------------------- This is the real server
by mail.ourdomain.com (Postfix) with ESMTPS id E75608001ECFB
for <support@ourdomain.com>; Wed, 9 Nov 2022 03:29:16 +0100 (CET)
From: ourdomain.com <admin@ourdomain.com> <------------------------------------------------- This is the fraudulent and modified From header
To: support@ourdomain.com <----------------------------------------------------------------------------- This is our targeted local user
Subject: support@ourdomain.com Pending mails Error
Date: 8 Nov 2022 18:30:37 -0800
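The comparison the question asks for, written out as a worked example (added here; it is not code from the question or from Postfix). Postfix header_checks look at one header at a time and cannot compare From: with Return-Path:, so a check like this has to run where the whole message is visible, i.e. in a content filter or milter. The sample message is constructed from the headers quoted above; the function and verdict names are this example's own, and the relaxed parent/child domain rule is a simplified version of DMARC's relaxed alignment (no public-suffix handling).

```python
"""Check whether the From: header domain aligns with the Return-Path domain.

Added example, not from the question: the same comparison a content filter
or milter would perform before handing mail to local delivery.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, trimmed from the headers quoted in the question.
SPOOFED_SAMPLE = """\
Return-Path: <tal.ros@mathazzar.com>
Received: from ofwaqqsj.mathazzar.com (ofwaqqsj.mathazzar.com [92.52.217.146])
    by mail.ourdomain.com (Postfix) with ESMTPS id E75608001ECFB
    for <support@ourdomain.com>; Wed, 9 Nov 2022 03:29:16 +0100 (CET)
From: ourdomain.com <admin@ourdomain.com>
To: support@ourdomain.com
Subject: support@ourdomain.com Pending mails Error

(message body)
"""


def header_domain(value):
    """Return the lower-cased domain of the address in a header value, or
    None when the header is absent or carries no address (for example the
    null envelope sender "<>" that bounces use)."""
    if not value:
        return None
    _display, addr = parseaddr(value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def domains_aligned(from_domain, rp_domain, relaxed=True):
    """Strict mode needs an exact match; relaxed mode also accepts a
    parent/child relationship (bounce.example.com vs example.com).
    Simplified DMARC-style alignment: no public-suffix list is consulted,
    so co.uk-style registries get no special treatment."""
    if from_domain == rp_domain:
        return True
    if not relaxed:
        return False
    return (from_domain.endswith("." + rp_domain)
            or rp_domain.endswith("." + from_domain))


def check_alignment(raw_message, relaxed=True):
    """Classify one RFC 5322 message given as text. Verdicts:
    aligned, misaligned, no-from (unusable From:), no-envelope-sender."""
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg.get("From"))
    rp_domain = header_domain(msg.get("Return-Path"))
    if from_domain is None:
        verdict = "no-from"
    elif rp_domain is None:
        verdict = "no-envelope-sender"
    elif domains_aligned(from_domain, rp_domain, relaxed):
        verdict = "aligned"
    else:
        verdict = "misaligned"
    return {"verdict": verdict,
            "from_domain": from_domain,
            "return_path_domain": rp_domain}


def should_discard(result, local_domain):
    """Policy for the question's case: drop only when the message claims to
    be from our own domain while its envelope sender is somewhere else.
    Mismatches on third-party mail are left to SPF/DKIM/DMARC, because
    mailing lists and forwarders legitimately rewrite the Return-Path."""
    return (result["verdict"] == "misaligned"
            and result["from_domain"] == local_domain.lower())


if __name__ == "__main__":
    outcome = check_alignment(SPOOFED_SAMPLE)
    print(outcome)
    print("discard:", should_discard(outcome, "ourdomain.com"))
```

Run against the sample, the verdict is `misaligned` (From `ourdomain.com`, Return-Path `mathazzar.com`) and `should_discard` returns True for the local domain. Two things worth noting: the X-Spam-Status line in the question shows amavisd-new already firing HEADER_FROM_DIFFERENT_DOMAINS, only weighted at 0.25, so the existing filter sees the mismatch; and for the specific abuse shown (an outside server using your own domain in From:), publishing SPF and DKIM plus a DMARC policy for your domain and having the inbound MTA enforce it is the standard remedy, since it checks exactly this alignment without breaking legitimate forwarded mail.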