questions about spoofs

Hello Jiri,

Thank you for contacting the Sophos Community!

If you check the email headers are you seeing the header from Sophos Central?

Regards,

Yes, all go through sophos server (looked at email headers)

Interestingly enough, sophos forums notification (of this thread) did not include smart banner neither (we did not add sophos.com to approved list), attached is sophos forum notification email (tried to copy paste it as code but got flagged for spam)

https://www.dropbox.com/s/ozfuds8b0x6m5no/email.txt?dl=0

Hello Jiri,

Emails coming from sophos.com will not get the banner this is by design.

Regards,

That's very strange behavior honestly, sophos forum notifications bypass basic setting of the email gateway platform? Why? Banner are simple green-yellow-red. Showing "nothing" is simply not a good way to teach users what to watch for. It is external email not coming from our domain, it should be flagged. Btw Sophos forum emails don't even use DKIM 

Authentication-Results: mx-01-us-west-2.prod.hydra.sophos.com; spf=pass smtp.mailfrom=noreply@mail.community.sophos.com; dkim=none;

if you run tests on https://emailspooftest.com you get similar "no banner" behavior and on top you get emails through which should be flagged as spam E9 and E10

honestly this seems like a bug, not a feature to me

I just opened my inbox

- there are some emails with no banner from random outside domains (some even flagged as bulk)

- emails from haveibeenpwned.com have green banner though they clearly impersonate our domain, the email came with striped dkim though our domain clearly says it must use sophos dkim, I am also very unsure how sophos makes sure outgoing emails are truly coming from us, there is no real auth between google email server and sophos gateway (blind trust i guess)

I just opened my inbox

- there are some emails with no banner from random outside domains (some even flagged as bulk)

- emails from haveibeenpwned.com have green banner though they clearly impersonate our domain, the email came with striped dkim though our domain clearly says it must use sophos dkim, I am also very unsure how sophos makes sure outgoing emails are truly coming from us, there is no real auth between google email server and sophos gateway (blind trust i guess)

Hello Jiri,

I would recommend you to open a case with Support to get those emails without banner investigated as well as the impersonation.

Also, take a look at this KB for questions about banners.

Regards,