Hi! I don't understand why they would match your SPF record either. Are they sent out by an IP address you 'approved'??
Thanks, Raymond Dijkxhoorn

> On 28 Jun 2016 at 03:27, jdebert <jdeb...@garlic.com> wrote:
>
> On Mon, 27 Jun 2016 18:41:04 +0530
> Ram <r...@netcore.co.in> wrote:
>
>> I am seeing messages that appear to come from the MD or the CEO of
>> the company to the accounts department asking people to transfer
>> money to some fake account.
>>
>> These messages were initially few and I ignored them. But now this has
>> become a problem.
>> I know these are not spam messages, so catching them will be out of
>> scope for a spam filter.
>>
>> These messages have different envelope IDs, so SPF checks always pass.
>> The header From is properly formatted, exactly how it will be in a
>> normal mail.
>>
>> What measures do you take for such spear phishing?
>>
>> Thanks
>> Ram
>
> You're not using the proper tools. You cannot expect SpamAssassin to
> magically prevent all such messages. Just because SpamAssassin or any
> other filter passes such a message does not mean it is valid. To use
> SpamAssassin and filters to block such messages gives a false sense
> of security and leads to false assumptions of authenticity. Your company
> must enforce strict AP controls to prevent payouts based on such
> messages, and the controls must apply to everyone, including the CEO. Those
> are the proper tools.
>
> Given that these messages are appearing more frequently, it may be that
> some have already been successful. I suggest you consider an AP audit
> to ensure that this is not the case.
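The gap Ram describes (SPF passes because it only checks the envelope sender, while the header From looks exactly like a normal internal mail) is the one DMARC alignment closes. The script below is an added example, not code from anyone in this thread: it takes the envelope sender from Return-Path, takes the domain from the From: header, and checks whether the two align the way DMARC relaxed alignment would, then also flags the second common pattern, an executive's display name on an address outside the company domain. COMPANY_DOMAIN, the EXECUTIVES set, and all four sample messages are constructed assumptions for the demo; the script assumes the MTA has already evaluated SPF for the envelope domain and recorded that sender in Return-Path, so the only question asked here is whether that authenticated domain has anything to do with the domain the user sees.

```python
"""Header-From / envelope-sender alignment check for BEC-style mail.

Added example (not from the mailing-list thread). SPF authenticates the
envelope sender (MAIL FROM, recorded as Return-Path), not the From: header
the recipient reads, so a message with a throwaway envelope domain and a
correct SPF record for that domain passes SPF while the From: header
impersonates the CEO. DMARC fixes this by requiring the two domains to
align; this script performs that check offline on constructed samples.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"            # assumption: the domain being defended
EXECUTIVES = {"jane roe", "john doe"}     # assumption: display names to protect


def org_domain(domain: str) -> str:
    """Reduce a domain to its last two labels. Real DMARC relaxed alignment
    uses the Public Suffix List; two labels are enough for this demo."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw: str) -> dict:
    """Classify one RFC 5322 message as pass / quarantine / reject.

    Assumes the receiving MTA already ran SPF on the envelope sender and
    wrote that sender into Return-Path; no DNS is consulted here.
    """
    msg = message_from_string(raw)
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    display, header_from = parseaddr(msg.get("From", ""))
    env_dom = envelope.rpartition("@")[2].lower()
    from_dom = header_from.rpartition("@")[2].lower()

    # DMARC-style relaxed alignment: organizational domains must match.
    aligned = bool(env_dom) and org_domain(env_dom) == org_domain(from_dom)
    claims_our_domain = org_domain(from_dom) == COMPANY_DOMAIN
    # Executive's name shown on an address that is not ours at all.
    exec_name_external = (display.strip().lower() in EXECUTIVES
                          and not claims_our_domain)

    if claims_our_domain and not aligned:
        verdict = "reject"        # From: says we sent it; the envelope says otherwise
    elif exec_name_external:
        verdict = "quarantine"    # CEO's name on a free-mail or look-alike domain
    else:
        verdict = "pass"

    return {
        "envelope_domain": env_dom,
        "from_domain": from_dom,
        "spf_aligned": aligned,
        "exec_name_external": exec_name_external,
        "verdict": verdict,
    }


# Constructed sample messages (not real traffic).
BEC_SPOOFED_FROM = """Return-Path: <bounce@mailer.attacker.example.net>
From: "Jane Roe" <jane.roe@example.com>
To: accounts@example.com
Subject: Urgent wire transfer

Please wire the attached invoice today, I am in a meeting.
"""

BEC_DISPLAY_NAME = """Return-Path: <jane.roe.ceo@freemail.example.org>
From: "Jane Roe" <jane.roe.ceo@freemail.example.org>
To: accounts@example.com
Subject: Re: payment

Use this account instead.
"""

LEGIT_INTERNAL = """Return-Path: <jane.roe@example.com>
From: "Jane Roe" <jane.roe@example.com>
To: accounts@example.com
Subject: Q2 budget

Attached.
"""

LEGIT_VENDOR = """Return-Path: <bounces@supplier.example.org>
From: billing@supplier.example.org
To: accounts@example.com
Subject: Invoice 1042

See attached.
"""

if __name__ == "__main__":
    for name, raw in [("spoofed From", BEC_SPOOFED_FROM),
                      ("display-name spoof", BEC_DISPLAY_NAME),
                      ("legit internal", LEGIT_INTERNAL),
                      ("legit vendor", LEGIT_VENDOR)]:
        print(f"{name:20s} -> {analyze(raw)}")
```

Once the company publishes a DMARC policy, a DMARC-aware MTA makes the first check (From: domain versus the SPF- or DKIM-authenticated domain) for you and can reject at SMTP time; the display-name check is a local policy decision and is worth keeping even then, because it catches the look-alike and free-mail cases where both domains are the attacker's and alignment is technically fine. Neither replaces the AP controls jdebert describes; they just stop the mail from reaching the accounts department in the first place.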