Alert: Self Trusted


Type: Security


Text in alerts email:  


Case #1

User exampleuser@localdomain.com is trusting all emails from exampleuser@localdomain.com


Case #2

User exampleuser@localdomain.com is trusting all emails from anotheruser@localdomain.com



Why is self-trusting a bad thing?


Simple, people who send phishing emails will often impersonate people in the company either through the friendly name part or by simply impersonating your own domain.  

Note that SPF doesn't protect you necessarily because SPF is meant for the SMTP transaction MAIL FROM statement and not the header FROM.  An attacker could simply put an SMTP MAIL FROM of a domain that has a proper SPF record but put FROM: exampleuser@localdomain.com in the header from.


If say, jimbob@localdomain.com is trusting his own email address, it means anybody can send him an Email with FROM: jimbob@localdomain.com in the from field.  So it's pretty important NOT to self-whitelist.  


Proofpoint no longer allows end-users to self-trust however this interdiction was only put in place in late 2020 ... so anybody with a trusted list that pre-dates that may have self-trusting entries.



There are two cases possible:


Self-trusting (bad) and trusting someone else in the organization (not as bad but still bad).




How do I clean those up?


You can use the vircomportal self-trusted cleanup. (link)