If you ever receive spoofed email that uses an email address as the display name, like the example below, try the tips below. I am using Zimbra and this is what I do.
su - zimbra
vi /opt/zimbra/conf/from_checks
Fill it with the following line:
/^From:(.*@)+(.*@)/ HOLD it looks like you are spam
Note: if you receive an email whose display name contains an @, the message is held and the log records "it looks like you are spam". You can replace HOLD with another action such as DISCARD or REJECT.
If you want to whitelist a domain whose display names contain an @, add it as the first line, like below (Postfix applies the first rule that matches):
/^From:(.*@imanudin.com)+(.*@imanudin.com)/ OK domain whitelist
/^From:(.*@)+(.*@)/ HOLD it looks like you are spam
If you want to redirect such email to another address instead of holding it, change it as follows:
/^From:(.*@imanudin.com)+(.*@imanudin.com)/ OK domain whitelist
/^From:(.*@)+(.*@)/ REDIRECT admin@yourdomain.com
Run the following commands to add the header check and reload Postfix:
zmprov ms `zmhostname` zimbraMtaHeaderChecks "pcre:/opt/zimbra/conf/postfix_header_checks,pcre:/opt/zimbra/conf/from_checks"
zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
postfix reload
The following is an example log entry for an email that uses an @ in the display name:
D6CAE2811C34: hold: header From: "imanudin@imanudin.net" <spam@spam.xyz> from unknown[120.xxx.xxx.xx]; from=<spam@spam.xyz> to=<cilox@imanudin.com> proto=ESMTP helo=: it looks like you are spam
Nov 1 23:45:45 myzimbra postfix/cleanup[17284]: D6CAE2811C34: message-id=<c8432028-4616-fcea-2280-699b7e22058e@spam.xyz>
Example in mailq:
[zimbra@myzimbra ~]$ mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
D6CAE2811C34!      626 Thu Nov  1 23:45:45  spam@spam.xyz
                                            cilox@imanudin.com

-- 1 Kbytes in 1 Requests.
The Queue ID carries a ! sign (exclamation mark), which means the email is on hold. You can delete it (if the email is spam) or release it (if the email is not spam).
Good luck and hopefully useful 🙂
Source : https://imanudin.com/2018/11/02/tips-block-email-spoofing-by-display-name/
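As an added illustration, not part of the original post, the Python below emulates how Postfix walks a pcre: header_checks table (top to bottom, first match decides, case-insensitive by default) using the post's two rules; every From: header it tests is a constructed sample.

```python
import re

# Rules copied from the post's from_checks table, in table order. Postfix reads
# a pcre: header_checks table top to bottom and the FIRST matching pattern
# decides, so the whitelist line must sit above the catch-all HOLD line.
# pcre tables match case-insensitively unless a pattern says otherwise, hence
# re.IGNORECASE here. (The unescaped dots in "imanudin.com" match any
# character, exactly as they would in the Postfix table.)
FROM_CHECKS = [
    (r"^From:(.*@imanudin.com)+(.*@imanudin.com)", "OK", "domain whitelist"),
    (r"^From:(.*@)+(.*@)", "HOLD", "it looks like you are spam"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), act, txt) for p, act, txt in FROM_CHECKS]


def check_from_header(header):
    """Return (action, text) from the first matching rule, or None when no rule
    matches and Postfix would continue normal processing."""
    for pattern, action, text in COMPILED:
        if pattern.search(header):
            return action, text
    return None


# Constructed sample From: headers (not taken from the post's log).
SAMPLES = {
    # A single @: ordinary mail, neither rule fires.
    "plain": 'From: "Alice Example" <alice@example.org>',
    # An address-shaped display name next to a different real address: held.
    "spoofed": 'From: "imanudin@imanudin.net" <spam@spam.xyz>',
    # Both @ parts belong to the whitelisted domain: accepted by line one.
    "whitelisted": 'From: "cilox@imanudin.com" <cilox@imanudin.com>',
    # Only the display name carries the whitelisted domain: the whitelist
    # needs "@imanudin.com" twice, so this still falls through to HOLD.
    "half": 'From: "cilox@imanudin.com" <spam@spam.xyz>',
}


def classify_all():
    """Map each sample name to the rule result it triggers."""
    return {name: check_from_header(hdr) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:12s} -> {result}")
```

Because the HOLD line fires on any From: header with two @ characters, a legitimate sender whose display name is itself an address is held as well; that is the case the whitelist line in the post exists for.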
Hi, nice to meet you. I wanted to ask for your help. I'm getting a lot of junk mail from external servers. What can I do? Thank you. Developing a guide on how to send the email to a blacklist is a good option, but I am receiving many. I am the manager of Zimbra. On other occasions you have given me support; I thank you again. Regards
Hello,
You can apply these configurations:
– https://imanudin.net/2017/03/20/zimbra-tips-how-to-enable-ptrreverse-dns-lookup-for-incoming-email/
– https://imanudin.net/2017/03/23/zimbra-tips-how-to-enforce-spf-checking-for-incoming-email/
Dear Imanudin
A few mails are going to the Junk folder. How do I whitelist those emails globally for all accounts?
Hi,
Please check the full header of the email. You will find what issue makes your email go to the Junk folder, like DMARC policy.
Hello, great tutorial. I would like to ask whether this type of configuration can slow down the server, since it performs an additional check when an email comes in. I have received these attacks in the last months and they come from a large number of addresses. I also wanted to thank you; I always read your tutorials and they are very useful to me.
Sorry for my English, it's not my main language.
Hello, Iman.
I want to ask for your help. Sometimes I see spam with a fake address..
It looks like myadress@mydomain.com sent me spam..
What should I do to reject such messages?
I have Zimbra 8.8.8.
I thought that the reason for my problem is "SPF Checking", but either this is not true or I was unable to configure it properly..
Hello,
If you get spam from your own domain, you can apply this one: https://imanudin.net/2014/09/07/how-to-improvement-sender-must-loginenforcing-a-match-between-from-address-and-sasl-username-on-zimbra-8-5/
No, this is spam from another domain..
It is a fake.. I found a service "send fake anonymous email" on the web.
Can't you check your mail server for such trouble? (anonymailer . net for example)
I checked it on mine, and the result is sad.. The spam from this service came through to me…
Sorry for my bad English…
Oh.. here is the solution.
I understand that I did not add an SPF rule for a subdomain, and this is my mistake. After I corrected it, I understood that I needed to edit the SpamAssassin rules to give points to messages that do not pass the SPF check. So I added 2 rules:
zimbra@mail:/$ cat /opt/zimbra/data/spamassassin/localrules/sauser.cf
score SPF_SOFTFAIL 3.000
score SPF_FAIL 7.000
And now fake mail goes to the SPAM directory )
Hello Roman,
You can apply SPF checks for incoming email using this method:
– https://imanudin.net/2016/03/11/zimbra-tips-how-to-enable-spf-checking-for-incoming-connection/
– https://imanudin.net/2017/03/23/zimbra-tips-how-to-enforce-spf-checking-for-incoming-email/
Dear,
I hope you are doing well by the grace of the Almighty. I am facing a problem: mail coming from outside has the same name in the From address, for example saleh@example.com sends mail to saleh@example.com …. It comes from an outside IP …. We use a Barracuda gateway, but how this mail reaches my server I can't understand.
Hello,
You can block "From: @yourdomain" on your Barracuda network. If you check the full header, the spammer is using another email to send the email, but using your domain in the header.
I've blocked this spam using the "From" header in my antispam
Great work!
Thanks a lot!
Hi Imanuddin,
You are doing great. I have a problem with the Zimbra email queue. Kindly let me know if you have any solution.
One of our users in Zimbra set up a forwarder from Gmail to his account. When emails like Facebook notifications arrive, they are deferred in the mail queue. Is there any possibility to avoid this or directly delete the email? Any script?
Hello,
Email in deferred means there was a problem when sending an email. It can be no route to host, no MX records, no A records, etc. You can delete that email using the pfdel script. You can see this one: https://www.vavai.net/2018/10/bash-script-for-spam-queue-removal-on-zimbra-mail-server-updated/
Hello Iman, great tutorial!
I wanted to know if it is possible to send these emails containing @ in the display name to the user's spam folder, instead of to the queue or being rejected?
Hello,
No. The actions that you can choose are DUNNO, DEFER, REJECT, DROP
OK thanks. Is there a way to block whoever contains this symbol in the name and at the same time whitelist addresses that, even if they contain the @ in the name, are good addresses?
Hello,
If you want to whitelist a domain that has @ in the display name, you can add it as the first line, like below
Hi, thanks for this. I'm recently getting fake messages from senders with a name and email address in the display field ("John Doe "). Is there any way to include a group of characters and @ in the check field?
Hello Marko,
This method uses regex. If the group of characters can be matched using regex, I think it is possible.
Hi Eman,
This is not working for me, when I add this:
/^From:(.@example.com.ph)+(.@example.com.ph)/ OK domain whitelist
Any suggestions?
Thanks
Hello Yuan,
Please try adding * before @, so that it looks like below
Hi Iman,
I will try this. I let you know if working or not.
Thank you.
Hi Iman,
This is working now.
Thank you.
Hi Iman,
Good day!
How do I remove or disable the Email Spoofing by Display Name check?
Thank you.
Hello,
You can put a hashtag (#) in front of the line. Then, reload Postfix
Hi Iman,
like this? #/^From:(.*@)+(.*@)/ HOLD it looks like you are spam
Thank you.
Hello Yuan,
Yes. Like that
Hi Iman,
Happy New Year.
Question: my mail server cannot view the held email. I refreshed many times, but the error still persists. I can't view the held email. Any suggestion on this, please?
Thanks
Hello Yuan,
You can use postcat to see the content of an email in the queue. The command is postcat -q QUEUE-ID-THAT-APPEAR
Hi Iman,
Thank you.
Hi Iman,
This is not working when I try this below:
/^From:(.*@example.com.ph)+(.*@example.com.ph)/ OK domain whitelist
The email address is still held. Any suggestion on this, please.
Thank you.
Hi Iman,
Now this is not working?
/^From:(.*@example.com.ph)+(.*@example.com.ph)/ OK domain whitelist
The email address is still held. Any suggestion on this, please.
Thank you.
Hi Sir Iman,
Good day!
Any ideas on this, please.
Thank you
Hi iman,
In our organization we are getting mails such as "Full name of the User", i.e., there is no "@" symbol in the display name. For example, "Mr. ABC ". Mr. ABC is the display name being used by our user. How do I write the rule in such a case?
The format of the From header is: "Mr. ABC <spoffingID@gmail.com"
Hi Bunny,
If you use webmail, you can display email addresses with this command
Hi Iman,
Thanks for responding. I think I have not presented my problem correctly. The problem is that we are getting mails from a Gmail account with the same display name as our user. For example, our user has the email ID "userid@ourdomain.com" and uses the display name "Mr. ABC". We are getting mails from a Gmail ID, for example "spoofedid@gmail.com", with the display name "Mr. ABC" ("Mr. ABC"). In the above article you have given a solution to block/DISCARD mails if we get the "@" symbol in the display name. Here I don't have the "@" symbol in the display name; instead I have the full user name, i.e., Mr. ABC. I want to block such mail spoofing.
Thanks
Hi Bunny,
It is difficult to block a display name without special characters like @. I recommend you improve your email server with SPF and PTR checking, or use a third-party antispam.
Hi Iman,
Do you have any idea why this is not working?
/^From:(.*@example.com.ph)+(.*@example.com.ph)/ OK domain whitelist
The email address is still held. Any suggestion on this, please.
Thank you.
Hi Yuan,
If you have other servers, maybe you can split the server in and out
Dear Pak Imam,
How do I classify by X-Spam-Status with autolearn=no and autolearn_force=no? Because when I check the original file, if the email is not spoofing it is autolearn=ham, but if the email is spoofing it is autolearn=no
Hi pak Imron Wirahadi K,
For autolearn, it can be done by having users mark as spam/not spam via webmail. From there, the server will do the learning
hi
How can I whitelist multiple domains? Kindly let me know the exact syntax. Looking forward to your response.
Hi Muhammad Khan,
The guide already has a whitelist step. Please check again
Can I also create filters to check the display name in the To header, for example
/^To:(.*@)+(.*@)/ REJECT it looks like you are spam.
Hi Edrin,
Yes, you can.