Zimbra

How To Block Email Spoofing by Display Name

If you ever getting email spoofing that using email on display name like below

Please try below tips. I am using Zimbra and this is what i do

su - zimbra
vi /opt/zimbra/conf/from_checks

Fill with the following line

/^From:(.*@)+(.*@)/ HOLD it looks like you are spam

Note : If you receive email that having @ in the display name, email will be hold and you will getting information “it looks like you are spam” in the log. You can change HOLD with another method like DISCARD or REJECT.

Run the following command to add header check and restart postfix

zmprov ms `zmhostname` zimbraMtaHeaderChecks "pcre:/opt/zimbra/conf/postfix_header_checks,pcre:/opt/zimbra/conf/from_checks"
zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
postfix reload

The following is an example email log that use @ in the display name

D6CAE2811C34: hold: header From: "imanudin@imanudin.net" <spam@spam.xyz> from unknown[120.xxx.xxx.xx]; from=<spam@spam.xyz> to=<cilox@imanudin.com> proto=ESMTP helo=: it looks like you are spam
Nov  1 23:45:45 myzimbra postfix/cleanup[17284]: D6CAE2811C34: message-id=<c8432028-4616-fcea-2280-699b7e22058e@spam.xyz>

Exmaple in mailq

[zimbra@myzimbra ~]$ mailq
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
D6CAE2811C34!     626 Thu Nov  1 23:45:45  spam@spam.xyz
                                         cilox@imanudin.com

-- 1 Kbytes in 1 Requests.

In the Queue ID, have a ! sign (exclamation mark). It’s mean email holds. You can delete them (if that email is spam) or you can release them (if that email is not spam).

Good luck and hopefully useful 🙂

Source : https://imanudin.com/2018/11/02/tips-block-email-spoofing-by-display-name/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.