How To Block Email Spoofing by Display Name

If you ever receive spoofed email that puts an email address in the From: display name, like the log example further down, try the tips below. I am using Zimbra and this is what I do.

su - zimbra
vi /opt/zimbra/conf/from_checks

Add the following line:

/^From:(.*@)+(.*@)/ HOLD it looks like you are spam

Note: if a message arrives whose From: display name contains an @, the message is put on hold and the text “it looks like you are spam” is written to the log. You can replace HOLD with another action such as DISCARD (drop the message silently) or REJECT (refuse it and return the text to the sender). Two caveats: the pattern fires on any From: header that contains two @ signs, so legitimate senders whose mail client puts their own address in the display name ("john@example.com" <john@example.com>) are held as well; and because header_checks are applied by cleanup(8) to every message entering the queue, the rule can also catch mail your own users send unless the submission service overrides header checks. Keep HOLD and review the held queue for a while before moving to DISCARD or REJECT.
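To see exactly which From: headers the rule above catches, here is a small added example (not from the original post) that runs the page's pattern, plus a stricter variant written for this example, over a set of constructed From: headers. Python's re module stands in for Postfix's PCRE engine; the second pattern and all sample headers are this example's assumptions, and the case-insensitive flag mirrors the default of Postfix pcre tables.

```python
import re

# The rule from the from_checks file on this page, without the PCRE
# delimiters and the "HOLD ..." action.  Postfix applies header_checks
# patterns to the whole logical header line, "From: ..." included, and
# pcre tables match case-insensitively unless the rule says otherwise.
PAGE_RULE = r"^From:(.*@)+(.*@)"

# A stricter variant written for this example (not from the page): it fires
# only when the display name carries an address AND that address differs
# from the one in angle brackets, so "john@x" <john@x> is left alone.
STRICT_RULE = r'^From:\s*"?\s*([^"<>\s]+@[^"<>\s]+)\s*"?\s*<(?!\1>)[^>]*>'

# Constructed From: headers (not real traffic) and what each one represents.
SAMPLES = [
    ('From: "imanudin@imanudin.net" <spam@spam.xyz>', "spoofed: address in display name"),
    ('From: "support@bank.example" <x@evil.test>', "spoofed: address in display name"),
    ('From: ceo@corp.example <attacker@evil.test>', "spoofed: unquoted address as display name"),
    ('From: "john@example.com" <john@example.com>', "legitimate: own address as display name"),
    ('From: "Alice @ Work" <alice@example.org>', "legitimate: stray @ in a name, no address"),
    ('From: Alice Example <alice@example.org>', "legitimate: ordinary header"),
    ('From: spam@spam.xyz', "no display name at all"),
]


def rule_fires(rule, header):
    """True if a Postfix-style header_checks rule would match this header.
    re.IGNORECASE mirrors the default 'i' flag of Postfix pcre tables."""
    return re.search(rule, header, re.IGNORECASE) is not None


def evaluate(rule, samples=SAMPLES):
    """Map each sample header to whether the rule fires on it."""
    return {header: rule_fires(rule, header) for header, _ in samples}


def false_positives(samples=SAMPLES):
    """Headers the page's rule would hold but the stricter rule lets through."""
    return [h for h, _ in samples
            if rule_fires(PAGE_RULE, h) and not rule_fires(STRICT_RULE, h)]


if __name__ == "__main__":
    print(f"{'page rule':>10} {'strict':>7}  header")
    for header, note in SAMPLES:
        print(f"{str(rule_fires(PAGE_RULE, header)):>10} "
              f"{str(rule_fires(STRICT_RULE, header)):>7}  {header}  ({note})")
```

Against the live table the same check is `postmap -q 'From: "a@b" <c@d>' pcre:/opt/zimbra/conf/from_checks`, which prints the matching action text or nothing. The stricter pattern skips mail where the display-name address and the angle-bracket address are identical, which is the common legitimate case; in a from_checks file it would be written with the same /.../ delimiters and action as the page's rule.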

Run the following commands to add the header check and reload Postfix:

zmprov ms `zmhostname` zimbraMtaHeaderChecks "pcre:/opt/zimbra/conf/postfix_header_checks,pcre:/opt/zimbra/conf/from_checks"
zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
postfix reload

The following is an example from the mail log for a message that used @ in the display name:

D6CAE2811C34: hold: header From: "imanudin@imanudin.net" <spam@spam.xyz> from unknown[120.xxx.xxx.xx]; from=<spam@spam.xyz> to=<cilox@imanudin.com> proto=ESMTP helo=: it looks like you are spam
Nov  1 23:45:45 myzimbra postfix/cleanup[17284]: D6CAE2811C34: message-id=<c8432028-4616-fcea-2280-699b7e22058e@spam.xyz>

Example in mailq:

[zimbra@myzimbra ~]$ mailq
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
D6CAE2811C34!     626 Thu Nov  1 23:45:45  spam@spam.xyz
                                         cilox@imanudin.com

-- 1 Kbytes in 1 Requests.

The ! sign (exclamation mark) after the Queue ID means the message is on hold. You can delete it (if it is spam) or release it (if it is not).
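As an added example (not part of the original post), the following Python parses `mailq` output like the listing above, picks out the held entries by their ! marker, and builds the postsuper commands to act on them. The queue listing embedded in it is constructed for the example; apart from the one entry shown on the page, its queue IDs and addresses are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `mailq` / `postqueue -p` output (not real traffic):
# one message on hold ("!"), one in the active queue ("*") and one deferred
# message with its deferral reason in parentheses.
SAMPLE_MAILQ = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
D6CAE2811C34!     626 Thu Nov  1 23:45:45  spam@spam.xyz
                                         cilox@imanudin.com

A1B2C3D4E5F6*    1402 Thu Nov  1 23:50:02  alice@example.org
                                         bob@example.net

0F1E2D3C4B5A     2210 Thu Nov  1 22:10:17  news@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         carol@example.net

-- 4 Kbytes in 3 Requests.
"""

# First line of a queue entry: queue id, optional status mark, size,
# arrival time, envelope sender.  Header and summary lines start with "-"
# and therefore never match.
ENTRY_RE = re.compile(
    r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(\S+)$")

# mailq marks: "!" on hold, "*" active, no mark = incoming/deferred queue
STATUS = {"!": "hold", "*": "active", "": "queued"}


@dataclass
class QueueEntry:
    queue_id: str
    status: str
    size: int
    sender: str
    recipients: list = field(default_factory=list)
    reason: str = ""


def parse_mailq(text):
    """Turn mailq output into QueueEntry objects (recipients and reason included)."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():          # blank line closes the current entry
            current = None
            continue
        m = ENTRY_RE.match(line)
        if m:
            qid, mark, size, _arrival, sender = m.groups()
            current = QueueEntry(qid, STATUS[mark], int(size), sender)
            entries.append(current)
            continue
        if current is None:           # column header or trailing summary
            continue
        stripped = line.strip()
        if stripped.startswith("("):  # deferral reason line
            current.reason = stripped
        else:                         # indented recipient line
            current.recipients.append(stripped)
    return entries


def held_messages(entries):
    """Only the entries that header_checks (or an admin) put on hold."""
    return [e for e in entries if e.status == "hold"]


def postsuper_command(action, queue_id):
    """postsuper invocation for one held message: -H releases it, -d deletes it."""
    flag = {"release": "-H", "delete": "-d"}[action]
    return f"postsuper {flag} {queue_id}"


if __name__ == "__main__":
    for entry in held_messages(parse_mailq(SAMPLE_MAILQ)):
        print(f"{entry.queue_id}: {entry.sender} -> {', '.join(entry.recipients)}")
        print("  release:", postsuper_command("release", entry.queue_id))
        print("  delete: ", postsuper_command("delete", entry.queue_id))
```

Inspect a held message with `postcat -q QUEUEID` before deciding; `postsuper -H` and `postsuper -d` also accept ALL in place of a queue ID, so `postsuper -H ALL` releases everything on hold at once. Run these as the zimbra user.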

Good luck and hopefully useful 🙂

Source : https://imanudin.com/2018/11/02/tips-block-email-spoofing-by-display-name/

10 comments

  1. Hi, nice to meet you. I wanted to ask for your help. I'm getting a lot of junk mail from external servers. What can I do? Thank you. Developing a guide on how to send the email to a blacklist would be a good option, but I am receiving many. I manage Zimbra. On other occasions you have given me support; I thank you again. Regards

  2. Hello, great tutorial. I would like to ask whether this type of configuration can slow down the server, since it performs an additional check when an email comes in. I have received these attacks in the last few months and they come from a large number of addresses. I also wanted to thank you; I always read your tutorials and get a lot of use out of them.
    Sorry for my English, it's not my main language.

  3. Hello, Iman.
    I want to ask for your help. Sometimes I see spam with a fake address.
    It looks like myadress@mydomain.com sent me spam.
    What should I do to reject such messages?
    I have Zimbra 8.8.8.
    I thought the reason for my problem was “SPF Checking”, but either this is not true or I was unable to configure it properly.

      1. No, this is spam from another domain.
        It is fake. I found a “send fake anonymous email” service on the web.
        Can't you check your mail server for such trouble? (anonymailer . net for example)
        I checked it on mine, and the result is sad. The spam from this service came through to me.

        Sorry for my bad English.

        1. Oh, here is the solution.
          I understand that I did not add an SPF rule for a subdomain, and this was my mistake. After I corrected it, I understood that I needed to edit the SpamAssassin rules to give points to messages that do not pass the SPF check. So I added 2 rules:
          zimbra@mail:/$ cat /opt/zimbra/data/spamassassin/localrules/sauser.cf
          score SPF_SOFTFAIL 3.000
          score SPF_FAIL 7.000

          And now fake mail goes to the SPAM folder )

  4. Dear,
    I hope you are doing well by the grace of the Almighty. I am facing a problem: mail comes in from outside with the same name in the From address, such as saleh@example.com sending mail to saleh@example.com. It comes from an outside IP. We use a Barracuda gateway, but I can't understand how this mail reaches my server.

    1. Hello,
      You can block “From: @yourdomain” on your Barracuda. If you check the full header, the spammer is using another email address to send the email, but using your domain in the header.

      I've blocked this spam using the “From” header in my antispam.
