What is the issue?

Spoofing.

What causes the issue?

The first and last names of people in your organization are often public and readily available to spammers—for example, the name of your CEO. A spammer can attempt to send emails and trick a recipient using this information. This is called spoofing.

What is the solution?

SpamTitan has anti-spoofing display name tests to prevent your users' names from being spoofed.

  • ANTISPOOF_NAME: this test provides impersonation protection. Impersonation is when spam is sent using the From name of a high-profile person in a company, e.g. the CEO. This test is automatically enabled when a full name is entered for a user on their user policy.

  • ANTISPOOF_NAME_FUZZY: this test provides additional impersonation protection by checking to see if the MIME-Encoded From name fuzzy matches the full name (if it has been added) for a user policy. The fuzzy match range (difference between the two words) is 10% or less. For example, Jonathan Doe would fuzzy match with J0nathan Doe, but not with J0n4th4n D03.

If a mail is found that is addressed to your domain(s) but does not contain one of the Full Names you have entered, the mail will receive an additional spam score (7.99).

The From domain has no bearing on whether this test triggers. Multiple variations of each name are tested:

| Check | Example, From: "John Smith" <js@example.com> |
|---|---|
| Firstname Lastname | John Smith |
| Lastname, Firstname | Smith, John |
| F. Lastname or F Lastname | J. Smith or J Smith |
| Firstname L. or Firstname L | John S. or John S |
| Lastname only | Smith |
| Firstname only | John |

Fuzzy compare to the original (Firstname Lastname) ⇒ This one provides a lower score of 1.

Step-by-Step

Follow these steps to enable these tests for a user, for example John Smith.

  1. Go to Anti-Spam Engine > User Policies.

  2. Find the user policy for John Smith. To add a user policy, see Add a New User Policy.

  3. Click the edit icon in the Actions column to the right of John Smith's user policy and the Edit User Policy window displays.

  4. Add the user's full name to the User's Full Name: field. In this example, John Smith. A full name needs to be at least two words in length.

    Note

    This test will fail if the display name in the email contains other words before or after the full name. For example, Mr John Smith.

Further Info

If you are experiencing this type of spoofing regularly, consider implementing a pattern filter by following the steps below.

For further documentation, see Pattern Filtering and Anti-Spoofing.

  1. Create the pattern filter, replacing the placeholder items listed below with your own user details:

    "?FirstName\sSecondName"? .(?!(mailto:)?firstname\.secondname\@domain\.com)

    • FirstName: User's first name with an initial capital letter.

    • SecondName: User's second name with an initial capital letter.

    • firstname: User's first name in lowercase.

    • secondname: User's second name in lowercase.

    • domain: Your organization's domain.

    For example, for john.smith@example.com the pattern filter would be:

    "?John\sSmith"? .(?!(mailto:)?john\.smith\@example\.com)

  2. Add the pattern filter:

    1. Go to Filter Rules > Pattern Filtering.

    2. Click Add... and the Pattern window displays.

    3. From Filter Expression, select Matches Regular Expression.

    4. Enter the pattern filter created above in the Value field.

    5. Select Apply to Headers and enter "Display Name" in the text box.

    6. From Rule Type, select Soft Block to add a score of 5 to any emails that trigger this pattern filter.

    7. Select Save to activate this rule and start checking emails with immediate effect.
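To check a pattern filter before saving it, the following sketch builds the expression from the template in step 1 and runs it over constructed From values. It is an added example, not SpamTitan code: it assumes the "Display Name" value has the form "Name" <address>, uses Python's re module as a stand-in for the appliance's regex engine, and its function names and sample addresses are hypothetical.

```python
import re

def build_display_name_filter(first, last, domain):
    """Fill in the pattern-filter template from step 1 for one user."""
    local = f"{first.lower()}.{last.lower()}"  # firstname.secondname
    return (
        f'"?{re.escape(first)}\\s{re.escape(last)}"? '
        f'.(?!(mailto:)?{re.escape(local)}\\@{re.escape(domain)})'
    )

def triggers(pattern, from_value):
    """True when the filter fires on this From value (unanchored search)."""
    return re.search(pattern, from_value) is not None

# Constructed sample From values with the expected result for the John Smith
# filter; the addresses and domains are placeholders.
SAMPLES = [
    ('"John Smith" <john.smith@example.com>', False),       # genuine, quoted name
    ('John Smith <john.smith@example.com>', False),         # genuine, unquoted name
    ('John Smith <mailto:john.smith@example.com>', False),  # optional mailto: prefix
    ('"John Smith" <accounts@mail.invalid>', True),         # right name, wrong address
    ('John Smith <john.smith@mail.invalid>', True),         # right local part, wrong domain
    ('"J0hn Smith" <accounts@mail.invalid>', False),        # look-alike name, not an exact match
    ('"Jane Doe" <jane.doe@example.com>', False),           # different user
]

def run_samples(pattern):
    """Return the samples whose actual result differs from the expected one."""
    return [(v, exp) for v, exp in SAMPLES if triggers(pattern, v) != exp]

if __name__ == "__main__":
    pat = build_display_name_filter("John", "Smith", "example.com")
    print(pat)
    for value, _ in SAMPLES:
        print(f"{'BLOCK' if triggers(pat, value) else 'pass':5}  {value}")
    assert run_samples(pat) == []
```

The look-alike row shows why the exact-match pattern filter complements the fuzzy display name test rather than replacing it.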