Email spoofing is the creation of an email with a forged sender address to intentionally mislead a recipient about its origin. This technique is often used in phishing campaigns and generally attempts to get a user to click a link and share their credentials or reply with sensitive information.
SpamTitan has five anti-spoof tests (described below) to help protect against email spoofing. These tests are carried out on:
- Local domains with anti-spoofing enabled
- Inbound email only
At the domain level, go to Overview and select the Anti-Spoofing tab to enable and manage anti-spoofing settings for that domain (default: disabled). See Enabling and Managing Anti-Spoofing.
Email Headers
SpamTitan Anti-spoofing tests check the full set of To/Cc headers, including:
- To:
- Apparently-Resent-To:
- X-Original-To:
- Apparently-To:
- X-Envelope-To:
- X-Rcpt-To:
- Delivered-To:
- Envelope-To:
- X-Real-To:
- Envelope-Recipients:
- X-Delivered-To:
- Cc:
- Resent-To:
- Resent-Cc:
Spam Scoring
For each test that triggers, an addition is made to the email's spam score. More than one test can trigger for a single email, in which case the scores are added together.
SpamTitan Anti-Spoofing Tests
- ANTISPOOF_DOMAIN: This test checks if the sender's and the recipient's domains are the same and that the SPF records match.
  If triggered, the test adds 25 to an email's spam score.
- ANTISPOOF_FUZZY_DOMAIN: This test looks for a one or two character difference between the sender and recipient domain. For example, domain.com would fuzzy match with d0main.com.
  If triggered, this test adds 5 to an email's spam score.
- ANTISPOOF_NAME: This test provides impersonation protection. Impersonation is when spam is sent using the From name of a high profile person in a company, for example, the CEO. This test is automatically enabled when a full name is entered for a user on their user policy. A full name is at least two words (usually first name and last name), e.g. John Smith. Go to Anti-Spam Engine > User Policies to add or edit a user policy.
  If triggered, this test adds 5 to an email's spam score.
- ANTISPOOF_FUZZY_NAME: This test provides additional impersonation protection by checking to see if the email sender's display name (From: name) fuzzy matches the full name (if it has been added) for a user policy. The test looks for a one or two character difference between the sender and full user name. For example, Jonathan Doe would fuzzy match with J0nathan Doe.
  If triggered, this test adds 5 to an email's spam score.
- ANTISPOOF_EMAIL_ADDRESS: This test checks if someone from the same domain is spoofing by checking if the sender's full name on their user policy matches what is in the email.
  If triggered, this test adds 5 to an email's spam score.
User Names
The ANTISPOOF_NAME test carries out a number of checks to compare a user's name as entered on their user policy with the email From name. These checks are described in the table below.
Go to Policies > User Policies to add or edit a user policy to include a user's full name.
Check | Example, From: "John Smith" <js@example.com> |
---|---|
Firstname Lastname | John Smith |
Lastname, Firstname | Smith, John |
F. Lastname or F Lastname | J. Smith or J Smith |
Firstname L. or Firstname L | John S. or John S |
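The sketch below is an added example, not SpamTitan's code: it shows how the name forms in the table, the fuzzy matches and the additive scoring described above could fit together. It assumes that a "one or two character difference" means a Levenshtein edit distance of 1 or 2, and that the name tests fire only when the sender address is not the policy user's own; `run_tests`, `name_variants`, `edit_distance` and the sample messages are hypothetical, and ANTISPOOF_DOMAIN and ANTISPOOF_EMAIL_ADDRESS are left out.

```python
from email.utils import parseaddr

# Scores for these tests as listed on this page.
SCORES = {"ANTISPOOF_FUZZY_DOMAIN": 5, "ANTISPOOF_NAME": 5, "ANTISPOOF_FUZZY_NAME": 5}

def edit_distance(a, b):
    """Levenshtein distance; assumed meaning of 'character difference'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def name_variants(full_name):
    """The display-name forms from the User Names table, lower-cased."""
    parts = full_name.split()
    first, last = parts[0], parts[-1]
    forms = (f"{first} {last}", f"{last}, {first}",
             f"{first[0]}. {last}", f"{first[0]} {last}",
             f"{first} {last[0]}.", f"{first} {last[0]}")
    return {form.lower() for form in forms}

def run_tests(from_header, recipient, policy_name, policy_address):
    """Return (triggered test names, summed score) for one message."""
    display, sender = parseaddr(from_header)
    display, sender = display.lower(), sender.lower()
    sender_dom = sender.rpartition("@")[2]
    rcpt_dom = recipient.lower().rpartition("@")[2]
    hits = []
    if 1 <= edit_distance(sender_dom, rcpt_dom) <= 2:
        hits.append("ANTISPOOF_FUZZY_DOMAIN")
    # Assumption: name tests only fire when the sender is not the user.
    if sender != policy_address.lower():
        if display in name_variants(policy_name):
            hits.append("ANTISPOOF_NAME")
        elif 1 <= edit_distance(display, policy_name.lower()) <= 2:
            hits.append("ANTISPOOF_FUZZY_NAME")
    return hits, sum(SCORES[h] for h in hits)

# Constructed sample messages (not real traffic).
SAMPLES = [
    '"Smith, John" <john.smith@examp1e.com>',
    '"J0hn Smith" <billing@unrelated.org>',
    '"John Smith" <js@example.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, run_tests(header, "finance@example.com", "John Smith", "js@example.com"))
```

The first sample triggers two tests, so its score contribution is 5 + 5 = 10; the third, sent from the user's own address, triggers neither of the tests modelled here.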
This article relates to SpamTitan Skellig.