Blocking email display name spoofing in Messaging Gateway

Article ID: 382647


Products

Messaging Gateway

Issue/Introduction

One method of impersonating individuals within an organization is to modify the email message's From display name value to show an email address which is not the actual return address of the message.

From: "CEO - [email protected]" <[email protected]>
To: "All staff" <[email protected]>
Subject: ACTION REQUIRED!

Many email clients display only "CEO - [email protected]" and not the actual From address, which can confuse recipients about the true source of the email. Because the From header contains a valid return address, a message like this can pass a DMARC sender authentication check while still deceiving unwary end users, since the mail client does not display the full contents of the From header.

Resolution

To mitigate this risk, Messaging Gateway administrators can create a content policy that checks, whenever the friendly display name in the From header contains an email address, that its domain matches the domain of the actual email address in the From header.

  1. Ensure that DMARC Sender Authentication is enabled in Spam > Sender Authentication
  2. Ensure that the DMARC Sender Authentication policies are enabled in Content > Policies and assigned to all policy groups
  3. Create a Content rule to ensure that, for messages with an email address in the friendly display part of the From header, the domain of that address matches the domain of the actual From address

Example

  1. Create a Content rule with the following conditions
    1. If text in Message header "From" contains 2 or more occurrences of "@"
    2. If text in From: address part of the message does not match regular expression ".*@(.\S+)"\s+<\S+@\1> (the double quote at the start and the one after the captured domain are part of the expression)
    3. Specify that "All" conditions have to be met
  2. Take a nondestructive action for matching messages. For example, the messages could be quarantined via the Create a Quarantine Incident action

The example rule above first checks whether there are two or more @ symbols in the From header. If so, the second condition attempts to match the domain following the first @ symbol (the address in the friendly display name) against the domain of the actual sender email address; a message is caught when the two domains differ.
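The rule logic described above, reproduced offline as an added example (this is not Messaging Gateway code; it applies the article's regular expression and "@" count to constructed From header lines, and assumes the expression is evaluated against the whole header value). It also shows two caveats that the closing advice to test rules carefully applies to: the backreference is an exact, case-sensitive comparison, and an unquoted display name never matches the expression.

```python
import re

# Regex from the article's second rule condition. The group captures the domain
# of the address inside the quoted display name; \1 is a backreference, so the
# real From address must end in exactly that domain for the header to match.
DISPLAY_DOMAIN_MATCH = re.compile(r'".*@(.\S+)"\s+<\S+@\1>')


def from_header_value(header_line: str) -> str:
    """Return the value of a 'From:' header line with the field name stripped."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "from":
        raise ValueError("not a From header line: %r" % header_line)
    return value.strip()


def is_display_name_spoof(header_line: str) -> bool:
    """Apply both rule conditions, ANDed as the article's rule requires.

    Condition 1: the From header contains two or more '@' characters.
    Condition 2: the header does NOT match DISPLAY_DOMAIN_MATCH.
    Assumption: the regex is evaluated against the whole header value.
    """
    value = from_header_value(header_line)
    has_two_at_signs = value.count("@") >= 2
    domains_agree = DISPLAY_DOMAIN_MATCH.search(value) is not None
    return has_two_at_signs and not domains_agree


# Constructed sample headers; example.com and evil-example.invalid are placeholders.
SAMPLE_HEADERS = [
    # Display name shows an example.com address, real sender elsewhere: flagged.
    'From: "CEO - ceo@example.com" <attacker@evil-example.invalid>',
    # Display-name address and real address share a domain: delivered.
    'From: "CEO - ceo@example.com" <ceo@example.com>',
    # Only one '@', so condition 1 fails and the rule never fires.
    'From: "All staff" <staff@example.com>',
    # Caveat: \1 is an exact, case-sensitive comparison, so a subdomain or a
    # differently capitalised domain in the display name is flagged too.
    'From: "ceo@mail.example.com" <ceo@example.com>',
    'From: "ceo@Example.com" <ceo@example.com>',
    # Caveat: an unquoted display name never matches the regex, so it is
    # flagged even when the domains agree (a false positive to test for).
    'From: CEO ceo@example.com <ceo@example.com>',
]

if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        flagged = is_display_name_spoof(line)
        print("quarantine" if flagged else "deliver   ", line)
```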

This is a simple example; the conditions for matching messages that attempt to spoof a sender address in the friendly display name can be made both domain and recipient specific as needed.

The information above is purely for example purposes and SMG administrators should carefully test any content filtering rules to ensure that they do not match messages unexpectedly.