How to block this type of spam emails when the mail from is domain account. - ORF Forums


1

How to block this type of spam email when the mail From: is a domain account but the mailto: is a non-domain email.
Example:
real domain user From: John Doe
spam email From: John Doe

It looks like "MIME From header spoofing".
Thank you.

by Drew.Lopshire 5 years ago
2

Hello Drew,

This one is tricky because the spammers only spoofed the display name, but not the actual email address. You will have to use a modified version of the "header filter" which you are most probably already familiar with (from: https://vamsoft.com/support/docs/articles/how-to-blacklist-self-spam#mime-sender-spoofing) to blacklist these emails.

The "header filter" should be added to the Blacklists > Keyword Blacklist of the ORF Administration Tool. Click New, select search scope Email header (raw MIME). Select the Filter expression tab, set the expression type to regular expression and enter the following expression:

.*^From:[^\r\n]*(Name1|Name2|Name3)[^\r\n]*\b[^\r\n]*@(?!yourdomain\.tld)\b[^\r\n]*\s$

The above pattern will match the specified display name(s) *only* if the domain found in the email address does not match yours. Note that this filter may block legitimate emails if you add common names; hopefully your CEO is not called "John Smith" :)

For the filter to work properly, you have to replace the "Name1, Name2, Name3, etc." and "yourdomain" placeholders, and if necessary the "com" TLD as well. You may list additional names inside the parentheses by separating them with the "|" vertical bar (or pipe) character. I hope this helps.

by Daniel Novak (Vamsoft) 5 years ago
3

@Daniel Novak (Vamsoft): Hello Daniel,

Thank you for your answer. We also thought about it, but the problem is that we have a lot of users in our company, and adding a new name to the filter each time is not the best solution. Is there any way to do it automatically?

by Spambulance911 5 years ago
(in reply to this post)

4

@Spambulance911: Yes, there is. Though, it would take some time (and scripting skills) to set it up.

The External Agent test of ORF can use any external command line agent to perform additional checks by providing the agent with a copy of the incoming email - in an .eml format. Thus, if you could write a script that would match the contents of the .eml against a "header filter" (i.e. regex pattern) that is periodically updated to contain all user names, then you could configure ORF to use that as an additional blacklist test. If you want to learn more about External Agents and how to configure them in ORF, please consult the related help page at https://vamsoft.com/support/docs/orf-help/5.5/adm-agents

by Daniel Novak (Vamsoft) 5 years ago
(in reply to this post)

5

Hi Daniel,

This pattern: .*^From:[^\r\n]*(Name One|Name Two|Name Three|IT|Name Four|Name Five|Name Six|Name Seven)[^\r\n]*\b[^\r\n]*@(?!ourdomain\.tld)\b[^\r\n]*\s$

blocks legitimate emails. This is an example:
Received: from xxxx.accesssoftek.com (x.x.x.x) by
xxxx.accesssoftek.com (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2 via Mailbox Transport; Wed, 25 Jul 2018 16:44:53 -0700
Received: from xxxx.accesssoftek.com (x.x.x.x) by
xxxx.accesssoftek.com (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2; Wed, 25 Jul 2018 16:44:52 -0700
Received: from smtp.github.com (192.30.252.194) by
xxxx.accesssoftek.com (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2 via Frontend Transport; Wed, 25 Jul 2018 16:44:51 -0700
Date: Wed, 25 Jul 2018 16:44:50 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
s=pf2014; t=1532562290;
bh=5fG+tt1NOxCiP9oRAM2c7pNeB0DLZg3hHxuL6wrACf0=;
h=Date:From:To:Subject:From;
b=LiHSAnSh0S07iJWw3IHZf+v4QUc2Ezrqsm298HxC89BwajgbhEOSV9n9xv83tMgYe
4dbznJOOfi+fWPEB/tS/m0hy69sUTV9QeETnFeti2LxMQTR+J4QMMYEAQ0Dug0foQs
n47qzbwCu35Fx8E87oVIsl+5Yg+XJaV4MrjztWW8=
From: GitHub <>
To: o-ran <>
Message-ID: <>
Subject: [GitHub] Please verify your email address.
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_5b590b72e0533_642c3fd6294d45c48280";
charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: All
X-GitHub-Verify: o-ran
Return-Path:
X-MS-Exchange-Organization-Network-Message-Id: 639ac9b0-7ba2-4885-e8a3-08d5f2889e32
X-MS-Exchange-Organization-AuthSource: xxxx.accesssoftek.com
X-MS-Exchange-Organization-AuthAs: Anonymous

by Spambulance911 5 years ago
6

missed part:
From: GitHub
To: o-ran

by Spambulance911 5 years ago
7

@Spambulance911: It took us some head scratching to figure out why this happened, but we have found the problem. *drumroll* The regex matches the "it" in 'GitHub'. This is because the expression is case-insensitive and allows additional characters before and after the names specified between the parentheses (in case the spammers try {name} or [name], for example), which is a non-issue with unique full names. However, that is not the case with "IT". In its current form the regex would match, for example: Mr. Chris Doner, {[Chris Doner]}, foochris donerbar, fooITbar, foo.it.bar.

To resolve the issue, use (?-i:IT) in place of "IT" in the regex pattern to make the "IT" part case-sensitive. This will still match GITHUB, or ITALY, so you might want to add some spaces before and after (?-i:IT) to further limit the possible matches - though it would still match IT in 'BEST IT EVER', but it would also protect against phishing attempts such as '100% Real Accesssoftek IT'.

The updated regex would look like this:

.*^From:[^\r\n]*(Name One|Name Two|Name Three| (?-i:IT) |Name Four|Name Five|Name Six|Name Seven)[^\r\n]*\b[^\r\n]*@(?!ourdomain\.tld)\b[^\r\n]*\s$

Let me know if you would need any other changes.

by Daniel Novak (Vamsoft) 5 years ago
(in reply to this post)
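As an added example (not ORF's or Vamsoft's code) tying together the header filter from the second post, the External Agent idea from the fourth and the (?-i:IT) fix from this post: a Python script that builds the filter from a name list, checks an .eml, and shows why the plain "IT" entry flagged the GitHub mail. The domain, the names, the sample .eml fragments and the idea of regenerating the name list from a directory export are assumptions.

```python
import email
import re
from email.header import decode_header, make_header

# Constructed inputs: the protected domain and its users' display names. In the
# External Agent setup from the thread the list would be regenerated periodically
# from a directory export (an assumption, not an ORF feature).
OUR_DOMAIN = "ourdomain.tld"
USER_NAMES = ["Name One", "Name Two", "IT", "John Doe"]

def build_pattern(names, domain, fix_short=True):
    """Build the thread's header filter as a Python regex.

    Short names such as "IT" are wrapped in (?-i:...) and padded with spaces, as
    the thread suggests, so the case-insensitive scan no longer hits the "it" in
    "GitHub"; fix_short=False reproduces that false positive. ORF's leading ".*"
    and trailing "\\s$" are dropped: the pattern runs on one unfolded header line.
    """
    alts = []
    for name in names:
        esc = re.escape(name)
        alts.append(rf" (?-i:{esc}) " if fix_short and len(name) <= 3 else esc)
    return re.compile(
        r"^From:[^\r\n]*(" + "|".join(alts) + r")[^\r\n]*@(?!"
        + re.escape(domain) + r")[^\r\n]*$",
        re.IGNORECASE,
    )

def from_header(eml_text):
    """From: header, unfolded and with RFC 2047 encoded words decoded, so a
    protected name hidden inside =?utf-8?b?...?= is still inspected."""
    msg = email.message_from_string(eml_text)
    decoded = str(make_header(decode_header(msg.get("From", ""))))
    return "From: " + " ".join(decoded.split())

def is_display_name_spoof(eml_text, pattern):
    """True when a protected display name is paired with a non-company address."""
    return pattern.search(from_header(eml_text)) is not None

# Constructed .eml fragments (headers only, bodies omitted).
LEGIT = "From: John Doe <jdoe@ourdomain.tld>\r\nSubject: hi\r\n\r\nbody\r\n"
SPOOF = "From: =?utf-8?b?Sm9obiBEb2U=?= <jdoe@mail.example>\r\nSubject: hi\r\n\r\nbody\r\n"
GITHUB = "From: GitHub <noreply@github.com>\r\nSubject: verify\r\n\r\nbody\r\n"

if __name__ == "__main__":  # as an agent, map the verdict to ORF's result per its help page
    fixed = build_pattern(USER_NAMES, OUR_DOMAIN)
    for label, eml in (("legit", LEGIT), ("spoof", SPOOF), ("github", GITHUB)):
        print(label, is_display_name_spoof(eml, fixed))
```

The regex keeps the thread's negative lookahead unchanged, so it treats any address whose domain merely starts with "ourdomain.tld" as internal; tighten it to your own naming if subdomains or look-alike domains matter to you.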

8

@Daniel Novak (Vamsoft): Thank you for your help. We'll test.

by Spambulance911 5 years ago
(in reply to this post)

9

@Daniel Novak (Vamsoft): Hi Daniel,

kindly illustrate your regex above with the below,

real domain user: John Doe

by bmmutuma 3 years ago
(in reply to this post)

10

@Daniel Novak (Vamsoft): Hi Daniel,

kindly illustrate your regex above with the below,

real domain user: John Doe

by bmmutuma 3 years ago
(in reply to this post)

11

@bmmutuma: Hello bmmutuma,

You may find the requested example below:

.*^From:[^\r\n]*(John Doe)[^\r\n]*\b[^\r\n]*@(?!ourdomain\.tld)\b[^\r\n]*\s$

by Daniel Novak (Vamsoft) 3 years ago
(in reply to this post)
