How to block this type of spam emails when the mail from is domain account. - ORF Forums

How to block this type of spam emails when the mail from is domain account. RSS Back to forum


How to block this type of spam emails when the mail from: is domain account but mailto: is nondomain email.
real domain user From: John Doe
spam email From: John Doe

It looks like a "MIME/From header spoofing"
Thank you.

by Drew.Lopshire 1 year ago

Hello Drew,

This one is tricky because the spammers only spoofed the display name, but not the actual email address. You will have to use a modified version of the "header filter" which you are most probably already familiar with (from: to blacklist these emails.

The "header filter" should be added to the Blacklists > Keyword Blacklist of the ORF Administration Tool. Click New, select search scope Email header (raw MIME). Select the Filter expression tab, set the expression type to regular expression and enter the following expression:


The above pattern will match the specified display name(s) *only* if the domain found in the email address does not match yours. Note that this filter may block legitimate emails if you add common names, hopefully, your CEO is not called "John Smith" :)

For the filter to work properly, you have to replace the "Name1, Name2, Name3, etc." and "yourdomain" placeholders, and if necessary the "com" TLD as well. You may list additional names inside the parentheses by separating them with the "|" vertical bar (or pipe) character. I hope this helps.

by Daniel Novak (Vamsoft) 1 year ago

@Daniel Novak (Vamsoft): Hello Daniel,

Thank you for your answer. We also thought about it but the problem that we have a lot of users in our company and adding a new name to a filter each time not the best solution. Is there any way to do it automatically?

by Spambulance911 1 year ago
(in reply to this post)


@Spambulance911: Yes, there is. Though, it would take some time (and scripting skills) to set it up.

The External Agent test of ORF can use any external command line agent to perform additional checks by providing the agent with a copy of the incoming email - in an .eml format. Thus, if you could write a script that would match the contents of the .eml against a "header filter" (i.e. regex pattern) that is periodically updated to contain all user names, then you could configure ORF to use that as an additional blacklist test. If you want to learn more about External Agents and how to configure them in ORF, please consult the related help page at

by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)


Hi Daniel,

This pattern: .*^From:[^\r\n]*(Name One|Name Two|Name Three|IT|Name Four|Name Five|Name Six|Name Seven)[^\r\n]*\b[^\r\n]*@(?!ourdomain\.tld)\b[^\r\n]*\s$

Block legitimate emails. This is an example:
Received: from (x.x.x.x) by (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2 via Mailbox Transport; Wed, 25 Jul 2018 16:44:53 -0700
Received: from (x.x.x.x) by (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2; Wed, 25 Jul 2018 16:44:52 -0700
Received: from ( by (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2 via Frontend Transport; Wed, 25 Jul 2018 16:44:51 -0700
Date: Wed, 25 Jul 2018 16:44:50 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;
s=pf2014; t=1532562290;
From: GitHub
To: o-ran
Subject: [GitHub] Please verify your email address.
MIME-Version: 1.0
Content-Type: multipart/alternative;
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: All
X-GitHub-Verify: o-ran
X-MS-Exchange-Organization-Network-Message-Id: 639ac9b0-7ba2-4885-e8a3-08d5f2889e32
X-MS-Exchange-Organization-AuthAs: Anonymous

by Spambulance911 1 year ago

missed part:
From: GitHub
To: o-ran

by Spambulance911 1 year ago

@Spambulance911: It took us some head scratching to figure out why did this happen, but we have found the problem. *drumroll* the regex matches the "it" in 'GitHub'. This is because the expression is case-insensitive and allows additional characters before and after the names specified between the parentheses (in case the spammers try {name} or [name] for example), which is a non-issue with unique full names. However, that is not the case with "IT". In its current form the regex would match, for example: Mr. Chris Doner, {[Chris Doner]}, foochris donerbar, fooITbar,

To resolve the issue, use (?-i:IT) in place of "IT" in the regex pattern to make the "IT" part case-sensitive. This will still match GITHUB, or ITALY, so you might want to add some spaces before and after (?-i:IT) to further limit the possible matches - though it would still match IT in 'BEST IT EVER', but it would also protect against phishing attempts such as '100% Real Accesssoftek IT'.

The updated regex would like this:

.*^From:[^\r\n]*(Name One|Name Two|Name Three| (?-i:IT) |Name Four|Name Five|Name Six|Name Seven)[^\r\n]*\b[^\r\n]*@(?!ourdomain\.tld)\b[^\r\n]*\s$

Let me know if you would need any other changes.

by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)


@Daniel Novak (Vamsoft): Thank you for your help. We'll test.

by Spambulance911 1 year ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2