How to block this type of spam emails when the mail from is domain account. RSS Back to forum
Hello Drew,
This one is tricky because the spammers only spoofed the display name, but not the actual email address. You will have to use a modified version of the "header filter" which you are most probably already familiar with (from: https://vamsoft.com/support/docs/articles/how-to-blacklist-self-spam#mime-sender-spoofing) to blacklist these emails.
The "header filter" should be added to the Blacklists > Keyword Blacklist of the ORF Administration Tool. Click New, select search scope Email header (raw MIME). Select the Filter expression tab, set the expression type to regular expression and enter the following expression:
.*^From:[^\r\n]*(Name1|Name2|Name3)[^\r\n]*\b[^\r\n]*@(?!yourdomain\.tld)\b[^\r\n]*\s$
The above pattern will match the specified display name(s) *only* if the domain found in the email address does not match yours. Note that this filter may block legitimate emails if you add common names, hopefully, your CEO is not called "John Smith" :)
For the filter to work properly, you have to replace the "Name1, Name2, Name3, etc." and "yourdomain" placeholders, and if necessary the "com" TLD as well. You may list additional names inside the parentheses by separating them with the "|" vertical bar (or pipe) character. I hope this helps.
@Daniel Novak (Vamsoft):
Hello Daniel,
Thank you for your answer. We also thought about it but the problem that we have a lot of users in our company and adding a new name to a filter each time not the best solution. Is there any way to do it automatically?
@Spambulance911:
Yes, there is. Though, it would take some time (and scripting skills) to set it up.
The External Agent test of ORF can use any external command line agent to perform additional checks by providing the agent with a copy of the incoming email - in an .eml format. Thus, if you could write a script that would match the contents of the .eml against a "header filter" (i.e. regex pattern) that is periodically updated to contain all user names, then you could configure ORF to use that as an additional blacklist test. If you want to learn more about External Agents and how to configure them in ORF, please consult the related help page at https://vamsoft.com/support/docs/orf-help/5.5/adm-agents
Hi Daniel,
This pattern: .*^From:[^\r\n]*(Name One|Name Two|Name Three|IT|Name Four|Name Five|Name Six|Name Seven)[^\r\n]*\b[^\r\n]*@(?!ourdomain\.tld)\b[^\r\n]*\s$
Block legitimate emails. This is an example:
Received: from xxxx.accesssoftek.com (x.x.x.x) by
xxxx.accesssoftek.com (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2 via Mailbox Transport; Wed, 25 Jul 2018 16:44:53 -0700
Received: from xxxx.accesssoftek.com (x.x.x.x) by
xxxx.accesssoftek.com (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2; Wed, 25 Jul 2018 16:44:52 -0700
Received: from smtp.github.com (192.30.252.194) by
xxxx.accesssoftek.com (x.x.x.x) with Microsoft SMTP Server (TLS)
id 15.0.1347.2 via Frontend Transport; Wed, 25 Jul 2018 16:44:51 -0700
Date: Wed, 25 Jul 2018 16:44:50 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
s=pf2014; t=1532562290;
bh=5fG+tt1NOxCiP9oRAM2c7pNeB0DLZg3hHxuL6wrACf0=;
h=Date:From:To:Subject:From;
b=LiHSAnSh0S07iJWw3IHZf+v4QUc2Ezrqsm298HxC89BwajgbhEOSV9n9xv83tMgYe
4dbznJOOfi+fWPEB/tS/m0hy69sUTV9QeETnFeti2LxMQTR+J4QMMYEAQ0Dug0foQs
n47qzbwCu35Fx8E87oVIsl+5Yg+XJaV4MrjztWW8=
From: GitHub <>
To: o-ran <>
Message-ID: <>
Subject: [GitHub] Please verify your email address.
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_5b590b72e0533_642c3fd6294d45c48280";
charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Auto-Response-Suppress: All
X-GitHub-Verify: o-ran
Return-Path:
X-MS-Exchange-Organization-Network-Message-Id: 639ac9b0-7ba2-4885-e8a3-08d5f2889e32
X-MS-Exchange-Organization-AuthSource: xxxx.accesssoftek.com
X-MS-Exchange-Organization-AuthAs: Anonymous
@Spambulance911:
It took us some head scratching to figure out why did this happen, but we have found the problem. *drumroll* the regex matches the "it" in 'GitHub'. This is because the expression is case-insensitive and allows additional characters before and after the names specified between the parentheses (in case the spammers try {name} or [name] for example), which is a non-issue with unique full names. However, that is not the case with "IT". In its current form the regex would match, for example: Mr. Chris Doner, {[Chris Doner]}, foochris donerbar, fooITbar, foo.it.bar.
To resolve the issue, use (?-i:IT) in place of "IT" in the regex pattern to make the "IT" part case-sensitive. This will still match GITHUB, or ITALY, so you might want to add some spaces before and after (?-i:IT) to further limit the possible matches - though it would still match IT in 'BEST IT EVER', but it would also protect against phishing attempts such as '100% Real Accesssoftek IT'.
The updated regex would like this:
.*^From:[^\r\n]*(Name One|Name Two|Name Three| (?-i:IT) |Name Four|Name Five|Name Six|Name Seven)[^\r\n]*\b[^\r\n]*@(?!ourdomain\.tld)\b[^\r\n]*\s$
Let me know if you would need any other changes.
@Daniel Novak (Vamsoft):
Hi Daniel,
kinldly ilistrate your regx above with the below,
real domain user: John Doe
@Daniel Novak (Vamsoft):
Hi Daniel,
kindly illustrate your regex above with the below,
real domain user: John Doe
@bmmutuma:
Hello bmmutuma,
You may find the requested example below:
.*^From:[^\r\n]*(John Doe)[^\r\n]*\b[^\r\n]*@(?!ourdomain\.tld)\b[^\r\n]*\s$
How to block this type of spam emails when the mail from: is domain account but mailto: is nondomain email.
Example:
real domain user From: John Doe
spam email From: John Doe
It looks like a "MIME/From header spoofing"
Thank you.