
Lately we have been receiving a lot of display-name-spoofed emails in our company, impersonating customers and suppliers. Since my co-workers unfortunately do not pay much attention to security warnings, etc., I could not rely on them being aware of the threat. I searched on Google for hours and didn't find a satisfying solution to this, at least not a simple one that didn't involve paid third-party tools, etc.

So I stumbled upon an elegant and simple solution, which is adding the following two lines to the header_checks file:

/^From: (.*@.*) (.*@.*)$/ REPLACE From: "PHISHING!!!" $2
/^Reply-To: (.*@.*) (.*@.*)$/ REPLACE Reply-To: "PHISHING!!!" $2

What these 2 lines do is basically check whether 2 email addresses are present in the From header. If so, we assume that the first one is the spoofed one. Then it simply rewrites the From header, replacing the spoofed sender with PHISHING and keeping the real sender address.

Afterwards, one would just map the modified header_checks file for Postfix:

postmap -r header_checks

Reload the config:

postfix reload

and run a test to see if the header_check is applied correctly:

postmap -q "From: Fake Sender <fake@sender.tld> <real@sender.tld>" regexp:/etc/postfix/header_checks

This command should return something like:

REPLACE From: "PHISHING!!!" <real@sender.tld>

if there is a positive hit. If there is no hit, there will be no output.

I hope this helps someone out there having the same problem.

Regards

  • I think you're supposed to write a question and answer yourself to the question. As is, you're not asking a question. See this for example: https://meta.stackexchange.com/questions/172608/is-it-generally-frowned-upon-to-answer-your-own-question-immediately , https://meta.stackexchange.com/questions/16930/is-it-ok-to-answer-your-own-question-and-accept-it , https://meta.stackexchange.com/questions/17845/etiquette-for-answering-your-own-question. You can still edit it. – A.B Jan 28 '20 at 15:44
  • If you control what your colleagues are using to read their mail, you can add e.g. IMAP flags on the suspicious e-mail. – Piotr P. Karwasz Jan 28 '20 at 18:14

1 Answer

I was having this issue on our company mail server. Since we validate our own email domain, only logged-in users can send as From, therefore I modified your syntax a little bit:

/^From: (.*@.*) <(.*@.*)>$/ REPLACE From: "[POSSIBLE PHISHING] $2" <$2>
/^Reply-To: (.*@.*) <(.*@.*)>$/ REPLACE Reply-To: "[POSSIBLE PHISHING] $2" <$2>

This way, the email receiver can know who the sender is. Your code might cause false positives if some lazy company users set their From name to their email address. Hope this helps.

Another one is spoofing the domain name as the display name; you can use the following code to correct it:

/^From: (.*)\.(.*) <(.*@.*)>$/ REPLACE From: $3 <$3>
/^Reply-To: (.*)\.(.*) <(.*@.*)>$/ REPLACE Reply-To: $3 <$3>
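Worked example, added here as an illustration and not part of either post above: a small Python emulation of how Postfix walks a regexp: header_checks table (rules tried top to bottom, first match wins, case-insensitive by default, $N expanded from capture group N), run over the question's two rules and over the answer's four rules with a handful of constructed From headers. It assumes main.cf points at the table with `header_checks = regexp:/etc/postfix/header_checks` (not shown on the page) and that Python's re engine treats these particular patterns the same way Postfix's regex library does, which holds because they use only `.*`, literals, anchors and plain groups. The sample addresses are placeholders, not real senders. Besides the question's own test header, the samples include an impersonated address used as display name, a bare domain used as display name, a user whose display name is their own address, an ordinary name containing a period, and an ordinary name, so the output shows which headers each rule set rewrites and which it leaves alone.

```python
import re

# Added example: emulation of a Postfix regexp: header_checks lookup.
# Not code from the question or the answer; it only reproduces the
# first-match-wins, case-insensitive, $N-substitution behaviour of
# Postfix regexp tables so the rules above can be exercised offline.

# Rule set from the question: two addresses separated by a space.
QUESTION_RULES = [
    (r"^From: (.*@.*) (.*@.*)$", 'From: "PHISHING!!!" $2'),
    (r"^Reply-To: (.*@.*) (.*@.*)$", 'Reply-To: "PHISHING!!!" $2'),
]

# Rule set from the answer: tag the header but keep the real address
# visible, then its second pair for a domain-looking display name.
ANSWER_RULES = [
    (r"^From: (.*@.*) <(.*@.*)>$", 'From: "[POSSIBLE PHISHING] $2" <$2>'),
    (r"^Reply-To: (.*@.*) <(.*@.*)>$", 'Reply-To: "[POSSIBLE PHISHING] $2" <$2>'),
    (r"^From: (.*)\.(.*) <(.*@.*)>$", "From: $3 <$3>"),
    (r"^Reply-To: (.*)\.(.*) <(.*@.*)>$", "Reply-To: $3 <$3>"),
]


def apply_header_checks(header, rules):
    """Return the REPLACE result of the first matching rule, or None if no rule fires."""
    for pattern, replacement in rules:
        m = re.match(pattern, header, re.IGNORECASE)
        if m:
            # Expand $1..$9 from the capture groups, as Postfix does for the RHS.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


# Constructed sample headers; .invalid and example.com are reserved placeholder names.
SAMPLE_HEADERS = [
    "From: Fake Sender <fake@sender.tld> <real@sender.tld>",  # the question's own test line
    "From: ceo@example.com <attacker@mail.invalid>",           # impersonated address as display name
    "From: example.com <attacker@mail.invalid>",               # bare domain as display name
    "From: jane@example.com <jane@example.com>",               # user's own address as display name
    "From: Dr. Jane Doe <jane@example.com>",                   # ordinary display name with a period
    "From: Jane Doe <jane@example.com>",                       # ordinary display name
]


def run_samples(rules):
    """Map each sample header to its rewrite; None means the rule set leaves it untouched."""
    return {h: apply_header_checks(h, rules) for h in SAMPLE_HEADERS}


if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("answer", ANSWER_RULES)):
        print(f"== {name} rules ==")
        for header, result in run_samples(rules).items():
            print(f"{header!r:58} -> {result!r}")
```

The output makes the reach of each rule set visible: the question's rules rewrite the header only when two addresses are present, so the bare-domain case passes through them untouched and needs the answer's second pair; that second pair, in turn, strips the display name from any header whose display name contains a period, including "Dr. Jane Doe"; and a plain display-name impersonation such as `Jane Doe <attacker@mail.invalid>` matches nothing in either set, so these checks catch two specific patterns rather than display-name spoofing in general. On a real Postfix host, `postmap -q "<header>" regexp:/etc/postfix/header_checks`, as shown in the question, is the authoritative check and should agree with this emulation for these inputs.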