Lately we receive a lot of display-name spoofed emails in our company, impersonating customers and suppliers. Since my co-workers unfortunately do not pay much attention to security warnings, etc., I could not rely on them being aware of the threat. I searched on Google for hours and didn't find a satisfying solution to this, at least not a simple one which didn't involve paid third-party tools, etc.
So I stumbled upon an elegant as well as simple solution, which is adding the following two lines to the header_checks file:
/^From: (.*@.*) (.*@.*)$/ REPLACE From: "PHISHING!!!" $2
/^Reply-To: (.*@.*) (.*@.*)$/ REPLACE Reply-To: "PHISHING!!!" $2
What these two lines do is basically check whether two email addresses are present in the From header (the same for Reply-To). If so, we assume that the first one, sitting in the display-name part, is the spoofed one. The rule then simply rewrites the From header, replacing the spoofed sender with PHISHING!!! and keeping the real sender address, which is captured as $2.
Afterwards you would just map the modified header_checks file for Postfix:
postmap -r header_checks
Reload the config:
postfix reload
and run a test to verify that the header check is applied correctly:
postmap -q "From: Fake Sender <fake@sender.tld> <real@sender.tld>" regexp:/etc/postfix/header_checks
This command should return something like:
REPLACE From: "PHISHING!!!" <real@sender.tld>
if there is a positive hit. If there is no match, there will be no output.
I hope this helps someone out there having the same problem.
Regards