Tips: Block Email Spoofing by Display Name


For those of you who have received display-name spoofing emails like the following:

Please try the following tip. Since I use Zimbra, this is how I did it. Create a file named from_checks:

su - zimbra
vi /opt/zimbra/conf/from_checks

Put the following in it:

/^From:(.*@)+(.*@)/ HOLD it looks like you are spam

Explanation: the pattern matches when the From: header contains two @ signs, in other words when the display name itself looks like an email address, as in "imanudin@imanudin.net" <spam@spam.xyz>. Postfix then moves the message to the hold queue and writes "it looks like you are spam" in the log. A From: header with only one @, for example a display name of just "admin" in front of the real address, does not match this rule. HOLD can be replaced with REJECT, which refuses the message with a 5xx error so the sending server knows it was not delivered, or DISCARD, which accepts the message and silently deletes it. Start with HOLD and review what gets caught before switching to REJECT, because header_checks are applied to every message cleanup(8) handles, including mail sent by your own users.

Run the following commands to add the header check and reload Postfix:

zmprov ms `zmhostname` zimbraMtaHeaderChecks "pcre:/opt/zimbra/conf/postfix_header_checks,pcre:/opt/zimbra/conf/from_checks"
zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
postfix reload

Here is an example of the log entry and the held message after this change:

D6CAE2811C34: hold: header From: "imanudin@imanudin.net" <spam@spam.xyz> from unknown[120.xxx.xxx.xx]; from=<spam@spam.xyz> to=<cilox@imanudin.com> proto=ESMTP helo=: it looks like you are spam
Nov  1 23:45:45 myzimbra postfix/cleanup[17284]: D6CAE2811C34: message-id=<c8432028-4616-fcea-2280-699b7e22058e@spam.xyz>

Example mailq output:

[zimbra@myzimbra ~]$ mailq
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
D6CAE2811C34!     626 Thu Nov  1 23:45:45  spam@spam.xyz
                                         cilox@imanudin.com

-- 1 Kbytes in 1 Requests.

In the Queue ID column, the exclamation mark (!) after the ID means the message is on hold (HOLD).
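The check above, together with the domain whitelist and the "is the display name different from the real address?" question raised in the comments below, can be tried offline before touching Postfix. The Python script here is an added example, not code from the original post or from Zimbra or Postfix: it emulates how cleanup(8) walks a pcre header_checks table (the first matching rule wins, and patterns are case-insensitive by default) and runs the post's table, plus a generalised single-rule version, over constructed From: headers. example.com stands in for your own domain, and every header in it is a constructed sample.

```python
"""Test a Postfix pcre header_checks table offline.

Added example, not code from the original post nor from Zimbra or Postfix.
It emulates the two cleanup(8) behaviours that matter for a from_checks
table (first matching pattern wins, pcre patterns are case-insensitive
unless flagged otherwise) so a table can be checked against sample From:
headers before running postfix reload. All headers below are constructed,
and example.com is an assumed stand-in for your own domain.
"""
import base64
import re

# Table 1: the post's from_checks with the domain whitelist from the comment
# reply placed first. "^From:(.*@)+(.*@)" is a slower way of writing
# "^From:.*@.*@": it matches any From: header that carries two @ signs.
POST_TABLE = [
    (r"^From:(.*@example\.com)+(.*@example\.com)", "OK", "domain whitelist"),
    (r"^From:(.*@)+(.*@)", "HOLD", "it looks like you are spam"),
]

# Table 2: one rule answering the question from the comments. Group 1
# captures an address-like display name; the backreference inside a negative
# lookahead (supported by PCRE and by Python's re) fails the match when the
# same address follows inside <...>, so no whitelist is needed.
STRICT_TABLE = [
    (r'^From:\s*"?([^"<]*@[^"<>\s]+)"?\s*<(?!\1>)', "HOLD",
     "display name carries a different address"),
]


def check_header(header, table):
    """Return (action, text) of the first rule matching header, else None.

    None corresponds to Postfix falling through the table (DUNNO).
    """
    for pattern, action, text in table:
        if re.search(pattern, header, re.IGNORECASE):
            return (action, text)
    return None


def evaluate(table, samples):
    """Map each sample name to the action its From: header would get."""
    result = {}
    for name, header in samples.items():
        hit = check_header(header, table)
        result[name] = hit[0] if hit else "DUNNO"
    return result


# Constructed From: headers; the first is modelled on the log line in the post.
SAMPLES = {
    # display-name spoof: an address in quotes, a different address in <...>
    "spoof": 'From: "imanudin@imanudin.net" <spam@spam.xyz>',
    # monitoring system on our own domain using its address as display name
    "monitor": 'From: "zabbix@example.com" <zabbix@example.com>',
    # same harmless pattern from a foreign domain, which is not whitelisted
    "foreign_same": 'From: "ops@other.org" <ops@other.org>',
    # ordinary mail with a single @
    "plain": "From: Alice Example <alice@example.com>",
    # the same spoofed display name RFC 2047 encoded: base64 contains no @,
    # so a raw-header regex cannot see it
    "encoded": "From: =?UTF-8?B?"
               + base64.b64encode(b'"imanudin@imanudin.net"').decode("ascii")
               + "?= <spam@spam.xyz>",
}

if __name__ == "__main__":
    for label, table in (("post table", POST_TABLE), ("strict table", STRICT_TABLE)):
        print(label, evaluate(table, SAMPLES))
```

The post's table holds the spoof but also holds the harmless "ops@other.org" message, which is the false positive reported in the comments; the strict rule holds only the spoof and needs no whitelist. Both tables miss the RFC 2047 encoded variant, because header_checks see the raw header bytes, so treat this as a filter for the common lazy spoof rather than a complete defence. Against the real server, `postmap -q 'From: "imanudin@imanudin.net" <spam@spam.xyz>' pcre:/opt/zimbra/conf/from_checks` prints the action a header would get, `postcat -q QUEUEID` shows a held message, and `postsuper -H QUEUEID` releases it once you are sure it is legitimate.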

The tip above is only one of several ways to reduce incoming spam. For those of you who still receive a lot of spam of other kinds, please try the following service: https://www.excellent.co.id/asav. Free trial for 1 week 🙂

Please give it a try, and I hope it is useful 🙂

23 comments

  1. how do i make a regex to block the following spoof?

    From: Sanga Collins

    only the display name is faked, but the Gmail server is legit 🙁

    1. I guess I cannot type an email address in the comments.

      From: Sanga Collins

      the Gmail address is legit, I just broke it up so that it shows in a comment

  2. /^From:.*"Sanga Collins" +(?!.*@yourcompany\.com)(.+)/ HOLD

    this is the regex to match and hold your user name + any address that is not your company domain.

    1. Hi Sanga C,
      Thanks for sharing. You can allow your own email on the first line and drop all the others:

      /^From:.*"Sanga Collins" +<?(yourgmail@gmail\.com)>?/ OK
      /^From:.*"Sanga Collins" +(.*@)/ HOLD it looks like you are spam
      
  3. Hi Ahmad Imanudin,

    There are many false positives, because several emails from my domain send Display name as the e-mail itself.
    As below:
    hold: header From: "zabbix@mydomain.com" from unknown[x.x.x.x]; from= to= proto=ESMTP helo=: it looks like you are spam

    Any way to get around it so check if the Display name is different from the actual email?

    Regards,
    Luciano da Silva.

    1. Hello Luciano,
      You can allow email that comes from your domain. Please insert this line as the first line:

      /^From:(.*@imanudin\.com)+(.*@imanudin\.com)/ OK domain whitelist
      

      Adjust it to your own domain.

      1. Hello Ahmad,

        I see,
        But the problem is that I have so many domains to add and it's impractical for me to add them individually.

        Any solution?
        Att/Regards,
        Luciano da Silva Gomes.

  4. Hello Mr. Ahmad,
    what if the display name is only "admin"?

    /^From:(.*admin)+(.*admin)/ HOLD it looks like you are spam (does not work)

    it still reaches the inbox

  5. Hello Mr. Ahmad Imanudin
    I administer Zimbra 8.0.7_GA_6021.FOSS.
    When I tried executing the command below, I got the following error. Do you know how to make this work in 8.0.7_GA_6021.FOSS?

    zmprov ms `zmhostname` zimbraMtaHeaderChecks "pcre:/opt/zimbra/conf/postfix_header_checks,pcre:/opt/zimbra/conf/from_checks"
    ERROR: account.INVALID_ATTR_NAME (invalid attr name: invalid attr name - unable to modify attributes: zimbraMtaHeaderChecks: attribute type undefined)

    Thanks
    Murugesan Rajarethinam

      1. Hi, I have the same problem.

        Here is the output I got:

        zmlocalconfig -s | grep -i header
        postfix_always_add_missing_headers = yes
        postfix_header_checks = pcre:${zimbra_home}/conf/postfix_header_checks
        postfix_smtpd_sasl_authenticated_header = no
        zimbra_http_originating_ip_header = X-Forwarded-For

  6. Mr. Ahmad, I would like to ask: if Zimbra is multi-server, is this configuration installed on the proxy MTA or on the SMTP MTA?
    thank you 🙂
