eMail Name fakers [message #138993]
Tue, 27 March 2018 16:52
Spacey
Messages: 143 Registered: July 2011
Hi,
For some time now we have been getting spammed by outside spammers: the emails come from external servers & accounts, but only the sender names are faked to our own employees' names. Of course the spam text itself is obvious, but it annoys many people here. The problem: we have the whole company team incl. eMails on our website, and I guess the spammers just grabbed that information and now send spam with our own names.
Is there any way to block external sender names matching our own employee names?! Some cross name database check or whatever?!
So if an eMail comes in from "Eric Price" <whatever@external-spam-domain.com> to some existing eMail recipient where "Eric Price" for example is a real existing person in our Kerio?!
Thx!

Re: eMail Name fakers [message #139003 is a reply to message #138993]
Wed, 28 March 2018 03:22
j.a.duke
Messages: 239 Registered: October 2006
@Spacey:
You didn't list what you have enabled to combat the spam. Or what version of Connect.
Are you using any blacklists?
SpamAssassin?
Kerio Anti-Spam?
Custom rules?
What's your tag setting? Block setting?
I'm sure there's more, but those answers will be a good start.
Thanks.
Cheers,
Jon

Re: eMail Name fakers [message #139012 is a reply to message #139003]
Wed, 28 March 2018 09:25
Spacey
Messages: 143 Registered: July 2011
Hi...
General Settings: Spam-Tag: 5 / Block: 9
Kerio Anti-Spam: Enabled (Add 6 points)
SpamAssassin: Enabled
RBL's: SpamCop (add 5), SpamHaus ZEN (add 5), SORBS DNSBL (add 2.5), NiX Spam Manitu (add 5), Barracuda Networks (add 3.5), GBUdb (add 2.5), PSBL (add 2.5)
Caller ID: Enabled (add 4)
SPF: Enabled (add 4)
Spam-Repellent: Enabled (22 seconds)
Some own allowed foreign domains which aren't involved in these cases.

Re: eMail Name fakers [message #139022 is a reply to message #139019]
Wed, 28 March 2018 16:56
Spacey
Messages: 143 Registered: July 2011
Thanks Brian,
this is already enabled in general and for our main domain, but it matches only the sender eMail addresses - not the names.
The problem here is the "name" which appears in the eMail client; the direct (unknown) address is only visible when you hover over the sender name or click it.
If someone sends with a faked address our Kerio already denies it. This is just about name fakers! :/

Re: eMail Name fakers [message #139055 is a reply to message #139024]
Thu, 29 March 2018 09:54
Spacey
Messages: 143 Registered: July 2011
OK, that's a manual solution - yes.
You mean a personal filter for every user, eh?!
I tried the following - see screenshot. But unfortunately this doesn't work... The eMail is still in the inbox.
Other spam filters: Problem is that the sender email addresses & domains follow no rule, these are hacked normal accounts or whatever. No idea where to start here.
[Updated on: Thu, 29 March 2018 11:14]

Re: eMail Name fakers [message #140744 is a reply to message #139024]
Wed, 29 August 2018 16:33
blackbox
Messages: 46 Registered: May 2006
I haven't had any success testing with the method described, as the message arrives without issue.
Quote: Kerio/GFI Brian, Wed, 28 March 2018 11:49
Ok I see now. In this case you can create Message Filter rules like this:
- All of the conditions are met
- Condition 1 = where from contains "Eric Price"
- Condition 2 = where sender does not contain "your.domain.com"
- Action = reject message
I also tried altering condition 2 a bit, using the "From" header instead of "Sender".
- All of the conditions are met
- Condition 1 = where from contains "Display Name"
- Condition 2 = where from does not contain "domain.com"
- Action = reject message
No luck with this approach either, test message arrives without issue.

Re: eMail Name fakers [message #140746 is a reply to message #140744]
Wed, 29 August 2018 17:32
blackbox
Messages: 46 Registered: May 2006
I dove in a bit more to the suggested course of action.
My results match those of Spacey.
Passing the header information into a notification message via: perform the following action, send notification, displaying the following:
from: $from$
subject: $subject$
text: $text$
suggests the display name is not picked up within the from value, providing only the email address when output.
Example incoming message:
From: Joe User <bad@guy.com>
Subject: Trust me, I'm legit.
Body of email
Sends a notification containing the following:
from: <bad@guy.com>
subject: Trust me, I'm legit.
text: Body of email
If I alter the rule to look for a specific from:email address, the rule does work, but basing the rule on a specific from:display name value, as was the main focal point, doesn't seem to work.
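
The check this thread asks for (an employee's display name on an address outside the company's own domains), as an added example that is not part of the original posts and is not a Kerio Connect feature: a standalone Python function that reads the From: header itself, the way an external pre-delivery scanning script could. The employee list, the internal domain set and the function names are assumptions, and the sample message is constructed from the one quoted above.

```python
import unicodedata
from email import message_from_string, policy

# Assumptions (constructed for this example): directory export and own domains.
INTERNAL_DOMAINS = {"your.domain.com"}
EMPLOYEES = ["Eric Price", "Joe User"]

def name_key(name):
    """Case- and order-insensitive key, so 'Price, Eric' equals 'eric  PRICE'."""
    text = unicodedata.normalize("NFKC", name).casefold()
    tokens = "".join(c if c.isalnum() else " " for c in text).split()
    return frozenset(tokens)

EMPLOYEE_KEYS = {name_key(n) for n in EMPLOYEES}

def is_display_name_spoof(raw_message):
    """True when From: carries an employee's name on an external address."""
    # policy.default yields structured addresses and decodes RFC 2047
    # encoded-word display names (=?utf-8?q?...?=) before comparison.
    msg = message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"]
    if from_header is None:
        return False
    for mailbox in from_header.addresses:
        external = mailbox.domain.lower() not in INTERNAL_DOMAINS
        key = name_key(mailbox.display_name)
        # An empty key means no display name was sent: nothing to impersonate.
        if external and key and key in EMPLOYEE_KEYS:
            return True
    return False

# Constructed sample, modelled on the message quoted in the thread.
SAMPLE = (
    "From: Joe User <bad@guy.com>\n"
    "Subject: Trust me, I'm legit.\n"
    "\n"
    "Body of email\n"
)

if __name__ == "__main__":
    print("spoofed display name:", is_display_name_spoof(SAMPLE))
```

Matching is exact on the set of name tokens, so a display name with an extra word or look-alike characters is not caught, and a legitimate outside sender who shares an employee's name is flagged.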