Employee name spoofing in emails SPF and DKIM cannot prevent this

Spammers are always looking for new techniques to get their payload delivered to the user's Inbox. This page talks about a new technique that is fairly simple but very effective in spoofing the sender.

Problem Description

Someone in your accounting department gets an email from your CEO with a fake invoice asking them to pay.

Background Info

  • Before sending the fake invoice, the spammer first visits the recipient's public website gathering names and email addresses of C-Level employees. Assume they have been able to get the name of the CFO (John Doe) as well as the CEO (Jane Doe) from your website.
  • They register an arbitrary domain name. They create a valid SPF, DKIM and DMARC records for these domain. Let's say this arbitrary domain name is @myFakeDomain.com
  • Now the spammer sends a new message with the following value in the FROM header:
    From: Jane Doe <jane.doe@myfakedomain.com>
  • Many email clients do not display the email address if a name is available, giving an impression to John Doe, CFO, the message indeed came from Jane.

Why SPF fails

The FROM header in an email has two parts:

  1. Sender's Name
  2. Sender's Email Address
SPF protects email addresses, not names. Since the sender does not forge the actual address, SPF does not play any role in determining the message is forged.

Steps To Block

Version 6.8 introduces a new custom filter called Sender Name Forgery, which accepts a list of employee names. Click Filter Management/Content Filters/Custom Filters, search for the Sender Name Forgery, and click the link to manage employee names. If an incoming message from the Internet contains these names in the FROM header, Xeams will modify the header and omit the original name, leaving just the email address. Consider the example below.

Original Header

Subject: Please pay the attached invoice
From: Jane Doe <jane.doe@myfakedomain.com>

Modified Header

Subject: Please pay the attached invoice
From: <jane.doe@myfakedomain.com>
Since the name of the sender is removed, email clients will have no choice but to display the actual email address, which obviously is fake.

Related Pages