Protect against Display Name Spoofing with Rspamd

Email security is an ever-evolving field, and one of the persistent threats is display name spoofing. This attack involves forging the display name in an email to trick recipients into thinking the message is from a trusted source. While Rspamd is a powerful tool for combating spam and improving email security, it can be fine-tuned to address display name spoofing effectively. In this guide, we will configure Rspamd to prevent display name spoofing.

Understanding Display Name Spoofing

Display name spoofing alters the display-name portion of the "From" header so that a message appears to come from a legitimate source, such as a trusted colleague or a reputable organization.

For example, an email might appear to come from "John Doe" at "example.com", but in reality it could be sent from a completely different domain. Display name spoofing exploits the fact that many email clients show only the name portion of the sender address, which makes recipients easier to deceive.

Use Rspamd for Display Name Spoofing Protection

Using Rspamd's multimap feature, you can create a rule that detects display name spoofing by checking the display name of incoming mail against a list of your own users' names.

First, create a file containing the first and last names of your users.
Rspamd will use this file to check whether an incoming message carries one of those names in its display name, which is the pattern a spoofing attack relies on.

Create a file named display_names.map in the /etc/rspamd/maps.d/ directory and insert one name per line, in quotes, like this:

"First Name Last Name"

Or in my specific case:

"Dominik Kupschke"

Next, define a multimap rule that uses this file. Create a new configuration file multimap.conf in the directory /etc/rspamd/local.d/:

DISPLAY_NAME_SPOOFING {
       type = "header";                                  # match against a message header
       header = "from";                                  # the From header
       filter = "email:name";                            # compare only the display-name part
       map = "/etc/rspamd/maps.d/display_names.map";     # list of your users' names
       score = 3.0;                                      # added to the spam score on a match
}

The configuration shown above adds 3.0 to the spam score whenever the display name of the From header matches an entry in the map.
In my own setup, I also rewrite the email subject to include a warning for the recipient.
This can be done by adding a new rule to /etc/rspamd/local.d/force_actions.conf:

rules {
       DISPLAY_NAME_SPOOFING_ACTION {
               action = "rewrite subject";               # keep the message, change its subject
               expression = "DISPLAY_NAME_SPOOFING";     # fire when the multimap symbol is set
               subject = "[SPOOFING DETECTED!] %s";      # %s is replaced by the original subject
       }
}

Restart Rspamd

Finally, restart Rspamd to apply the changes:

sudo systemctl restart rspamd

Testing Your Configuration

To verify that your display name spoofing rules are working correctly, send a few test emails whose display name matches an entry in the map but whose sender address belongs to another domain. You should see that these emails receive the DISPLAY_NAME_SPOOFING symbol and are scored (and, with the force_actions rule, get the rewritten subject) according to your configuration.
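As an added example (not part of the original post and not Rspamd's own code), the following Python script reproduces offline what the two rules above do: it loads a map in the display_names.map format, extracts the display name of the From header the way the "email:name" filter does, and reports the symbol, score and rewritten subject for constructed test messages. Case-insensitive comparison is an assumption about Rspamd's map lookup; note that the rule as written also matches a legitimate message from the user themselves, because it has no sender-domain exception.

```python
# Added example: offline model of the DISPLAY_NAME_SPOOFING multimap rule
# and the force_actions subject rewrite. Not Rspamd code.
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed map content, in the same line format as display_names.map
DISPLAY_NAMES_MAP = '''
# internal users whose names must not appear in outside mail
"Dominik Kupschke"
"John Doe"
'''

SCORE = 3.0                                   # score = 3.0 in multimap.conf
SUBJECT_TEMPLATE = "[SPOOFING DETECTED!] %s"  # subject in force_actions.conf


def load_map(text):
    """Parse the map: one quoted name per line, '#' comments and blanks skipped."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) >= 2 and line[0] == line[-1] == '"':
            line = line[1:-1]
        names.add(line.casefold())  # assumption: Rspamd compares case-insensitively
    return names


def display_name(from_header):
    """Decoded display name of a From header (the 'email:name' part), '' if absent."""
    name, _addr = parseaddr(from_header)
    if not name:
        return ""
    # Spoofed names are often hidden behind RFC 2047 encoded words; decode them.
    return str(make_header(decode_header(name))).strip()


def check_message(raw_message, names):
    """Return (symbol_hit, score, subject) as the two rules would leave the message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    hit = display_name(msg.get("From", "")).casefold() in names
    if hit:
        subject = SUBJECT_TEMPLATE % subject
    return hit, SCORE if hit else 0.0, subject


if __name__ == "__main__":
    spoofed = 'From: "Dominik Kupschke" <ceo@evil.example>\nSubject: Invoice\n\nPay now.\n'
    print(check_message(spoofed, load_map(DISPLAY_NAMES_MAP)))
```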
