SpamTitan Cloud Anti-Spoofing
Email spoofing is the creation of an email with a forged sender address to intentionally mislead a recipient about its origin. This technique is often used in phishing campaigns and generally attempts to get a user to click a link and share their credentials or reply with sensitive information.
There are two types of From addresses in an email, both of which can be spoofed:
Envelope From: This is transmitted during the MAIL FROM command.
MIME-Encoded From: This is transmitted after the DATA command during an SMTP transmission. It is not protected by any SMTP mechanism and as such is open to spoofing.
SpamTitan has four tests to help protect against email spoofing:
ANTISPOOF_DOMAIN: This test checks if the From or Envelope From domain matches the recipient's domain. If triggered, the test adds 25 to an email's spam score.
ANTISPOOF_DOMAIN_FUZZY: This test checks if a recipient's domain fuzzy matches the Envelope From or MIME-Encoded From domain. The fuzzy match range (difference between the two words) is 10% or less. For example, domain.com would fuzzy match with d0main.com, but not with d0m41n.c0m. If triggered, this test adds 5 to an email's spam score.
Go to Filter Rules > Anti-Spoofing Settings to enable both ANTISPOOF_DOMAIN and ANTISPOOF_DOMAIN_FUZZY.
See Anti-Spoof Settings.
ANTISPOOF_NAME: This test provides impersonation protection. Impersonation is when spam is sent using the From name of a high-profile person in a company, for example, the CEO. This test is automatically enabled when a full name is entered for a user on their user policy. A full name is at least two words (usually first name and last name), e.g. John Smith. Go to Anti-Spam Engine > User Policies to add or edit a user policy. If triggered, this test adds a default score of 5 to an email's spam score.
ANTISPOOF_NAME_FUZZY: This test provides additional impersonation protection by checking to see if the MIME-Encoded From name fuzzy matches the full name (if it has been added) for a user policy. The fuzzy match range (difference between the two words) is 10% or less. For example, Jonathan Doe would fuzzy match with J0nathan Doe, but not with J0n4th4n D03. If triggered, this test adds a default score of 5 to an email's spam score.
Go to Anti-Spam Engine > User Policies to add or edit a user policy to include a user's full name. Once enabled, ANTISPOOF_NAME and ANTISPOOF_NAME_FUZZY carry out a number of checks to compare a user's name as entered on their user policy with the email From name:
Check | Example, From: "John Smith" <js@example.com> |
---|---|
Firstname Lastname | John Smith |
Lastname, Firstname | Smith, John |
F. Lastname or F Lastname | J. Smith or J Smith |
Firstname L. or Firstname L | John S. or John S |
Lastname only | Smith |
Firstname only | John |
SpamTitan's anti-spoofing functionality is not enabled by default.
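The four tests described above can be modelled in a few lines to see which sender values trigger which score. This is an added example, not SpamTitan's own code: the Levenshtein metric, the reading of "10% or less" as edit distance divided by the longer string's length, the rule that a fuzzy test is reported only when its exact test did not fire, and all function names are assumptions.

```python
from email.utils import parseaddr

# Scores from the page (the two name tests use their default score of 5).
SCORES = {"ANTISPOOF_DOMAIN": 25, "ANTISPOOF_DOMAIN_FUZZY": 5,
          "ANTISPOOF_NAME": 5, "ANTISPOOF_NAME_FUZZY": 5}

def edit_distance(a, b):
    """Levenshtein distance; an assumed metric, the page does not name one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fuzzy_match(a, b, max_diff=0.10):
    """True when a and b differ, but by 10% or less of the longer string."""
    a, b = a.lower(), b.lower()
    return a != b and edit_distance(a, b) / max(len(a), len(b)) <= max_diff

def name_variants(first, last):
    """Display-name forms from the table of checks, lower-cased."""
    forms = [f"{first} {last}", f"{last}, {first}", f"{first[0]}. {last}",
             f"{first[0]} {last}", f"{first} {last[0]}.", f"{first} {last[0]}",
             last, first]
    return {form.lower() for form in forms}

def antispoof_tests(envelope_from, header_from, rcpt_domain, full_names):
    """Return {test name: score} for the tests that trigger on one message."""
    display, address = parseaddr(header_from)
    domains = {addr.rsplit("@", 1)[-1].lower() for addr in (envelope_from, address)}
    rcpt_domain = rcpt_domain.lower()
    variants = set()
    for first, last in full_names:
        variants |= name_variants(first, last)
    hits = []
    # Assumption: a fuzzy test is reported only when its exact test did not fire.
    if rcpt_domain in domains:
        hits.append("ANTISPOOF_DOMAIN")
    elif any(fuzzy_match(d, rcpt_domain) for d in domains):
        hits.append("ANTISPOOF_DOMAIN_FUZZY")
    if display.lower() in variants:
        hits.append("ANTISPOOF_NAME")
    elif display and any(fuzzy_match(display, v) for v in variants):
        hits.append("ANTISPOOF_NAME_FUZZY")
    return {test: SCORES[test] for test in hits}

# Constructed sample: external sender imitating domain.com and user John Smith.
SAMPLE = antispoof_tests("bounce@mailer.example.net",
                         '"J0hn Smith" <js@d0main.com>',
                         "domain.com", [("John", "Smith")])
```

Under these assumptions a single-character substitution in a short name or domain falls outside the 10% range (one edit in "J Smith" is about 14%), so the fuzzy tests mainly catch look-alikes of longer strings.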