SpamTitan Cloud Anti-Spoofing
Email spoofing is the creation of an email with a forged sender address to intentionally mislead a recipient about its origin. This technique is often used in phishing campaigns and generally attempts to get a user to click a link and share their credentials or reply with sensitive information.
There are two types of From addresses in an email, both of which can be spoofed:
Envelope From: This is transmitted during the MAIL FROM command.
MIME-Encoded From: This is the From header transmitted after the DATA command during an SMTP transmission. It is not protected by any SMTP mechanism and as such is open to spoofing.
SpamTitan has two tests to help protect against email spoofing:
ANTISPOOF: This test checks whether the From or Envelope From domain matches the recipient's domain. If triggered, the test adds 25 to an email's spam score. To enable it, go to Filter Rules > Anti-Spoofing Settings. See Anti-Spoof Settings.
ANTISPOOF_NAME: This test provides impersonation protection. Impersonation is when spam is sent using the From name of a high-profile person in a company, e.g. the CEO. This test is automatically enabled when a full name is entered for a user on their user policy. A full name is at least two words (usually first name and last name), e.g. John Smith. Go to Anti-Spam Engine > User Policies to add or edit a user policy.
Once enabled, ANTISPOOF_NAME carries out a number of checks to compare a user's name as entered on their user policy with the email From name:
Check: Example (for From: "John Smith" <js@example.com>)
Firstname Lastname: John Smith
Lastname, Firstname: Smith, John
F. Lastname or F Lastname: J. Smith or J Smith
Firstname L. or Firstname L: John S. or John S
Lastname only: John
Firstname only: Smith
Fuzzy comparison: J0hn Smith
Note: If a match is made using fuzzy matching, a spam score of 1 (default) is added.
SpamTitan's anti-spoofing functionality is not enabled by default.
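The display-name comparison described for ANTISPOOF_NAME can be sketched as follows. This is an added example, not SpamTitan's code: it covers the full-name and initial forms from the table plus the fuzzy comparison. The function names, the look-alike character map and the 0.85 similarity threshold are assumptions made for illustration.

```python
import difflib
from email.utils import parseaddr

# Assumed look-alike substitutions for the fuzzy step (illustrative, not SpamTitan's list).
LOOKALIKES = str.maketrans("01345$@", "oleassa")


def name_variants(policy_name):
    """Map each exact display-name form from the table to its check label."""
    parts = policy_name.lower().split()
    if len(parts) < 2:          # the page defines a full name as at least two words
        return {}
    first, last = parts[0], parts[-1]
    return {
        f"{first} {last}": "Firstname Lastname",
        f"{last}, {first}": "Lastname, Firstname",
        f"{first[0]}. {last}": "F. Lastname",
        f"{first[0]} {last}": "F Lastname",
        f"{first} {last[0]}.": "Firstname L.",
        f"{first} {last[0]}": "Firstname L",
    }


def check_from_name(from_header, policy_name, fuzzy_threshold=0.85):
    """Return the label of the check that matched the From display name, or None."""
    display, _address = parseaddr(from_header)
    shown = " ".join(display.lower().split())   # case-fold, collapse whitespace
    variants = name_variants(policy_name)
    if not shown or not variants:
        return None
    if shown in variants:
        return variants[shown]
    # Fuzzy step: undo look-alike characters, then allow small edit differences.
    normalised = shown.translate(LOOKALIKES)
    full_name = next(iter(variants))            # "firstname lastname"
    ratio = difflib.SequenceMatcher(None, normalised, full_name).ratio()
    if normalised in variants or ratio >= fuzzy_threshold:
        return "Fuzzy comparison"
    return None


if __name__ == "__main__":
    # Constructed sample headers; the addresses are placeholders.
    for header in ('"John Smith" <js@example.com>', '"Smith, John" <x@mail.example>',
                   '"J. Smith" <x@mail.example>', '"J0hn Smith" <x@mail.example>',
                   '"Jane Doe" <jd@mail.example>'):
        print(f"{header:35} -> {check_from_name(header, 'John Smith')}")
```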