Back to Top

Help & Support

Get instant answers 24/7

Top

Is there a way to block messages that are spoofing the display name and not the email address?

Unlike when an email address is spoofed and proper email validation methods can be used, display name spoofing can be hard to identify. Often email client software only shows the display name and doesn't show the sending address. This can be dangerous when employees see a request come in from a name they recognize if they don't notice that the address isn't correct.

Often this type of attack is used to impersonate higher level management in a company. The following solution only works if you don't need mail from anyone that shares the name with the person being impersonated. You should be warned that using regex (regular expressions) can block messages you don't intend them to if the pattern isn't set up correctly or if the email in question isn't formatted as expected.

To block these messages, a custom filter rule with a regex match can be used. For instance, to block any mail from anyone named "John Doe" unless their email address was John@example.com then this regex pattern could be used:

(?!.*John@example\.com)John Doe

This would allow mail from:

"John Doe" <John@example.com>

But not from these:

"John Doe" <John@spammersRus.com>
"John Doe" <fake@phishingTrickster.com>
"John Doe" <John@someoneWithTheSameName.com>

This only works if you don't plan on receiving mail from anyone with the name John Doe except from john@example.com.

On the custom filter form, it would look something like this:


This won't block all display name spoofing, but can help eliminate the problem in many cases.


Last updated April 16, 2021