Back to Top

Help & Support

Get instant answers 24/7

Top

Is there a way to block messages that are spoofing the display name and not the email address?

Unlike when an email address is spoofed and proper email validation methods can be used, display name spoofing can be hard to identify. Often email client software only shows the display name and doesn't show the sending address. This can be dangerous when employees see a request come in from a name they recognize if they don't notice that the address isn't correct.

Often this type of attack is used to impersonate higher level management in a company. The following solution only works if you don't need mail from anyone that shares the name with the person being impersonated. You should be warned that using regex (regular expressions) can block messages you don't intend them to if the pattern isn't set up correctly or if the email in question isn't formatted as expected.

To block these messages, a custom filter rule with a regex match can be used. For instance, to block any mail from anyone named "John Doe" unless their email address was John@example.com then this regex pattern could be used:

(?!.*John@example\.com)John Doe

This would allow mail from:

"John Doe" <John@example.com>

But not from these:

"John Doe" <John@spammersRus.com>
"John Doe" <fake@phishingTrickster.com>
"John Doe" <John@someoneWithTheSameName.com>

This only works if you don't plan on receiving mail from anyone with the name John Doe except from john@example.com.

Need to allow more than one email adddress?

It's also possible to allow more than one email address but the regex pattern is slightly different:

(?!.*(John@example\.com|secondAddress@example\.net))John Doe

Here's an example of three email addresses:

(?!.*(John@example\.com|secondAddress@example\.net|thirdAddress@example\.net))John Doe

The syntax is very important here so be sure to follow it very closely.

When using a single email address, the custom filter rule would look like this in the control panel:


This won't block all display name spoofing, but can help eliminate the problem in many cases.


Last updated March 18, 2022