Back to Top

Help & Support

Get instant answers 24/7

Top

Is there a way to block messages that are spoofing the display name and not the email address?

Display name spoofing is when an email appears to be coming from a familiar person, but from an email address that is not affiliated with that person. The problem is made worse by the fact that most email software only shows the sender's name (known as the "display name") and not the sender's email address.

While there is not yet a solution that can automatically detect what email addresses are valid for a display name, SpamHero's powerful Custom filter feature allows you to create rules that can protect you from display name spoofing for specific senders.

For the purposes of this tutorial, let's say we have a sender named John Doe and we only want to accept emails for this user from john@example.com. This would be done as follows:

  1. Log into SpamHero and go to Settings > Custom filters.
     
  2. Set the If field to Messsage 'From', the Condition to Regex (Advanced) and the Value to the following:

    (?!.*John@example\.com)John Doe

    Obviously you'll want to swap out this information with the correct sender. Build your regex string as follows:

    • Enter the (?!.* prefix.
    • Enter the email address, preceding any . with a \.
    • Enter the ).
    • Enter the sender's display name.
  3. Select at least quarantine for the action to take in the When there's a match field.
     
  4. Optionally add a comment to remind you what the rule is for and click Save.
     

Important notes:

  • The search is case insensitive (upper and lower case do not matter).
  • The syntax is very important here so be sure to follow it closely and test it afterward. Any if there are any mistakes, you may end up blocking a lot more than you intended.
  • This isn't a perfect solution. If a malicious sender inserts hidden or special characters into the display name, it will not match the rules presented here.
Example

The rule should look something like this:


This would allow mail from:

"John Doe" <John@example.com>
But not from these:
"John Doe" <John@spammersRus.com>
"John Doe" <fake@phishingTrickster.com>
"John Doe" <John@someoneWithTheSameName.com>

If you only need to allow a single email address for a given display name, the above is all you need to do. For more complex situations, the additional examples below may be helpful.

Allowing multiple email addresses or an entire domain

Here's an example that allows mail from a local address and an external address:

(?!.*(JohnDoe@example\.com|johnDoe7289@gmail\.com))John Doe

This is helpful if you know more than one "John Doe" or the sender has more than one email address that they send you email from.

To allow an entire domain, it would look like this:

(?!.*@example\.com)John Doe

Or, a combination of an entire domain and external email addresses:

(?!.*(@example\.com|johnDoe7289@gmail\.com|johnDoe7289@yahoo\.com))John Doe

If you are converting a previous rule that only allowed a single email address or domain, see these additional examples that illustrate what needs to change:

(?!.*
(
JohnDoe@example\.com
|johnDoe7289@gmail\.com)
)John Doe

And this example allows anything from the local domain or two external email addresses:

(?!.*
(
@example\.com
|johnDoe7289@gmail\.com|johnDoe7289@yahoo\.com)
)John Doe

The highlights show what was
added
and
changed
from the single-address example.

Last updated February 9, 2024