Is there a way to block messages that are spoofing the display name and not the email address?

Unlike a spoofed email address, which proper email validation methods can catch, display name spoofing can be hard to identify. Email client software often shows only the display name and not the sending address. This is dangerous when employees see a request come in from a name they recognize and don't notice that the address isn't correct.

Often this type of attack is used to impersonate higher-level management in a company. The following solution only works if you don't need mail from anyone who shares a name with the person being impersonated. Be warned that a regex (regular expression) rule can block messages you didn't intend to block if the pattern isn't set up correctly or if the email in question isn't formatted as expected.

To block these messages, a custom filter rule with a regex match can be used. For instance, to block any mail from anyone named "John Doe" unless their email address is John@example.com, this regex pattern could be used:

(?!.*John@example\.com)John Doe

This would allow mail from:

"John Doe" <John@example.com>

But not from these:

"John Doe" <John@spammersRus.com>
"John Doe" <fake@phishingTrickster.com>
"John Doe" <John@someoneWithTheSameName.com>

This only works if you don't plan on receiving mail from anyone with the name John Doe except from john@example.com.

When using a single email address, the custom filter rule would look like this in the control panel:


If you only need to allow a single email address for a given display name, the above is all you need to do. For more complex situations, the additional examples below may be helpful.

Allowing multiple email addresses or an entire domain

Here's an example that allows mail from a local address and an external address:

(?!.*(JohnDoe@example\.com|johnDoe7289@gmail\.com))John Doe

To allow an entire domain, it would look like this:

(?!.*@example\.com)John Doe

Or, a combination of an entire domain and external email addresses:

(?!.*(@example\.com|johnDoe7289@gmail\.com|johnDoe7289@yahoo\.com))John Doe

If you are converting a previous rule that only allowed a single email address or domain, see these additional examples that illustrate what needs to change:

(?!.*(JohnDoe@example\.com|johnDoe7289@gmail\.com))John Doe

And this example allows anything from the local domain or two external email addresses:

(?!.*(@example\.com|johnDoe7289@gmail\.com|johnDoe7289@yahoo\.com))John Doe

The highlights show what was added and changed from the single-address example.

Important notes
  • The search is case insensitive.
  • The syntax is very important here, so be sure to follow it closely and test it afterward.
  • This won't block all display name spoofing, but can help eliminate the problem in many cases.
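
The notes above say to test the pattern before relying on it. The following is an added example (not part of the original article or of the mail product) that runs the article's patterns over constructed From header samples and lists the ones a pattern gets wrong. It assumes the rule is matched against the From header value and that the filter's regex engine treats lookaheads the way Python's `re` does; `DOMAIN_STRICT`, `is_blocked`, `mismatches` and the sample headers beyond the article's own are illustrative, not from the article.

```python
import re

# Patterns copied from the article.
SINGLE = r'(?!.*John@example\.com)John Doe'
DOMAIN = r'(?!.*@example\.com)John Doe'
# Assumption (not from the article): requiring the closing ">" right after the
# domain rejects a longer domain that merely begins with "example.com".
DOMAIN_STRICT = r'(?!.*@example\.com>)John Doe'


def is_blocked(pattern, from_header):
    """True when the rule's pattern matches the header, i.e. the filter fires."""
    # The article notes the search is case insensitive.
    return re.search(pattern, from_header, re.IGNORECASE) is not None


# Constructed samples: (From header, should this message be blocked?)
SAMPLES = [
    ('"John Doe" <John@example.com>', False),          # article: allowed
    ('"John Doe" <John@spammersRus.com>', True),       # article: blocked
    ('"John Doe" <fake@phishingTrickster.com>', True), # article: blocked
    ('"JOHN DOE" <john@EXAMPLE.com>', False),          # same sender, other case
    ('"Jane Roe" <jane@elsewhere.invalid>', False),    # unrelated sender
    ('John@example.com (John Doe)', False),            # legitimate, address first
    ('"John Doe" <john@example.com.invalid>', True),   # domain only starts alike
]


def mismatches(pattern):
    """Headers where the pattern's verdict differs from the expected verdict."""
    return [h for h, want in SAMPLES if is_blocked(pattern, h) != want]


if __name__ == '__main__':
    for name, pat in (('SINGLE', SINGLE), ('DOMAIN', DOMAIN),
                      ('DOMAIN_STRICT', DOMAIN_STRICT)):
        print(name, 'gets wrong:', mismatches(pat) or 'nothing')
```

Every pattern blocks the address-first sample, which is the "isn't formatted as expected" case the article warns about, and only the stricter variant blocks the `example.com.invalid` sample.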

Last updated November 10, 2022