[exim] Re: Completely remove any name in From: header for in…

Author: Sebastian Arcus
Date:  
To: Markus Reschke, Sebastian Arcus via Exim-users
Subject: [exim] Re: Completely remove any name in From: header for inbound email?
On 26/05/2023 13:43, Markus Reschke via Exim-users wrote:
> Hello Sebastian!
>
> On Fri, 26 May 2023, Sebastian Arcus via Exim-users wrote:
>
>> Hello. As so many scams around are based on impersonating someone
>> inside the company, I am wondering if anyone here has considered the
>> more extreme solution of completely removing any name in the From:
>> header for incoming emails? I already have SPF/DKIM/DMARC in place, so
>> the scammers can't actually impersonate the sending email address, but
>> they keep on using the names of people with positions high up in the
>> company. The risks of falling for such emails are much reduced at this
>> stage, but now I'm wondering if the next step would be to just strip
>> all names in the From: field altogether and just leave the email
>> address? Can Exim do that, and has anyone considered it?
>
> Have you heard of IDNs (domain names with unicode characters)? For
> example, your domain is company.com and the bad guy registers c<some
> unicode character looking like an o>mpany.com. Then he sets up
> SPF/DKIM/DMARC for that domain and sends you an email. Could you tell
> just from the email address if it's from your CEO or a scammer?
>
> Removing the names to force users to look at the email address can help
> to lower the risk of falling for less sophisticated scams, but it
> wouldn't work for more professional frauds.


That is an interesting point - thank you for flagging it. I haven't seen
such a case yet in my setups, but I can see it being perfectly possible.
At the moment we are bombarded with emails of the type

From: Director Name <randomaddress@???>

Hence I was considering stripping the name from all incoming From:
headers. In general things are holding out quite well so far, as the
users are constantly reminded to be vigilant and the real domain can't
be spoofed because of DKIM/DMARC/SPF - but I am constantly looking into
ways to strengthen the security.

>
> ciao
>  Markus


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
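The following is an added example and is not code from this thread or from Exim. It models in Python the two points discussed above: stripping the display name from an inbound From: value so that only the address remains (including the case where the display name itself looks like an address, and the case where it arrives RFC 2047 encoded), and then showing why Markus's objection still holds, by flagging sender domains that only look like the protected domain. The look-alike check goes a little beyond the IDN case raised in the thread and also catches plain ASCII tricks (c0mpany, cornpany). OUR_DOMAIN, the small CONFUSABLES table, the ASCII_TRICKS list and every sample header are assumptions constructed for this example; a real deployment would use the Unicode confusables data (UTS #39) rather than a hand-written table.

```python
"""Added example (not from the exim-users thread or from Exim itself).

Strip display names from inbound From: headers and flag look-alike
sender domains.  OUR_DOMAIN, CONFUSABLES, ASCII_TRICKS and SAMPLES are
assumptions constructed for illustration.
"""
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

OUR_DOMAIN = "company.com"  # assumed: the domain being protected

# Assumed minimal Cyrillic/Latin look-alike table (UTS #39 is the real source).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0445": "x",  # Cyrillic х
    "\u0443": "y",  # Cyrillic у
    "\u0456": "i",  # Cyrillic і
    "\u0131": "i",  # dotless i
}
# Assumed ASCII-only substitutions seen in look-alike domains.
ASCII_TRICKS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")]


def decode_display(raw_from: str) -> str:
    """Decode RFC 2047 encoded words (=?UTF-8?Q?...?=) in a From: value."""
    return str(make_header(decode_header(raw_from)))


def strip_display_name(raw_from: str) -> str:
    """Return only the addr-spec of a From: value, display name dropped.

    A display name that itself looks like an address, e.g.
    "ceo@company.com" <x@attacker.example>, is dropped as well: parseaddr
    returns the real addr-spec from the angle brackets.
    """
    _name, addr = parseaddr(decode_display(raw_from))
    return addr.lower()


def domain_to_unicode(domain: str) -> str:
    """Turn a punycode (xn--) domain into Unicode; plain ASCII passes through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode (or not valid punycode)


def domain_to_ascii(domain: str) -> str:
    """Unicode domain to the punycode form seen on the wire."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Crude confusable skeleton: NFKD, drop combining marks, fold look-alikes."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):
            continue  # accents such as in "cômpany" vanish here
        out.append(CONFUSABLES.get(ch, ch))
    s = "".join(out)
    for bad, good in ASCII_TRICKS:
        s = s.replace(bad, good)
    return s


def classify_from(raw_from: str) -> dict:
    """Strip the display name and report whether the sender domain mimics ours."""
    addr = strip_display_name(raw_from)
    domain = domain_to_unicode(addr.rpartition("@")[2])
    own = domain == OUR_DOMAIN
    lookalike = (not own) and skeleton(domain) == skeleton(OUR_DOMAIN)
    return {"address": addr, "domain": domain, "own_domain": own, "lookalike": lookalike}


# Constructed sample From: values in the shape described in the thread.
SAMPLES = [
    "Director Name <randomaddress@example.net>",
    "=?UTF-8?Q?Director_Name?= <randomaddress@example.net>",
    '"ceo@company.com" <bad@attacker.example>',
    "CEO <ceo@company.com>",
    "CEO <ceo@c\u043empany.com>",  # Cyrillic о: survives name stripping unnoticed
    "CEO <ceo@c0mpany.com>",
    "CEO <ceo@cornpany.com>",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:58} -> {classify_from(raw)}")
```

Stripping the name turns "Director Name <randomaddress@???>" into a bare address, which is the first sample above; the last three samples are the cases where the bare address still reads as the company's own domain to a human, which is why the look-alike check is needed alongside name stripping rather than instead of it.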