Sophos Email Appliance: How to block spoofed "From" names

Special thanks to H_Patel for authoring this article!

Overview

This article describes how to block spoofed "From" names when the email address isn't from your own domain.

Scenario

In this example, a message is "spoofed" to appear to come from Joe Smith, so that Outlook displays his name as the sender. This is done to fool Tracy into purchasing something and sending it to the scammer. However, the actual From address is a valid external address, not one in your own domain.

From: Joe Smith <mgt001@GiveMeMoney.com>
To: Tracy Barker <Tracy.Barker@ValidCompany.com>

What to do

  1. Go to Configuration > Policy > Additional Policy > Inbound and then click Add.
  2. Under the Select rule type section, select Use only message attributes and then click Next.
  3. Under the Identify message attributes section, click Add. Select Header in the drop-down menu.
  4. In the Name field, enter "From" (the capital F is important) and select contains (substring match).
  5. In the Value field, enter the name of the person that needs to be filtered (for example, Joe Smith) and then click Apply.



  6. Continue doing this for the users that are required to be added.
  7. Under Matching Logic, choose One of the message attributes must be present. Click Next.



  8. Click the Exclude Sender tab and select Custom groups.
  9. Enter **@validcompany.com and then click Add. Click Next.



  10. Under the Message actions section, select Quarantine. Click Next.
  11. Enter a Policy rule name, select Activate this rule and then click Save.

This rule will quarantine any email coming in with the display name Joe Smith if it is not also from the domain validcompany.com.
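The following is an added example, not part of the original article or Sophos code. It models the rule's decision logic in Python so you can check which From headers the rule would quarantine before activating it. The names rule_action, make_message and SAMPLES are hypothetical, the sample headers are constructed, and two behaviours are assumptions: the name match is case-insensitive, and the sender exclusion is compared against the From header address.

```python
from email import message_from_string
from email.utils import parseaddr

PROTECTED_NAMES = ["Joe Smith"]       # names entered in the Value field (steps 5-6)
EXCLUDED_DOMAIN = "validcompany.com"  # sender exclusion (steps 8-9)

def rule_action(raw_message: str) -> str:
    """Return 'quarantine' or 'deliver' for one raw message."""
    msg = message_from_string(raw_message)
    from_header = str(msg.get("From", ""))
    # Steps 4-7: substring match on the From header; any one name is enough.
    # Case-insensitive matching is an assumption of this example.
    lowered = from_header.lower()
    if not any(name.lower() in lowered for name in PROTECTED_NAMES):
        return "deliver"
    # Steps 8-9: senders in the excluded domain are exempt from the rule.
    # The domain is compared exactly, so a longer domain that merely
    # starts with the excluded one is not treated as internal.
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain == EXCLUDED_DOMAIN:
        return "deliver"
    return "quarantine"

def make_message(from_value: str) -> str:
    """Build a minimal constructed message with the given From header."""
    return (f"From: {from_value}\n"
            "To: Tracy Barker <Tracy.Barker@ValidCompany.com>\n"
            "Subject: test\n\nbody\n")

# Constructed sample From headers.
SAMPLES = [
    "Joe Smith <mgt001@GiveMeMoney.com>",                 # scenario from the article
    "Joe Smith <Joe.Smith@ValidCompany.com>",             # genuine internal sender
    "Joe Smith <joe.smith@validcompany.com.example.net>", # different external domain
    "Someone Else <someone@example.org>",                 # name not protected
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{rule_action(make_message(sample)):<10} {sample}")
```
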
[edited by: H_Patel at 3:49 PM (GMT -7) on 15 Jun 2021]