
How can I use From Header Screening to expose a spoofed email?

MDaemon versions 20 and above include an updated From Header Modification feature to help expose spoofed messages that are trying to trick users into thinking the email is from a legitimate source.

Navigate to the From Header Screening menu:

  1. Select Security
  2. Select Security Manager
  3. Expand Screening
  4. Select From Header Screening

Option 1

The first option modifies the From header and inserts the actual email address into the display-name.


Example:

A message is received from a spammer with the following headers, spoofing "Legit User" in the From header.

Date: Wed, 08 Apr 2020 11:09:40 -0500
From: "Legit User" <spammer@spam.com>
To: "User01" <user01@company.test>
Subject: From Header Screening 

Email clients typically show only the display-name, which is the text between the quotes.

When Add email address to display-name is enabled, the From header above is modified into the header below.

FROM: "Legit User (spammer@spam.com)" <spammer@spam.com>

Alternatively, select Put email address before name to insert the address at the beginning of the display-name and place the original name in parentheses.

FROM: "spammer@spam.com (Legit User)" <spammer@spam.com>

Option 2

When Replace mismatched email address in display-names with real ones is selected, MDaemon compares the address in the display-name against the actual address. If a spammer inserts a legitimate address in the display-name section of the From header to disguise the spammer's actual address, MDaemon removes the address from the display-name and inserts the actual address.


Example:

A message arrives from spammer@spam.com spoofing user02@company.test.

Date: Wed, 08 Apr 2020 11:09:40 -0500
FROM: "user02@company.test" <spammer@spam.com>
To: "User01" <user01@company.test>
Subject: From Header Screening

The message listing in Webmail will display the message as follows.

With Replace mismatched email address in display-names with real ones selected, the message would appear as below.

Separate from these options is a checkbox that disables both of them when an SMTP session is authenticated.

Keep in mind that when this option is checked and an account is compromised, an entity submitting spam as this user could still disguise the actual email address behind the display-name.

Click White List to open a window where you can enter recipient (To) addresses. Messages addressed to these addresses bypass the From Header Screening options.
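
The two options and the authenticated-session exemption described above, sketched in Python as an added example (this is not MDaemon's code and is not part of the original article). The function names, the address pattern and the exempt_authenticated parameter are assumptions, and because the page does not show the header MDaemon writes for Option 2, that output format is assumed as well. The sample headers are the ones used in the examples above.

```python
import re
from email.utils import formataddr, parseaddr

# Loose matcher for an address inside a display-name (illustrative, not RFC-complete).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def add_address_to_name(from_value, address_first=False):
    """Option 1: put the real address into the display-name."""
    name, addr = parseaddr(from_value)
    if not addr:
        return from_value  # unparseable header: leave it untouched
    if not name:
        shown = addr
    elif address_first:
        shown = f"{addr} ({name})"
    else:
        shown = f"{name} ({addr})"
    return formataddr((shown, addr))


def replace_mismatched_address(from_value):
    """Option 2: return (header, changed), swapping look-alike addresses in the name."""
    name, addr = parseaddr(from_value)
    if not addr:
        return from_value, False
    mismatched = [m for m in ADDR_RE.findall(name) if m.lower() != addr.lower()]
    if not mismatched:
        return from_value, False
    shown = ADDR_RE.sub(lambda _m: addr, name)
    return formataddr((shown, addr)), True


def screen(from_value, authenticated=False, exempt_authenticated=False):
    """Apply Option 2 unless the exemption for authenticated sessions is on."""
    if authenticated and exempt_authenticated:
        return from_value  # the caveat above: a compromised account passes unchanged
    return replace_mismatched_address(from_value)[0]


if __name__ == "__main__":
    # Sample headers taken from the examples in this article.
    opt1 = '"Legit User" <spammer@spam.com>'
    opt2 = '"user02@company.test" <spammer@spam.com>'
    print(add_address_to_name(opt1))
    print(add_address_to_name(opt1, address_first=True))
    print(screen(opt2))
    print(screen(opt2, authenticated=True, exempt_authenticated=True))
```
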