Display Name Spoofing Attack

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,266
313
Houston
In most cases, this is called an SPF and it's not specific to cPanel. If your server is authoritative for the domain you're referencing you can implement an SPF record directly from cPanel: Email Deliverability in cPanel - Version 84 Documentation - cPanel Documentation

If it isn't - the Email Deliverability UI will also provide an SPF record that you can add where DNS for the domain is hosted.

If you use SpamAssassin on your cPanel server, it will scan the headers of mail and score according to the presence of an SPF and whether or not it passes the check.
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
616
198
343
cPanel Access Level
DataCenter Provider
Sorry to bust your bubble, but in a lot of cases SPF is not going to help at all. As an example, I can send an email as:

Nick Kosten <[email protected]>

If I publish proper SPF and DKIM for mydomain.com the recipient email server will more than likely accept the mail, because it's going to match what I published.

I'm pretty sure this is what @Bidhan is referring to (Display Name spoofing). We have a lot of customers ask for ways to tag email as [external] so they can quickly spot that someone is spoofing the display name w/o having to look at what the actual address is.
 

cPanelLauren

If you've set up SPF correctly and the originating server does not match the IP addresses authorized to send mail for the domain, it most certainly would be something that SPF will catch. Whether or not the recipient server is properly checking for the existence of and validity of the SPF record is beyond our control, and my bubble remains intact, thank you.

If they're ONLY spoofing the display name and not the email address the mail is originating from, there's really no way for exim or any mail server to combat this - the display name isn't something that's vetted in any way nor would there be a way to do this easily. In any case of this, I've seen the actual email address clearly shows it's not from the Display name sender and users should be educated to double-check email addresses they're receiving requests from.

Nonetheless, there is the NAME_EMAIL_DIFF SpamAssassin rule, which will work on FROM: lines with two email addresses present. The weight of this rule can be modified at cPanel>>Email>>SpamFilters>>Calculated Spam Score Settings

There is also a really informative discussion on this in the SpamAssassin mailing list page here: SpamAssassin - Users - FROM header with two email addresses

They've come up with a couple of custom rules to implement that may be effective in combatting this but it would have to be added manually. You might find some further information on custom rules here: Custom SpamAssassin- Multi Rules
 

ffeingol

Based on the title of the thread (Display Name Spoof) I think they are referring to the latter, where the name and address don't match. As I said, we've seen a lot of this where the spammer (really phisher) looks up an officer of the company and then sends the email with that name and a completely different email address. People (unfortunately) don't look at the address, only the name, and then follow the directions.
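
The two cases discussed in this thread (a display name that carries an address different from the real sender, and an officer's name on an outside address) can be checked at delivery time along with the [external] tag mentioned above. The following is an added example, not code from any poster or from cPanel; the domain list, the protected name and the function names are assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Assumed local policy (hypothetical values, not from the thread).
INTERNAL_DOMAINS = {"example.com"}
OFFICER_NAMES = ["Jane Doe"]  # constructed name of a commonly impersonated officer

ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _norm(name):
    """Lower-case, drop punctuation and sort tokens so 'Doe, Jane' equals 'Jane Doe'."""
    return " ".join(sorted(re.sub(r"[^a-z0-9]+", " ", name.lower()).split()))


PROTECTED = {_norm(n) for n in OFFICER_NAMES}


def check_from(from_header):
    """Return (is_external, findings) for one From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    # An unparseable header yields an empty domain and is treated as external.
    external = addr.rpartition("@")[2] not in INTERNAL_DOMAINS
    findings = []
    # Case 1: the display name contains an address other than the real sender.
    embedded = {a.lower() for a in ADDR_IN_TEXT.findall(name)}
    if embedded - {addr}:
        findings.append("name-contains-different-address")
    # Case 2: a protected officer name used by a sender outside our domains.
    if external and _norm(name) in PROTECTED:
        findings.append("protected-name-external-sender")
    return external, findings


def tag_subject(subject, from_header):
    """Prefix the subject with [external] when the sender is outside our domains."""
    external, _ = check_from(from_header)
    if external and not subject.startswith("[external]"):
        return "[external] " + subject
    return subject
```

SPF and DKIM results do not enter into either check, which is the point made in the thread: a message can pass both and still carry a misleading display name.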