Every now and then, an email arrives at my company mailserver.
From: surname_big_boss lastname_big_boss <email@example.com> To: surname_victim lastname_victim <firstname.lastname@example.org>
It is always the same: the attacker asks for the victim’s mobile number or Whatsapp number, — and in the end, they will trick the victim into transferring money to the attacker. See https://en.wikipedia.org/wiki/Email_spoofing#Business_email
And unfortunately, I had user in the past who replied 🙁
Of course, you cannot block the attacker’s email address, because it changes with every new attack.
But what if we block everything with the display name “surname_big_boss lastname_big_boss” and an email domain that is NOT one of ours? With postfix and regular expressions, that is quite easy:
~# grep ^header_checks /etc/postfix/main.cf header_checks = pcre:/etc/postfix/header_checks_map ~#
Silly naming, I know. It is not a map. But names are not important 😉
And now in /etc/postfix/header_checks_map
/^From: +surname_big_boss +lastname_big_boss +<.+@(?!mycompany\.(de|com)).*>$/i REJECT Go away phisher
Don’t forget to reload postfix after you made the change.
Of course, this works not so good if your boss is “Peter Smith”… Mine has a more unique name.