CEO Fraud

Every now and then, an email arri­ves at my com­pa­ny mailserver.

From: surname_big_boss lastname_big_boss <>
To: surname_victim lastname_victim <>

It is always the same: the atta­cker asks for the victim’s mobi­le num­ber or Whats­app num­ber, — and in the end, they will trick the vic­tim into trans­fer­ring money to the atta­cker. See
And unfort­u­na­te­ly, I had user in the past who replied 🙁

Of cour­se, you can­not block the attacker’s email address, becau­se it chan­ges with every new attack.
But what if we block ever­y­thing with the dis­play name “surname_big_boss lastname_big_boss” and an email domain that is NOT one of ours? With post­fix and regu­lar expres­si­ons, that is quite easy:

~# grep ^header_checks /etc/postfix/
header_checks = pcre:/etc/postfix/header_checks_map

Sil­ly naming, I know. It is not a map. But names are not important 😉

And now in /etc/postfix/header_checks_map

/^From: +surname_big_boss +lastname_big_boss +<.+@(?!mycompany\.(de|com)).*>$/i REJECT Go away phisher

Don’t for­get to rel­oad post­fix after you made the change.

Of cour­se, this works not so good if your boss is “Peter Smith”… Mine has a more uni­que name.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert