Other phishing attempts would use CEO names in the name field with a different return email address. The way users fall for this is they do not look at the originating email address. It also does not help that most mail clients will only show display name when provided instead of the email.
Currently zimbra does not have a way to create a transport rule. We also use Sophos UTM mail filtering and I was not able to add them there. The Sophos Mail appliance which is a separate product does have this capability.
One way on zimbra that I was able to warn users that the email came from the external domain is by displaying a yellow banner at the top of the email using a custom modifed zimlet. Zimlets are add ons that can be added to zimbra mail server to add functionality to the web client. There are many third party add ons that extend zimbra mail server functionality.
Before we get to how I was able to achieve this I wanted to let you know that many users are annoyed with any indication that email originated from outside a company or even that an email maybe spam of phishing. Also I have experienced users that get annoyed for having to check their Junk or Spam folder especially since its a rare occurrence for them. Their argument is they are not used to it so they should not have to. In any other mail system they may use they may have much more spam and junk and false negatives that they may look at their junk folder. They may even be told by the system they are expecting an email from to check their spam folder.
In a perfect world users expect 0 spam, 0 false negatives, and no phishing emails. While many phishing emails may look obvious to you and I and we know to check the from address, the URL that we are being re directed to and even analyzing the contents relevance, users usually skim or not even read and click links. Then they inform IT after they fall for it and ask that they should have received an email from IT warning them that this specific email that may or may not be going around be sent to everyone warning them its a fake email phishing attempt. One thing I do know is if we were to constantly email users warning them about things they would not even read the email and would delete it then would just click on the link. To the user, its another email from IT that they don't need to read.
I see this happen all the time when roiling out new features or updates. They delete the email without reading it or even making a mental note on what its about. Later they will send an email or come to IT with an issue on why they cant do this or that. They may even say they were not informed or even better they never received the email. This is one reason I try to send out minimum of notices, the more they receive the more they just click that delete button. I like to use an intranet page that I place helpful links notes etc that they may need to refer to later after they have deleted that email they never received, not that they ever find that either.
Back to the solution I was able to implement that users do not like because they find it annoying. I've heard from users that most of the emails they get are from external customer. Yes this is correct and most of the phishing attacks are from external sources and yet they still think that IT admins sent them change your password links or the CEO sent them an email to buy a bunch of gift cards that they need right away and they should only email them the codes but not bother calling them because they are busy. All we can do is provide the user with the tools to help identify spoofed emails and help educate them on phishing.
If you are not using SPF records or DKIM keys those should be your first changes you make. This will help eliminate the spoof emails that look like they came from your company. Also grey listing is helpful to eliminate fake mail servers granted this will delay some of the mail a little but will stop a lot of spam. But this doesn't stop all because they will use Display name spoofing to get your users to fall for the scams. In the display name spoofing they will use your CEO names, they may even put an email to make it look like your domainname. You can put email@example.com in the display name and that will appear on the email client instead of the real email. Its not hard to spot that, just clicking reply will show the real email address.
What I ended up doing is using an existing zimlet and making changes to it to get display a yellow banner in the zimbra webmail that this email came from an external domain.
The zimlet I used is the tk_barrydegraaff_sa_alert zimlet found on https://zetalliance.org/
tk_barrydegraaff_sa_alert is Phishing Alert zimlet that uses existing spamassasin scoring and will alert you with a yellow banner if the email may have triggered any of pre exisitng phishing rules spamassasin uses. Since we use sophos UTM mail filetering with some well know blacklists our zimbra spamassasin has nothing to filter for the most part and we dont see many spam, phishing get past it. Ones that have are like I said CEO name display spoofing which doesn't trigger most rules or fake admin and human resources emails using real external mail servers.
I renamed the module to extenal_sa_alert and made changes to the external_sa_alert.js removing all the previous header checks and adding a custom one EXTERNAL_DOMAIN. This was palced in the zimlet-deployed/_dev directory. Since we are renaming the zimlet any references to tk_barrydegraaff_sa need to be changed to external_sa_alert in any of the files in the _dev/external_sa_alert/ I will have a zip file with the changes and the external.cf file available.
I created a external.cf file that gets placed in /opt/zimbra/data/spamassassin/localrules/ directory with a entry for a custom header I want created that we check for using the external_sa_alert.js.
I have it assign a low score of .1. Its not high enough to classify the email as spam no matter how many other filters it triggers but its high enough to trigger the external_sa_alert zimlet to display a yellow warning banner.
In the external.cf file we put the EXTERNAL_DOMAIN header and assign it a score of .1 if it doesnt have your company domain in the From:addr header
# Email from external domain
# change the From:addr to all local or external companydomains you use that belong to your company. remove extra
header EXTERNAL_DOMAIN From:addr !~ /\@companydomain\.com|\@mail\.companydomain\.com|\@monitor\.pvt\.companydomain\.com|\@alerts\.localdomain/i
describe EXTERNAL_DOMAIN e-mail from external domain
score EXTERNAL_DOMAIN 0.1
In the tk_barrydegraaff_sa that got renamed to external_sa_alert the main changes that need to be made are
add this line which if it sees the EXTERNAL_DOMAIN header with value of .1 we assigned will display the yellow banner.
(msg.attrs['X-Spam-Status'].indexOf('EXTERNAL_DOMAIN') > 0)
and remove all these lines
(msg.attrs['X-Spam-Status'].indexOf('URI_PHISH') > 0) ||
(msg.attrs['X-Spam-Status'].indexOf('FREEMAIL_FORGED_REPLYTO') > 0) ||
(msg.attrs['From'].indexOf('=0D') > -1) ||
(msg.attrs['From'].indexOf('=0A') > -1) ||
((msg.attrs['From'].indexOf('=00') > -1)) || //mailsploit
(msg.attrs['X-Spam-Status'].indexOf('FROMNAME_SPOOF') > 0)
To make the change to the existing yellow banner this is what I changed
this is what is in the tk_barrydegraaff_sa
alertmailTxt + '
I will zip up the changes I made and make available for anyone else that may want to do this. This alert is only available in the web client and not from any other mail client. I'm looking into using postfix to see if I can add [EXTERNAL] to the subject as well.
I still use the tk_barrydegraaff_sa module for its intended purpose but added some custom rules to check from CEO name spoofing, attempts that pretend to be admin, human resources, or even attempts that put domain name in the display name field and tag those with a higher score. I will put this in a separate article in case anyone finds it useful.