Display Name Detection

Updated 3 years ago by admin

This article explains how to create a rule that detects unusual patterns in the display name, the area that shows who sent the email in most email clients. For example, some spammers try to confuse filtering systems by using your real domain name inside the display name, hoping to convince the recipient that the message is internal or genuine.

To set up the rule:

  1. Navigate to Products, Email Security and click Custom Rule Data.
  2. Click New and then the Rule RegEx option.
  3. Enter a meaningful name for the rule data, such as Display Name Detection.
  4. Craft a suitable regular expression to detect your domain name(s) in the From header and Save the new rule data entry. The following example assumes your domain name is acme.com.
From\:.{1,20}acme\.com

You can specify any type of pattern. For example, if you prefer to detect based on a keyword such as IT-Admin:

From\:.{1,20}IT\-Admin

You can include multiple entries separated by the pipe | character:

From\:.{1,20}acme\.com|From\:.{1,20}IT\-Admin|From\:.{1,20}acme\.co\.uk

Regular expressions in Custom Rule Data should not be wrapped by forward slashes. Remember to escape reserved characters.

You can use an external tool such as Regex 101 to test your patterns.

  5. Navigate to the Message Rules section.
  6. Click the + icon to add a new rule.
  7. Enter a meaningful name for the new rule, such as Display Name Detection.
  8. Add or drag the Direction tile into the Conditions column and configure it to use the Inbound value.
  9. Add or drag the Header Exists tile into the Conditions column, configure it to use the Match option and select the rule data saved in step 4.
  10. Add or drag the Add to Spam Score tile into the Actions column and configure it to set the value 145.

Based on default rules, a spam score between 101 and 140 will result in the email being quarantined and included in the spam digest. A spam score of 141 or above will ensure the message is sent to the company quarantine and is only available for administrators to review and release. Safe lists are excluded by default with this option.

  11. Click Save.
  12. Drag the new rule to above Confirmed Phishing or Confirmed Spam to activate it in your mail flow.
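
The rule data from step 4 can be checked offline against sample From headers before it goes into mail flow. The script below is an added example, not part of the product or the original article: it assumes Python's `re` engine behaves like the product's for these patterns, and every sample header in it is constructed.

```python
import re
from email.utils import parseaddr

# Rule data copied from the article: three entries joined with |.
RULE_DATA = r"From\:.{1,20}acme\.com|From\:.{1,20}IT\-Admin|From\:.{1,20}acme\.co\.uk"

# Constructed sample headers (not real mail); example.* domains are placeholders.
SAMPLES = [
    'From: "acme.com Support" <helpdesk@mail.example.net>',
    'From: IT-Admin <it@example.org>',
    'From: "Accounts acme.co.uk" <billing@example.net>',
    'From: Jane Doe <jane@acme.com>',
    'From: "Very Long Padding Text acme.com" <x@example.net>',
    'From: "ACME.COM Billing" <pay@example.net>',
    'From: Newsletter <news@example.com>',
]


def classify(header_line, pattern=RULE_DATA):
    """Return 'display-name', 'address' or None for one raw From header line.

    'display-name': the match ended before the email address began.
    'address': the pattern only matched by reaching into the address itself.
    None: the pattern did not match at all.
    """
    # Assumption: case-sensitive matching, which is Python's default.
    match = re.search(pattern, header_line)
    if match is None:
        return None
    _, addr = parseaddr(header_line.split(":", 1)[1])
    addr_start = header_line.rfind(addr) if addr else len(header_line)
    return "display-name" if match.end() <= addr_start else "address"


def report(samples=SAMPLES):
    """Map each sample header to its classification."""
    return {line: classify(line) for line in samples}


if __name__ == "__main__":
    for line, verdict in report().items():
        print(f"{verdict or 'no match':13} {line}")
```

The Jane Doe sample shows that the pattern is applied to the whole From header, so it also matches when the domain appears only in the address. The long-padding and upper-case samples are missed because of the `.{1,20}` window and case-sensitive matching in this test; the article does not state how the product handles case.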

The completed rule should look like this:

