Blocking phishing spam from a fake domain with just one letter different from our domain

We use GFI Mail Essentials; a few interesting spam messages from the same spammer passed all spam filters and were delivered to our financial controller. I posted the email at the bottom of this. Basically the spammer created a fake domain and actually registered it (even paying and doing homework for this spam), and sent an email to our financial controller to wire money. The sender name is the same as our president's and the email address is just one letter different from our domain name.
I guess the spammer actually did some LinkedIn searching to find our company management list, then created a domain by adding an 'i', created an email server account and did all the hard work to send this spam.

So technically this domain and email server are legit and will pass our GFI Mail Essentials spam filtering, such as the SPF check, DNS & phishing database checks (since it's a new domain), etc.

How can I block this type of email from a domain which is technically all legit, has never been in any spam database, but is just one letter 'i' different from our domain name?

Process a wire for $207,398.49 to the attached instructions now, code to admin expenses. Confirm when you have it sent.


-------- Original Message --------
Subject:               (no subject)
Date:     2014-08-14 16:11


Per our conversation, attached is the wiring instructions for the payment. Let me know when done.


X-Antivirus: AVG for E-mail
Microsoft Mail Internet Headers Version 2.0
Received: from ([]) by mail.COMPANY_DOMAIN with Microsoft SMTPSVC(6.0.3790.4675);
                Thu, 14 Aug 2014 10:21:14 -0400
Received: from (b-bigip1 [])
                by (Postfix) with ESMTP id 57116D39D6
                for <COMPANY_CFO_NAME_UPN@COMPANY_DOMAIN>; Thu, 14 Aug 2014 14:21:14 +0000 (UTC)
X-Spam-Summary: 30,2,0,,d41d8cd98f00b204,,:,RULES_HIT:41:152:355:379:582:602:800:871:960:962:973:988:989:1000:1152:1189:1260:1313:1314:1345:1381:1433:1434:1437:1516:1517:1518:1541:1566:1571:1575:1589:1594:1711:1714:1730:1764:1776:1792:2197:2198:2199:2200:2527:2528:2557:2559:2562:2909:3138:3139:3140:3141:3142:3653:3769:3865:3867:3871:3872:3873:4321:5007:6117:6119:6261:6264:6291:6506:6618:6663:6668:6669:6678:6747:6748:7281:7576:7802:7875:7903:8603:9007:9009:9545:10004:10214:10229:10394:10400:10402:10407:10482:10848:11473:11604:11658:11914:12043:12049:12166:12340:12517:12519:12555:12740:13095:13139:13848:14036:14096:19901:19997:21080,0,RBL:none,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fn,MSBL:0,DNSBL:none,Custom_rules:0:0:0
X-HE-Tag: lift01_ab83d633b42c
X-Filterd-Recvd-Size: 229603
Received: from (imap-ext [])
                (Authenticated sender:
                by (Postfix) with ESMTPA
                for <COMPANY_CFO_NAME_UPN@COMPANY_DOMAIN>; Thu, 14 Aug 2014 14:21:13 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/mixed;
Date: Thu, 14 Aug 2014 16:21:13 +0200
Subject: Fwd: (no subject)
Message-ID: <>
User-Agent: Roundcube Webmail/1.0.1
X-Originating-IP: []
X-OriginalArrivalTime: 14 Aug 2014 14:21:14.0882 (UTC) FILETIME=[0185BE20:01CFB7CB]

Content-Type: multipart/alternative;

Content-Transfer-Encoding: 7bit
Content-Type: text/plain

Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: base64
Content-Type: application/pdf;
Content-Disposition: attachment;
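A defensive check for the situation described above, added here as an example and not part of the original thread: it scores the domain in each From: header against the organisation's own domains with an edit distance, so a domain one letter away from ours (an inserted 'i', a substituted character or a swapped pair) is flagged even though SPF and reputation checks pass, and a message that merely reuses an executive's display name from an unrelated domain is flagged separately. The domains, names and sample headers are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: the organisation's real domains and the lowercase
# display names of executives a lookalike-domain message is likely to spoof.
OUR_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane president"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender(raw_message: str, max_distance: int = 2) -> str:
    """Classify the From: header as internal, lookalike, name-spoof or external.
    Only the RFC 5322 From: is inspected; the envelope sender is not checked here."""
    name, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for ours in OUR_DOMAINS:
        if domain == ours or domain.endswith("." + ours):
            return "internal"
    for ours in OUR_DOMAINS:
        if damerau_levenshtein(domain, ours) <= max_distance:
            return "lookalike"  # e.g. one extra or swapped letter
    if name.strip().lower() in PROTECTED_NAMES:
        return "name-spoof"  # executive's name on an unrelated domain
    return "external"


SAMPLES = {  # constructed messages, not the ones quoted in the thread
    "genuine": "From: Jane President <jane@example.com>\nSubject: Q3\n\nhi\n",
    "extra-i": "From: Jane President <jane@examplie.com>\nSubject: (no subject)\n\nwire\n",
    "swapped": "From: Jane President <jane@exmaple.com>\nSubject: urgent\n\nwire\n",
    "freemail": "From: Jane President <jane.president@mail.example.org>\n\nhello\n",
    "vendor": "From: Bob Supplier <bob@supplier.net>\n\ninvoice\n",
}
```

Messages classified as "lookalike" or "name-spoof" are the ones to quarantine or route to a reviewer; a real deployment would also normalise punycode domains before comparing.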


Even if this domain is legitimate from a spam filter point of view, you can still block it from your mail server because its domain name is different from yours; whether by one character or ten characters is irrelevant.

I don't know the policies of your organisation, but you can block this dodgy domain at the server, or presumably you can tell GFI Mail Essentials to treat all mail from that domain as spam based purely on its domain name rather than its content.

You could also do a Whois lookup to find out where the domain is being hosted, although you'll probably find that it's somewhere where the forces of law and order are a bit thin on the ground.
Svet Paperov (IT Manager) commented:
Short answer: you can't. Even if you block one, this won't stop the attacker from creating and using a new one.

Your user is the subject of a targeted social engineering attack. This kind of attack cannot be stopped by technical means. The only way is to educate the users to distinguish legit mail from fake mail.

If the environment is very sensitive, you could opt in for mail encryption and digital signatures.

As a workaround, while looking for a long-term solution, you could create mail rules for the targeted user to flag the good e-mails.
Svet Paperov is correct in what he says; I omitted to say that the procedure I outlined above would have to be repeated for every new attack using this technique, which needless to say will become quite tiresome.

The price of freedom is eternal vigilance...

crcsupport (Author) commented:
I blocked the domain, so the spam will not come to our company. But there are two concerns.

1. What if they create a domain with a different letter, ex) and the fake domain is

2. I am also concerned that the spammer may use the fake domain with our clients or any public entity, representing our company.

For this reason, I submitted the case to the fake domain's registrar to see how they handle it.
Also, we have to look into the process of how we communicate with our clients about sensitive information.

I wonder if any of you have encountered this type of phishing email solely targeting a specific business entity and how you handled it.
crcsupport (Author) commented:
Is there any technology that can tell our clients if the email is actually from us, not from this fake domain?
Human beings are still better than technology at detecting fraudulent emails, but only if those human beings are educated and alert. You caught this attempt at fraud before it did any damage; your customers should be just as alert.

However, you might want to advise your clients of this nearly-your-domain threat, and any subsequent ones, as the possibilities for damage to the company/client relationship are substantial if you don't. If the cybercriminals can't fool you into parting with money they might settle for trying to ruin the company's reputation instead.
crcsupport (Author) commented:
I agree manual inspection is still better at filtering spam, but sometimes you make a mistake and later find out it's wrong, but it's too late to get back the sent email with my credit card information. This can happen to our clients even though we alert them.
So, I wonder if there's any email technology available to verify if the email our clients receive is actually from us.
Is there any email technology other than just creating a signature in outlook or using company template word document with a company letter head?
Svet Paperov (IT Manager) commented:
All banks and other financial institutions have this problem with their clients. The only thing they can do is to communicate each major threat and educate the clients not to respond to suspicious e-mails.

The registrar might or might not do something, but this is a never-ending game.

Your best strategy will be digital signing and encryption even with your clients.
If there is, I'm not aware of it. However, by advising your clients of this spurious domain (and any others like it) they can block emails from it with their own filters. Not a perfect solution, I agree, but a whole lot better than saying nothing and waiting for the fertiliser to hit the fan.
crcsupport (Author) commented:
Svet Paperov,
can you give me links to digital signing and encryption service? I don't know what it is.
crcsupport (Author) commented:
For Digital ID,
I guess it's only for Outlook users, for both sender and recipient.
Svet Paperov (IT Manager) commented:
Symantec Digital ID is an example but there are other solutions as well.

More about securing e-mail in Outlook 2010 with S/MIME or via OWA

Unfortunately, I cannot advise you further because I don't have particular experience with those technologies except for receiving encrypted e-mails from time to time (maybe until the moment when our organization becomes a victim of a similar attack).

crcsupport (Author) commented:
OK, thanks.
I will keep this post for a while and see what others do to verify sender to recipient.