Exim rewrite Subject line if Reply-To domain does not match From domain

exim spam

I would like to rewrite the subject line of all emails that contain a Reply-To: line with an email address in a different domain than the From: line. The reason for this is that I frequently get fraud emails that look like this:

From:     My Name <my.name@mycompany.com>
To:       billing@mycompany.com
Reply-To: thief@gmail.com
Subject:  Please urgently pay attached invoice
...

Outlook displays the "From: " information, which can easily be forged, but does not display the Reply-To: line by default. So the email does not look suspicious. If one replies, the email is sent to thief@gmail.com, and the thief will of course make sure that the From: My Name header is again shown in the response. Some of these emails are so cleverly designed that people fall for it.

To prevent this, I would like to rewrite the Subject line to something like "[Potential fraud] Please urgently pay this invoice" if there is a Reply-To recipient which is in a different domain than the From sender.

How do I configure Exim to do this? Please advise.

Best Answer

This configuration prepends "[Potential fraud]" to the subject if the Reply-To and From domains differ.

exim.conf:

system_filter = /etc/exim/system_filter.conf

system_filter.conf:

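# Exim filter
# Capture everything from the first "@" of Reply-To into $1.
if $h_reply-to matches "(@.+)"
# Act only when that captured text does not occur in the From header.
and not $h_from contains "$1"
then
  # Keep the original subject in a temporary header while Subject is replaced.
  headers add "Old-Subject: $h_subject"
  headers remove "Subject"
  headers add "Subject: [Potential Fraud] $h_old-subject (reply-to domain is $1)"
  headers remove "Old-Subject"
endif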

I use a regex to extract the reply-to domain (if present) including the "@". The matching text needs to be in the from header to avoid the warning.

Note: The $1 regex backreference remains available for the subject rewrite.
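
An added example, not part of the original answer: a Python sketch for checking offline which messages a Reply-To/From domain rule would tag. It goes beyond the filter above by parsing the addresses in each header and comparing their domains case-insensitively; the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

TAG = "[Potential Fraud]"  # same marker the filter above prepends

def header_domains(msg, name):
    """Lower-cased domains of every address found in header `name`."""
    pairs = getaddresses(msg.get_all(name, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}

def mismatched_reply_domains(raw):
    """Reply-To domains that are not among the From domains."""
    msg = message_from_string(raw)
    return sorted(header_domains(msg, "Reply-To") - header_domains(msg, "From"))

def tag_subject(raw):
    """Subject to display: tagged when a Reply-To domain differs from From."""
    subject = message_from_string(raw).get("Subject", "")
    bad = mismatched_reply_domains(raw)
    if not bad or subject.startswith(TAG):  # nothing to flag, or already tagged
        return subject
    return f"{TAG} {subject} (reply-to domain is @{', @'.join(bad)})"

# Constructed sample messages (hypothetical, modelled on the question's example).
FRAUD = (
    "From: My Name <my.name@mycompany.com>\n"
    "To: billing@mycompany.com\n"
    "Reply-To: thief@gmail.com\n"
    "Subject: Please urgently pay attached invoice\n\nbody\n"
)
SAME_DOMAIN = (
    "From: My Name <my.name@mycompany.com>\n"
    "Reply-To: Accounts <accounts@MyCompany.com>\n"
    "Subject: Monthly statement\n\nbody\n"
)
NO_REPLY_TO = "From: My Name <my.name@mycompany.com>\nSubject: Hello\n\nbody\n"

if __name__ == "__main__":
    for raw in (FRAUD, SAME_DOMAIN, NO_REPLY_TO):
        print(tag_subject(raw))
```

Running saved messages through `tag_subject` before enabling the filter shows which legitimate senders, such as those whose Reply-To points at a different domain, would be tagged as well.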