Gmail Filters – How to Set Up Filters Based on Header Information

Tags: gmail, gmail-filters, phishing

A very persistent person(s) is continually spoofing a company employee's e-mail address with criminal intent. They attempt to e-mail other people in the company trying to trick them into believing the e-mail is coming from a co-worker. Each time they use a different "reply to" address. I've been trying to figure out a way to set up a filter in Gmail that trashes any spoofed e-mails that are not really authentic.

So the spoofed e-mails come from employee@OurDomain.com but the "reply to" field is alwayschanging@variousdomains.com. We can never stop them because they keep changing which e-mail they use in the "reply to". They even went as far as buying domain names very similar to ours so it would look real. They also tried calling so this goes beyond your average phishing. I contacted the registrar and had those cancelled as fraud but the e-mail spoofing continues.

My thought was to set up a filter that is based on "has the words", but that only seems to apply to the content of the e-mail itself and not the header.

Is there a way to create a Gmail filter to filter e-mails based on the content in the e-mail header?

Or maybe I should take a different approach?

Gmail Advanced Search Reference:
https://support.google.com/mail/answer/7190?hl=en

Best Answer

You can use Google Script to search the Reply-To: field in the header and route messages to different folders if they do not match the domain in the From: field.

Here's a sample snippet for searching the Raw Header of a message via scripts.

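function searchGmailByMessageHeader() {
  // Fetch the threads currently in the inbox
  var threads = GmailApp.getInboxThreads();
  for (var t = 0; t < threads.length; t++) {
    // Raw content of the first message in the thread, split into lines
    var headers = threads[t].getMessages()[0].getRawContent().split("\r\n");
    for (var h = 0; h < headers.length; h++) {
      // Replace DOMAIN_NAME with the domain to look for; /i because header names are case-insensitive
      if (headers[h].match(/Reply-to.*?DOMAIN_NAME/i)) {
        // DO SOMETHING
        break;
      }
    }
  }
}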

Also see: Advanced Gmail Filters with Apps Scripts
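
The From/Reply-To domain comparison described in the answer, as an added example that is not part of the original answer. It goes beyond the single-domain regex by parsing only the header block, unfolding continuation lines and comparing the two domains; the function names and the sample messages (`ourdomain.example`, `lookalike.example`) are assumptions made for illustration.

```javascript
// Added example. Pure JavaScript: runs in Node and in Apps Script.

// Parse the header block of a raw message into {lower-cased name: value}.
function parseHeaders(raw) {
  var headerBlock = raw.split(/\r?\n\r?\n/)[0];            // headers end at first blank line
  var unfolded = headerBlock.replace(/\r?\n[ \t]+/g, " "); // join folded continuation lines
  var headers = {};
  unfolded.split(/\r?\n/).forEach(function (line) {
    var i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  });
  return headers;
}

// Domain of the address in a value such as 'Some Name <user@host>'.
function addressDomain(value) {
  var m = /<([^<>\s]+)>/.exec(value) || /([^\s<>,;"]+@[^\s<>,;"]+)/.exec(value);
  if (!m || m[1].indexOf("@") < 0) return null;
  return m[1].slice(m[1].lastIndexOf("@") + 1).toLowerCase();
}

// True when Reply-To is present and its domain differs from the From domain.
// Assumption: an unparsable From or Reply-To address counts as a mismatch.
function replyToMismatch(raw) {
  var h = parseHeaders(raw);
  if (!h["reply-to"]) return false; // no Reply-To header: replies go to From
  var from = addressDomain(h["from"] || "");
  var reply = addressDomain(h["reply-to"]);
  return from === null || reply === null || from !== reply;
}

// Constructed sample messages (not real mail).
var SPOOFED = "From: Employee <employee@ourdomain.example>\r\n" +
  "Reply-To: Employee\r\n <someone@lookalike.example>\r\n" +
  "Subject: Quick favor\r\n\r\nAre you at your desk?";
var LEGIT = "From: employee@ourdomain.example\r\n" +
  "Subject: Notes\r\n\r\nReply-To: x@other.example appears only in this body.";
```

In Apps Script, pass `threads[t].getMessages()[0].getRawContent()` to `replyToMismatch` in place of the regex test. Mailing lists and ticketing systems legitimately set a Reply-To on another domain, so applying a label for review is a safer first action than trashing.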