Filtering Email Display Names


Introduction

In order to help people avoid being tricked about the sender of an email, from 2nd May 2017 we started filtering out the display name from email From: fields in email originating from outside the University.

This measure is not being applied to email from UK academic sites and other trusted, well regulated email domains that are heavily used.  This list of exemptions initially includes the following top level and second level domains.

.edu, .gov.uk, .ac.uk, .ja.net, .gov

This list is likely to be modified if more such domains are identified.  If you have one that you consider should be on the list, please contact the IT Service Desk.

What is being done

The From: field in an email header consists of two parts, a display name and an email address.  For example

From:  Winston Smith <W.Smith@brotherhood.org.oc>

The display name is Winston Smith, which is followed by the email address, W.Smith@brotherhood.org.oc. The address is in angle brackets at the end of the From: field.  Once the display name is removed, the From: field will appear as follows.

From: W.Smith@brotherhood.org.oc

The original From: field will be removed, but the content of this field will be added to the email headers as an X-header.  An X-header: is an email header field just like From: or Subject: but is not normally displayed by the program you use to read your email.

The display name is normally enclosed in quotation marks, followed by the email address in angle brackets. However, most email programs remove the quotation marks so the separation of display name and email address is not always clear.

Why is this being done?

Misleading display names are being used to trick people into thinking email is from a different sender from the actual sender.  This has happened a lot recently with email spreading malware with emails pretending to come from parcel companies such as DHL, UPS and Royal Mail.

We advise people to look at where email has come from and whilst a correct address does not guarantee that an email is genuine, an incorrect one guarantees that the email is bogus.

For example, consider the two addresses on emails, one from a parcel company Parcelagogo and one from a malicious mailer pretending to be from Parcelagogo:

From: Parcelagogo email deliveries <deliveries@parcelagogo.com>

From: Parcelagogo email deliveries <zingpa2033@gring.fahzi.in>

If your mail program displays the full From: field, you can easily see that the second one is definitely bogus (if you read to the end of the line).

However, people are increasingly using email programs that hide the address if a display name is present.  In these cases, both addresses would display as follows:

From: Parcelagogo email deliveries

From: Parcelagogo email deliveries

It then becomes impossible for you to spot the obviously bogus email from the content of the From: field.

In some cases, a display name will contain a fake email address in angle brackets or other brackets, so that even if your mail program displays the sender email address it is easy to be tricked into thinking that the fake email address is real.

For example

From: Parcelagogo email deliveries <deliveries@parcelagogo.com> <zingpa2033@gring.fahzi.in>

The email address at the end can easily be missed or hidden from view if using a small screen or reading the email in a pop-up window.

Because of the confusion caused and the number of people being misled by deceptive use of display names we decided that on balance we would remove them from any mail coming from top and second level mail domains that we did not have a high level of trust in.

Every time we remove a display name, the original content of the From: field is retained in one of the headers that is not normally displayed by email applications (X-BHAM-Origfrom:).  Using the example above, the From: field becomes:

From: zingpa2033@gring.fahzi.in

The original content of the From: field is retained as follows:

X-BHAM-Origfrom: Parcelagogo email deliveries <deliveries@parcelagogo.com> <zingpa2033@gring.fahzi.in>
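To make the rule above concrete, here is an added example (not the University's own filter code) that applies it to a parsed message: the address is taken from the last angle-bracketed token of the From: field, the display name is dropped unless the sender domain is under one of the exempt suffixes listed earlier, and the original value is kept in X-BHAM-Origfrom:. It assumes the message is already known to come from outside the University, so only the sender domain is checked, and the sample message is constructed from the Parcelagogo example.

```python
"""Added example: strip the display name from mail sent from non-exempt
domains and keep the original From: value in X-BHAM-Origfrom:."""
import email
import re
from email.message import Message

# Exempt suffixes as listed in the post; a sender domain is exempt when it
# is under one of them (e.g. cs.bham.ac.uk is under .ac.uk).
EXEMPT_SUFFIXES = (".edu", ".gov.uk", ".ac.uk", ".ja.net", ".gov")

# The address is the LAST angle-bracketed token (as the post notes); a fake
# "<x@y>" planted inside the display name therefore stays in the name part.
_FROM_RE = re.compile(r"^(.*)<([^<>]+)>\s*$")


def split_from(value: str) -> tuple[str, str]:
    """Return (display_name, address) for a From: header value."""
    m = _FROM_RE.match(value)
    if m:
        return m.group(1).strip().strip('"'), m.group(2).strip()
    return "", value.strip()  # bare address, no display name


def is_exempt(address: str, suffixes=EXEMPT_SUFFIXES) -> bool:
    """True when the domain part of the address is under an exempt suffix."""
    domain = address.rpartition("@")[2].lower()
    return any(domain.endswith(s) for s in suffixes)


def filter_display_name(msg: Message) -> Message:
    """Apply the post's rule in place (assumption: msg is already known to
    come from outside the University, so only the sender domain is checked)."""
    original = msg.get("From")
    if original is None:
        return msg
    name, address = split_from(original)
    if name and not is_exempt(address):
        del msg["From"]                    # original From: removed ...
        msg["From"] = address              # ... replaced by the bare address
        msg["X-BHAM-Origfrom"] = original  # ... and retained as an X-header
    return msg


# Constructed sample reproducing the post's deceptive From: field.
SAMPLE = (
    "From: Parcelagogo email deliveries <deliveries@parcelagogo.com> "
    "<zingpa2033@gring.fahzi.in>\n"
    "Subject: Your parcel\n\nSee attachment.\n"
)


def demo(raw: str = SAMPLE) -> Message:
    return filter_display_name(email.message_from_string(raw))
```

Running demo() on the sample yields From: zingpa2033@gring.fahzi.in with the full original value in X-BHAM-Origfrom:, while a From: under .ac.uk is left untouched.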

Should I trust the sender address anyway?

The short answer to this is not entirely.  However, if the sender address obviously has nothing to do with the person or company claiming to send the message, you can be certain that the message is malicious.

If the address is correct, you should still take care in assessing the rest of the message.  See our previous advice:

https://blog.bham.ac.uk/itsecurity/2016/12/22/malicious-emails-and-how-to-spot-them/

You might question why we are doing this if scammers can easily fake any part of the From: field.  This is because the display name is much easier to fake than the email address and exploitation of this is widespread and appears to be growing. Furthermore, we are seeing fewer faked email addresses, presumably because other controls applied to email are making this more difficult.

Potential Problems

We do not anticipate any major problems.  The majority of email will be unaffected, and the email that is affected will not be affected in a major way.

The display name adds very little functionally and the action we have taken will make it easier for people to spot some types of malicious email. You still have the email address displayed and people generally add their names to the end of messages, so there should be no problem in seeing who messages are from.

If you are searching for emails from a particular sender affected by the change using the display name, this may no longer work because the display name will not be present in newer emails.  In many cases the search will still work because the display name usually matches the sender’s name, which is likely to be present at the end of their emails. There are two ways to work around this issue.

One method is to search using the email address instead of the display name.

The other method is to use advanced search options to search all email headers for the display name.  Because the display name will still be present elsewhere in the headers, the search will find the emails.


Author: Chris Bayliss

IT Security Manager.
