Detect SMTP Domain Mismatch

This example detects SMTP messages where the domain in the sender's email address does not match the domain of the SMTP server that sent the message. A mismatch can be a sign of a phishing attack, though additional indicators may be needed to confirm it.

For example:

function Flow_SMTPDomainMismatch (dpiMsg, ruleEngine)
  -- get/verify application SMTP
  local app = GetLatestApplication(dpiMsg)
  if app == "smtp" then
    -- get/verify sender domain (the domain of the sending SMTP server)
    local sender_domain = GetString(dpiMsg, "smtp", "sender_domain")
    if sender_domain ~= nil and sender_domain ~= '' then
      sender_domain = string.lower(sender_domain)
      -- get/verify sender email
      local sender_email = GetString(dpiMsg, "smtp", "sender_email")
      if sender_email ~= nil and sender_email ~= '' then
        -- parse/verify/save the domain from sender email
        -- (guard against an address with no '@', which would otherwise make string.sub fail on nil)
        local at_pos = string.find(sender_email, '@', 1, true)
        local sender_email_domain = nil
        if at_pos ~= nil then
          sender_email_domain = string.sub(sender_email, at_pos + 1, string.len(sender_email))
        end
        if sender_email_domain ~= nil and sender_email_domain ~= '' then
          sender_email_domain = string.lower(sender_email_domain)
          SetCustomField(dpiMsg, "sender_email_domain", sender_email_domain)
          -- check if sender's real domain matches their claimed domain (exclude gmail)
          -- alarm on mismatch
          if not string.find(sender_domain, sender_email_domain, 1, true)
            and not string.find(sender_domain, 'gmail', 1, true)
            and not string.find(sender_domain, 'google', 1, true) then
            SetCustomField(dpiMsg, "sender_domain", sender_domain)
            SetCustomField(dpiMsg, "sender_domain_mismatch", 'true')
            TriggerUserAlarm(dpiMsg, ruleEngine, 'medium')
            EZINFO('domain mismatch, sender domain: '
              .. sender_domain .. ', email domain: ' .. sender_email_domain
              .. ', UUID: ' .. GetUuid(dpiMsg))
          end
        end
      end
    end
  end
end
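The same mismatch logic, as an added example in plain Python that is not the rule above and not NetMon code, run over constructed sample records so the decision can be checked offline. The record keys `app`, `sender_domain` and `sender_email` are assumptions standing in for `GetLatestApplication()` and the `GetString(dpiMsg, "smtp", ...)` lookups. It goes slightly beyond the rule: besides the rule's plain-substring comparison it includes a stricter suffix comparison, which shows why a server name such as `example.com.evil.net` passes the substring check but not the suffix check.

```python
# Added example: the page's SMTP domain-mismatch logic re-implemented in plain
# Python so it can be run offline. It is not NetMon's code. The record keys
# "app", "sender_domain" and "sender_email" are assumptions that stand in for
# GetLatestApplication() and the GetString(dpiMsg, "smtp", ...) lookups.

# Substrings that exempt the sending server from the check, as in the rule.
GMAIL_EXCLUSIONS = ("gmail", "google")


def email_domain(sender_email):
    """Return the lower-cased domain part of an address, or None if absent.

    An address with no '@' yields None and the record is skipped, instead of
    failing the way a bare string.find/string.sub parse would.
    """
    if not sender_email or "@" not in sender_email:
        return None
    domain = sender_email.rsplit("@", 1)[1].strip().lower()
    return domain or None


def substring_mismatch(sender_domain, claimed_domain):
    """The page's check: mismatch when the claimed domain is not found
    anywhere inside the sending server's domain (plain string.find)."""
    return claimed_domain not in sender_domain


def suffix_mismatch(sender_domain, claimed_domain):
    """Stricter check: the server name must equal the claimed domain or end
    with '.' + claimed domain, so 'example.com' is not matched by
    'example.com.evil.net' or 'notexample.com'."""
    return not (sender_domain == claimed_domain
                or sender_domain.endswith("." + claimed_domain))


def check_record(record, strict=False):
    """Evaluate one record and return the custom fields the rule would set.

    Returns None when the rule would not act at all (not SMTP, or a required
    value is missing). The 'alarm' key marks where TriggerUserAlarm fires.
    """
    if record.get("app") != "smtp":
        return None
    sender_domain = (record.get("sender_domain") or "").strip().lower()
    claimed_domain = email_domain(record.get("sender_email"))
    if not sender_domain or not claimed_domain:
        return None
    fields = {"sender_email_domain": claimed_domain}
    # The rule exempts Google-hosted sending servers before comparing.
    if any(x in sender_domain for x in GMAIL_EXCLUSIONS):
        return fields
    compare = suffix_mismatch if strict else substring_mismatch
    if compare(sender_domain, claimed_domain):
        fields["sender_domain"] = sender_domain
        fields["sender_domain_mismatch"] = "true"
        fields["alarm"] = "medium"
    return fields


# Constructed sample records, not captured traffic.
SAMPLE_RECORDS = [
    {"app": "smtp", "sender_domain": "mail.example.com",
     "sender_email": "alice@example.com"},    # server matches the claim
    {"app": "smtp", "sender_domain": "relay.other-host.net",
     "sender_email": "billing@example.com"},  # plain mismatch
    {"app": "smtp", "sender_domain": "mail-xx.google.com",
     "sender_email": "bob@example.com"},      # excluded by 'google'
    {"app": "smtp", "sender_domain": "example.com.evil.net",
     "sender_email": "ceo@example.com"},      # substring passes, suffix alarms
    {"app": "smtp", "sender_domain": "mail.example.com",
     "sender_email": "no-at-sign"},           # malformed address, skipped
    {"app": "http", "sender_domain": "mail.example.com",
     "sender_email": "alice@example.com"},    # not SMTP, skipped
]


def alarmed_indices(records, strict=False):
    """Indices of the records that would raise the medium alarm."""
    return [i for i, r in enumerate(records)
            if (check_record(r, strict) or {}).get("alarm") == "medium"]


if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, check_record(rec), check_record(rec, strict=True))
```

With the rule's substring comparison only record 1 alarms; with the suffix comparison records 1 and 3 alarm. The `gmail`/`google` exemption is applied before either comparison, exactly as in the rule, so a Google-relayed message never alarms regardless of the claimed domain.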