Part 5 of 15: Block Spoofed Emails
What Is It?
I’d love to say that every email that arrives in your inbox is full of joy and happiness, but that’s about as likely as every email being from a genuine sender and completely legitimate. Few things could be further from the truth. Email spoofing is a tried-and-true favourite tactic of cyber criminals and often accompanies phishing, spear phishing, and whaling attacks on you and your organisation. With a little know-how, I could send out an email that looks like it came from the Prime Minister, my car dealership, or old matey next door. With a properly constructed message body, most people would have to look twice to tell the difference.
Organisations are catching up and we’re all getting a little smarter, but we all have moments of weakness, and the reason spoofed emails persist is that they work. Like many other cyber-crimes, it doesn’t need a high success rate to be profitable. We’re educating ourselves and our colleagues, yet the threat persists and will continue to persist. In addition to people acting as the last line of defence by refusing to act on spoofed emails, most of us can benefit from a little technical intervention.
By filtering how many emails get through to you, we reduce the likelihood of something nefarious (ah…. that word again) happening. Notice I said “reduce” and not “eliminate”. Anyone with an Outlook or Gmail account knows that a certain amount of filtering already happens, and we still need to clean out the “Junk Mail” folder now and then. Some corporate environments let very few spam or spoofed messages through, but they do get through. With a false sense of security and blind trust in technology, we can still get ourselves into hot water.
There are a few extra things we can do to control the flow of nefarious messages.
Where Do I Start?
Do you use email? Yes? Good, then this applies to you. There are several mechanisms for controlling the flow of spoofed messages. Sender Policy Framework (SPF) lets a domain owner publish in DNS the list of mail servers permitted to send mail for that domain; the receiving server checks the connecting server’s IP address against that list for the domain in the envelope sender (the MAIL FROM address used during delivery, not the From: header the recipient sees). If it doesn’t line up, the result is a fail or soft-fail, and what the receiver does with that is up to its configuration. Sender ID, Microsoft’s variant, works in a similar manner but checks the address taken from the message headers (the “purported responsible address”) rather than the envelope sender. DomainKeys Identified Mail (DKIM) takes a cryptographic approach: the sending server signs selected headers and the body with a private key, and the receiver fetches the matching public key from the signing domain’s DNS to verify that the message really did come from that domain and wasn’t altered in transit.
Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on both. The domain owner publishes a policy in DNS (none, quarantine or reject) that tells the recipient’s email server what to do with a message that fails; under DMARC a message passes only if SPF or DKIM passes and the domain that passed aligns with the domain in the From: header the recipient actually sees. Fail the check, drop the mail. Sounds simple? Not quite. Care must be taken to avoid blocking legitimate email (the newsletter tool, ticketing system or cloud service sending on your behalf that nobody added to SPF or set up with DKIM), which is probably part of the reason this strategy doesn’t get used more often or is rated higher in the list of strategies. DMARC’s other half is reporting: receivers send the domain owner aggregate reports on who is sending as that domain and whether they pass, which is how you find those legitimate senders before you tighten the policy.
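To make concrete what a receiving server actually evaluates for SPF and DMARC, here is an added example of the receiver-side logic in Python. It is not code from the original post: a small constructed zone stands in for real DNS lookups, so every domain name and address in it (example.com, mailprovider.example, attacker.example, loop.example) is an assumption made for the demo. It also shows two things the prose only hints at: the ten-lookup limit that breaks over-long SPF records, and why an attacker whose own domain passes SPF still fails DMARC for a spoofed From: header.

```python
"""Receiver-side SPF evaluation and DMARC alignment decision (added example, not code
from the original post).  DNS is replaced by the constructed ZONE dict below; every
name in it (example.com, mailprovider.example, attacker.example, loop.example) is an
assumption made for the demo."""
import ipaddress

ZONE = {
    # Domain owner lists its own MTA range and delegates to a mail provider.
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"],
    "_spf.mailprovider.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    # The attacker controls their own domain and publishes a valid SPF record.
    "attacker.example": ["v=spf1 ip4:198.51.100.77 -all"],
    # Quarantine on failure; relaxed SPF alignment, strict DKIM alignment.
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; pct=100; aspf=r; adkim=s; rua=mailto:dmarc@example.com"],
    # Misconfiguration: a record that includes itself never terminates.
    "loop.example": ["v=spf1 include:loop.example -all"],
}
MAX_DNS_LOOKUPS = 10   # RFC 7208 s4.6.4: more lookups than this is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_txt(zone, name, prefix):
    """First TXT record at name that starts with prefix, or None."""
    for rec in zone.get(name.lower(), []):
        if rec.lower().startswith(prefix):
            return rec
    return None

def check_spf(zone, domain, client_ip, _lookups=None):
    """SPF result for client_ip sending with MAIL FROM <...@domain>.  Models ip4, ip6,
    include and all; a, mx, exists and redirect need live DNS and are left out."""
    lookups = _lookups if _lookups is not None else [0]   # shared DNS-lookup counter
    record = lookup_txt(zone, domain, "v=spf1")
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network, and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(zone, arg, client_ip, lookups)
            if inner in ("none", "permerror", "temperror"):
                return "permerror" if inner == "none" else inner
            matched = inner == "pass"        # include matches only on an inner pass
        elif mech == "all":
            matched = True
        else:
            raise ValueError(f"mechanism {mech!r} is not modelled in this example")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # record ended without a match

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax of a DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Last two labels; a real receiver consults the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_verdict(zone, header_from, spf_domain, spf_result, dkim_domain, dkim_result):
    """Return (dmarc_result, requested_action).  An SPF or DKIM pass only counts when
    the domain that passed aligns with the domain in the From: header."""
    record = lookup_txt(zone, "_dmarc." + header_from, "v=dmarc1")
    if record is None:
        return "none", "none"                # no policy published: deliver as usual
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")     # p is none, quarantine or reject

if __name__ == "__main__":
    # Spoof: the attacker's own domain passes SPF, but From: example.com does not align.
    spf = check_spf(ZONE, "attacker.example", "198.51.100.77")
    print(spf, dmarc_verdict(ZONE, "example.com", "attacker.example", spf, None, "none"))
```

Note the two results that surprise people: the self-including `loop.example` record comes back `permerror`, not `fail`, so receivers treat it as no usable record at all; and the attacker's mail gets a clean SPF `pass` for attacker.example yet is quarantined, because DMARC judges alignment with the visible From: domain rather than SPF in isolation.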
Now that you have a rough idea about what you can do, you should probably consider what kind of emails you tend to deal with. If you get a lot of messages from few domains, it’s probably a straightforward implementation. If not, and they come from every corner of the planet, it’s probably going to take more planning.
Email filtering and blocking spoofed emails is a good area in which to call in the experts. Before doing that, getting as much detail as you can about your email usage and what tools are available is a good start. Do you use on-premises, hosted, or cloud-based solutions? Depending on your service, what options are included in your offering? If you are entirely on-premises, it’s all on you, but if you use cloud-based email (or even hosted, to some degree) you probably have email services and features you’re not using. Review your service agreements and support agreements. Failing that, pick up the phone, talk to your account manager, and find out what they are doing and what is available to you for spoofed email protection.
How Do I Make It Work?
A lot of these solutions rely on DNS, so make sure you have someone who knows DNS well to help you with this. SPF, for example, uses a list of authorised sending servers for a domain, published as a TXT record at the domain’s own name: it starts with v=spf1, lists IP ranges or include: references to your mail provider’s record, and ends with -all or ~all to say what happens to everyone else. Creating the record isn’t too complex, so this is a reasonable place to start. Two cautions, though. SPF evaluation allows at most ten DNS lookups per check, so chaining lots of include: entries breaks the record outright rather than making it stricter. And before you add anyone, thoroughly vet any organisation seeking to send on your behalf, because their mail becomes your mail in the eyes of every receiver – you don’t want to end up on a blacklist somewhere!
DKIM is also implemented via DNS (the public key lives in a TXT record under a selector name, selector._domainkey.yourdomain) but it has a cryptographic side: your mail servers must hold a private key and sign every outgoing message, and that key should be rotated, so you may need to call in some experts to assist if you want to go this route. The same goes for DMARC. Because it is built on top of SPF and DKIM, get those other two in place and working well first, then publish DMARC with p=none to collect reports, and only move to quarantine or reject once the reports show your legitimate mail passing. Properly designed, configured, and implemented, you should be able to cut down on spoofed email (and some of the other undesirable messages as well). Results may vary.
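The “cryptographic overhead” of DKIM is easier to size up once you see what the receiver actually does with a signed message. The Python below is an added example, not code from the original post: it implements the relaxed canonicalisation rules from RFC 6376, recomputes the body hash (bh=) and builds the exact byte string the signature (b=) covers. The message, selector and domain are constructed, and b= is a placeholder, because the final signature verification needs an RSA or Ed25519 library and is the part left to the mail server software.

```python
"""DKIM relaxed canonicalisation and body-hash (bh=) verification (added example, not
code from the original post).  The message, selector and domain are constructed; the
b= tag is a placeholder because the final signature check needs an RSA or Ed25519
library, which is the 'cryptographic overhead' the text refers to."""
import base64
import hashlib
import re

def canon_body_relaxed(body):
    """RFC 6376 s3.4.4: collapse runs of WSP to one space, strip trailing WSP per line,
    drop trailing empty lines, terminate every remaining line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def canon_header_relaxed(name, value):
    """RFC 6376 s3.4.2: lowercase the name, unfold, collapse WSP, trim, no space
    around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n"

def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body).encode()).digest()).decode()

def parse_message(raw):
    """Split a raw RFC 5322 message into [[name, value], ...] (folding kept) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += "\r\n" + line        # continuation of the previous header
        else:
            name, _, value = line.partition(":")
            headers.append([name, value])
    return headers, body

def dkim_tags(value):
    """Tags of a DKIM-Signature value; whitespace inside values (folded base64) is ignored."""
    tags = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = "".join(val.split())
    return tags

def verify_body_hash(raw):
    """Receiver side: recompute bh= over the canonicalised body.  False means the body
    was altered after signing (or the signer canonicalised it differently)."""
    headers, body = parse_message(raw)
    tags = dkim_tags(next(v for n, v in headers if n.lower() == "dkim-signature"))
    if not tags.get("c", "simple/simple").endswith("/relaxed") or tags.get("a") != "rsa-sha256":
        raise ValueError("only c=*/relaxed with a=rsa-sha256 is modelled in this example")
    return body_hash(body) == tags["bh"]

def signing_input(raw):
    """What the b= signature is computed over (RFC 6376 s3.7): the last instance of each
    header named in h=, then DKIM-Signature itself with b= emptied and no trailing CRLF."""
    headers, _ = parse_message(raw)
    sig_name, sig_value = next((n, v) for n, v in headers if n.lower() == "dkim-signature")
    out = ""
    for h in dkim_tags(sig_value)["h"].split(":"):
        value = next(v for n, v in reversed(headers) if n.lower() == h.lower())
        out += canon_header_relaxed(h, value)
    stripped = re.sub(r"(^|[\s;])b=[^;]*", r"\1b=", sig_value)
    return out + canon_header_relaxed(sig_name, stripped).rstrip("\r\n")

# Constructed message: the signer computes bh= over the body before signing.
BODY = "Hi Alice,\r\n\r\nPlease   approve the attached invoice.\r\n\r\nBob\r\n\r\n\r\n"

def build_message(body):
    return (
        "From: Bob <bob@example.com>\r\n"
        "To: alice@example.net\r\n"
        "Subject: Invoice\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        "\ts=sel2024; h=from:to:subject;\r\n"
        f"\tbh={body_hash(body)};\r\n"
        "\tb=PLACEHOLDER\r\n"
        "\r\n" + body)

MESSAGE = build_message(BODY)
```

Two practical points fall out of running it: relaxed canonicalisation means a relay that re-wraps whitespace or adds a trailing blank line does not break the signature, while changing one word of the body does; and because From: is in h=, a spoofer cannot reuse a captured signature on a message with a different sender, which is what makes the DKIM domain usable for DMARC alignment.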
Since DNS has popped up a few times, it might be worthwhile looking into DNSSEC if you haven’t already, but that is a topic for another day. Manage your DNS records well; otherwise it’s like getting directions to the place you don’t want to be.
Unless properly planned out, you could be causing yourself more pain than it’s worth. You could end up blocking legitimate email while still letting the wrong ones in, so be sure to do your homework before implementing any kind of anti-spoofing measure. If you’re reliant upon a cloud-based service, it’s probably a bit easier…. just make sure everyone is reading from the same page when you ask for any kind of anti-spoofing measure to be implemented.
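The homework the previous paragraphs call for has a concrete form: the aggregate reports receivers send back once a DMARC record with p=none and an rua= address is published. The Python below is an added example, not code from the original post, of triaging one such report before moving the policy to quarantine or reject. The XML is constructed in the RFC 7489 Appendix C format, and the IP addresses, domains and the volume threshold used to separate “legitimate sender nobody authorised” from “probable spoofing” are assumptions for the demo.

```python
"""Triage of a DMARC aggregate (rua) report before tightening p=none to quarantine or
reject (added example, not code from the original post).  The XML below is constructed
in the RFC 7489 Appendix C format; the IPs, domains and volume threshold are assumptions."""
import xml.etree.ElementTree as ET

REPORT_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r-0001</report_id>
    <date_range><begin>1717200000</begin><end>1717286400</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>s</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <record>  <!-- own mail servers: signed and SPF-authorised -->
    <row><source_ip>203.0.113.7</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- newsletter SaaS: SPF passes for ITS domain only, unsigned, so fails DMARC -->
    <row><source_ip>192.0.2.5</source_ip><count>800</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.newsletter-saas.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- own server that nobody configured DKIM on: passes on SPF alone -->
    <row><source_ip>203.0.113.8</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>  <!-- low-volume source failing everything: most likely spoofing -->
    <row><source_ip>198.51.100.200</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

def parse_report(xml_text):
    """Flatten one report into (domain, published policy, rows sorted by volume)."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row, pe, auth = rec.find("row"), rec.find("row/policy_evaluated"), rec.find("auth_results")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": pe.findtext("dkim"),                  # aligned DKIM result
            "spf": pe.findtext("spf"),                    # aligned SPF result
            "spf_domain": auth.findtext("spf/domain"),    # the domain SPF actually passed for
            "dkim_domain": auth.findtext("dkim/domain"),
        })
    policy = root.find("policy_published")
    return policy.findtext("domain"), policy.findtext("p"), sorted(rows, key=lambda r: -r["count"])

def classify(row, volume_threshold=100):
    """Heuristic verdict per source; the threshold is an assumption for the demo."""
    if "pass" in (row["dkim"], row["spf"]):
        if row["dkim"] != "pass":
            return "pass-spf-only"        # add DKIM: SPF breaks when mail is forwarded
        return "pass"
    if row["count"] >= volume_threshold:
        return "fail-high-volume"         # likely a legitimate sender you never authorised
    return "fail-low-volume"              # likely spoofing; safe to let the policy act

def failing_share(rows):
    """Fraction of reported messages that would be affected by p=quarantine/reject."""
    total = sum(r["count"] for r in rows)
    failed = sum(r["count"] for r in rows if "pass" not in (r["dkim"], r["spf"]))
    return failed / total if total else 0.0

def triage(xml_text):
    """Readable summary: one line per source plus the share a stricter policy would hit."""
    domain, policy, rows = parse_report(xml_text)
    lines = [f"{domain} p={policy}"]
    for r in rows:
        lines.append(f"{r['ip']:>15} {r['count']:>6} {classify(r):<18} spf_domain={r['spf_domain']}")
    lines.append(f"would fail under a stricter policy: {failing_share(rows):.1%}")
    return "\n".join(lines)
```

Read this way, the report says the newsletter provider (800 messages a day, SPF passing only for its own bounce domain) needs an include: entry or a DKIM key for example.com before the policy moves, the second server needs DKIM turned on, and the 15-message source is what the stricter policy is there to stop. Moving straight to p=reject would have thrown away about 35% of the day’s legitimate mail.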
Ghosts in the Machine?
Blindly trusting that our email filtering and control systems will catch all the badness is a fallacy. Some messages are still going to slip through the cracks, and consider that if someone else on your trusted network (or a partner whose domain you trust) is compromised, the filtering may not catch it: mail sent from a compromised but genuine account passes SPF, DKIM and DMARC, because it really did come from the authorised server. Blocking spoofed emails should be only one layer in your defence-in-depth strategy; the last line of defence is the human one, so vigilance is mandatory.
Make sure that everything else is up to date. Your endpoint protection, your email servers, operating systems, and any other applications or filtering services that help you deal with your email. There is little point in blocking spoofed emails if the rest of the infrastructure is outdated and full of holes. Ideally, this strategy will be behind several other strategies, but I would encourage its inclusion in anything around email filtering.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock