Stop phishing by setting an e-mail sender policy

Email is a good way for attackers to obtain passwords and spread malware. A commonly used technique is phishing, in which the end user is tempted to click on a link, open an attachment, etc. Such a fake mail can look very real if the sender appears to be a colleague or manager. Many people do not know that the mail address shown as the sender in the mail message is not tied to the party that actually sent the mail. They therefore assume that the sender shown at the top of the message is the true sender. However, the message can display any address the attacker chooses. What makes it worse is that the real sender's mail address is not shown.

What can you do?

To prevent abuse of email addresses, a set of measures is available. Together they provide:

  • Improved detection of phishing.
  • Visibility on abuse of mail from your own domain.
  • Improved deliverability of your own mail.

E-mail security features

With 'authenticated e-mail' this can be countered. An e-mail policy specifies which mail servers may send mail on behalf of the organization. In addition, it indicates what should be done with mail sent by an unauthorized mail server: pass it through, mark it as "suspicious" or even block it. Technically, the mail policy is arranged through a combination of protocols, namely SPF, DMARC and DKIM. See here for an explanation.

Detecting phishing

The receiving mail server can detect that a mail message originates from a mail server that does not belong to the sender's domain. The mail can then be blocked, or passed through with the label 'suspicious'. If properly implemented, the user will see a big warning bar at the top of the mail message.

  • SPF (Sender Policy Framework)
    • The DNS server contains an SPF record that specifies which mail servers may send mail on behalf of this domain. In addition, a policy must be set (block, mark as suspicious, pass). See OpenSPF.
    • An example of an SPF record is:
      v=spf1 mx a:mailserver.mydomain.com -all
  • IDS (Intrusion Detection System)
    • Scan incoming mail traffic for suspicious senders and content.
  • AV (Anti-Virus) on the workstation
    • If an end user clicks on a malicious link, the AV solution can signal this and block further events.
  • Phishing-tests
    • Make users more phishing-aware and train them in recognizing it.

Keep an eye on abuse of mail from your own domain

To find out if email addresses of your home domain are abused by third parties, reports from Internet Service Providers can be useful.

  • DMARC (Domain-based Message Authentication, Reporting & Conformance)
    • In the DNS-server it is stated which reports you’d like to receive. See DMARC.org.
    • An example of a DMARC-record is:
      v=DMARC1; p=none; rua=mailto:dmarc@mydomain.com; fo=1

Improve deliverability of your own mail

On one hand, the mail can get a higher level of trust if it is determined that it has been sent from the correct mail servers. On the other hand, it is important that the mail server is not known as 'spam server'.

  • Monitor spam-blacklists
    • A domain can become registered on spam-blacklists for various reasons. Check the cause and solve it.
  • DKIM (DomainKeys Identified Mail)
    • Digitally signing all outgoing e-mail on behalf of the domain increases trust in the sender, thereby lowering the chance of the email ending up in the spam box.

SPF in practice

From personal observation (Q2 2017) it appears that roughly 2 out of 3 domains have an SPF record. It's common for organizations to create SPF records for their main domains, which are mostly used for mail. Less important domains often lack SPF records. However, the latter can also be misused for phishing. The SPF policies '~all' and '-all' are both widely used; the ratio is 50/50. Furthermore, the SPF implementation rate is much higher than that of DMARC: DMARC is only implemented at 5% of the domains.

SPF effectiveness test

I've done a short test to see if SPF is effective in practice. For this, I've spoofed emails from domains with different SPF policies, sent this mail to a number of addresses with different mail providers, and checked the final result in the mailboxes. The test cases were:

-all with specification of mail servers:

  • SPF policy with -all (Fail).
  • Test case: sending mail server is not authorized for this domain.
  • Expected behavior: mail is blocked.

-all with null policy: this domain does not send e-mail:

  • SPF policy with -all (Fail).
  • Test case: mail is sent from a domain that does not send e-mail.
  • Expected behavior: mail is blocked.

~all, spoof of external domain:

  • SPF policy with ~all (SoftFail).
  • Test case: sending mail server is not authorized for this domain.
  • Expected behavior: mail is passed through, with the label 'suspicious'.

~all, spoof of home domain:

  • SPF policy with ~all (SoftFail).
  • Test case: sending mail server is not authorized for this domain.
  • Expected behavior: mail is passed through, with the label 'suspicious'.

?all:

  • SPF policy with ?all (Neutral).
  • Test case: sending mail server is not authorized for this domain.
  • Expected behavior: mail is passed through; the policy allows it.
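To make the expected outcomes above concrete, here is a minimal SPF evaluator (an added example, not code from the original post) that applies the ip4, a, mx and all mechanisms of RFC 7208 to a sending IP, using a constructed in-memory DNS table in place of real lookups. The domain names, records and IP addresses in the table are assumptions chosen to mirror the five test cases, including the post's own example record for mydomain.com.

```python
import ipaddress

# Constructed in-memory DNS table standing in for real DNS lookups (assumption).
DNS = {
    "mydomain.com": {"TXT": "v=spf1 mx a:mailserver.mydomain.com -all",
                     "MX": ["mx1.mydomain.com"]},
    "mailserver.mydomain.com": {"A": ["198.51.100.10"]},
    "mx1.mydomain.com": {"A": ["198.51.100.11"]},
    "nomail.example": {"TXT": "v=spf1 -all"},                  # never sends mail
    "soft.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 ~all"},
    "neutral.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 ?all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(host):
    return DNS.get(host, {}).get("A", [])


def check_host(ip, domain):
    """Evaluate the domain's SPF record for a sending IP; the first matching term decides."""
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"                       # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:         # skip the "v=spf1" version tag
        qual = "+"                          # an omitted qualifier means "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True                  # catch-all: its qualifier is the policy
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in _a_records(arg or domain)
        elif mech == "mx":
            mxs = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(str(addr) in _a_records(mx) for mx in mxs)
        else:
            return "permerror"              # mechanism outside this subset (e.g. include)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # nothing matched and no "all" term present


def spoof_results(ip="192.0.2.5"):
    """SPF result for one unauthorised sender (constructed IP) against each policy."""
    return {d: check_host(ip, d)
            for d in ("mydomain.com", "nomail.example", "soft.example", "neutral.example")}
```

Whether a "fail" or "softfail" actually leads to a block or a warning bar is up to the receiving provider, which is exactly the variation the test below measures.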

Test result

The table shows the result. The green marked boxes are in accordance with expectations, the yellow and orange deviate.

[Table image: Test results SPF]

Conclusion

  • Many SPF records have references to SPF records of other domains. The least strict policy of all records is what ultimately applies. Thus, if there is a record with a '?all' policy, the result is that all mail servers (worldwide) are allowed to send mail on behalf of this domain.
  • SoftFail (~all) usually does not work unless it is a spoof of the home domain. In most cases, however, there is no effect.
  • A HardFail (-all) still has the most effect on blocking email, although this block is certainly not applied everywhere.
  • The results with SPF records are still unpredictable. The expectation is that when SPF and DMARC implementations become more common, they will become more uniform and have a more predictable effect. A complicating factor is that when DMARC is used, the SPF policy is overruled. The best chance of effect is when strict policies are used.

More information

The Internet Security Scan report shows the scores of your mail domains in terms of deliverability, prevention of mail spoofing and detection of abuse. The NCSC (National Cyber Security Center) advises implementing SPF, DMARC and DKIM and explains this in this publication (Dutch).
