
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


Anti-Spam & Phishing Checklist

Topics: Phishing, Malware, Email Security, Email Filtering, Spam

Posted: 27 September 2017


Email is a consistent example of equal and opposite effects. On one hand, it has let businesses flourish in the electronic age with cheap and easy communication, making it the default method of message exchange; on the other, that direct-to-user route has kept it the number one infection vector of choice for malware and phishing attacks since the 1990s.

There are very few organisations (hopefully none) that don't use some form of email filtering solution to remove potential threats. There are countless offerings, some free and others with price tags that reflect the updates and additional services they provide. In all cases, the industry has had much practice over the years in combating these threats.

Yet email remains the infection vector of choice for most cybercriminals. One contributing factor could be that an air of mystery still surrounds malicious email detection techniques, leaving some email filtering solutions poorly configured or never updated.

Anti Spam & Filtering Checklist: Must-Have Detection Techniques

Below is a list of the must-have methods used to detect malicious emails. Ideally, your email filtering solution should employ all these techniques to keep detection rates at their highest possible levels.

  • Blacklists: Nice and easy. Blacklists are lists of IP addresses and domains known to send malicious email. Keeping these lists up to date normally involves some form of subscription to keep the feed open; however, there are free alternatives, for example Spamhaus Zen, which only requires a fee if a large number of queries are performed per day.

  • Reverse DNS lookups: When an email server is asked to receive an email, it looks up the DNS MX record of the sending server's domain, which gives the sending email server's host address. A reverse lookup on the IP address of the connecting email server should return the same host name; if it does not, this could indicate an email server being used for malicious purposes.

  • SMTP banner verification: When two SMTP (Simple Mail Transfer Protocol) email servers connect, they identify themselves to each other using their configured hostnames in their respective SMTP banners. If these do not match the corresponding DNS MX records, it can be assumed that the sending server's operator is unaware that it is being used to send spam for that domain. This could simply be poor configuration, but it could also indicate a hijacked email server.

  • Anti-virus and sandboxing: It is very unusual today for malware to be attached directly to an email. Even so, it is cheap and effective to scan every email for known signatures, and where no signature matches, files should be detonated in a sandbox environment. Far more common today is to entice users to click a URL hyperlink in the email body, which gets around attachment scanning because the malicious code is not present in the email itself. Good email filters include a URL-following technique that also scans the destination of any hyperlinks in the email.

  • SPF (Sender Policy Framework) records: SPF is a DNS record in the sending domain that lists all email servers permitted to send email for that domain. Recipient servers can query this list and compare it with the sending email server's address to check that it is permitted; those that are not could be malicious and should be dropped. SPF is a simple technique for preventing domain spoofing but is surprisingly uncommon.
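The first three checks in the list (blacklist lookup, reverse DNS and SMTP banner verification) are all DNS questions a receiving server asks about the connecting IP before it accepts a message. The example below, added here and not code from the original post or from any filtering product, shows how each is performed. It takes a resolver callable so it runs offline against constructed DNS data (the addresses are RFC 5737 documentation ranges and the "listing" is invented); the `zen.spamhaus.org` zone name is used only to show how a DNSBL query name is built. The reverse DNS check is implemented in its usual forward-confirmed form (PTR name must resolve back to the IP), and the banner check accepts either the sender domain's MX host, as the post describes, or that confirmed reverse name; both are this example's own design choices.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# A resolver is any callable (name, record type) -> list of answers; [] means no data / NXDOMAIN.
Resolver = Callable[[str, str], List[str]]

# Constructed DNS data for the demo. Addresses come from the RFC 5737 documentation
# ranges and the "listing" is invented; none of this reflects real Spamhaus data.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("7.113.0.203.zen.spamhaus.org", "A"): ["127.0.0.4"],       # 203.0.113.7 is "listed"
    ("10.100.51.198.in-addr.arpa", "PTR"): ["mail.sender.example"],
    ("mail.sender.example", "A"): ["198.51.100.10"],
    ("sender.example", "MX"): ["mail.sender.example"],
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Stand-in for a real DNS client so the example runs offline."""
    return FAKE_ZONE.get((name, rtype), [])


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: the address octets (IPv6: nibbles) reversed, under the zone."""
    rp = ipaddress.ip_address(ip).reverse_pointer      # e.g. 7.113.0.203.in-addr.arpa
    return rp.rsplit(".", 2)[0] + "." + zone            # drop in-addr.arpa / ip6.arpa


def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the list's answer address if the IP is listed, else None.
    DNS blacklists answer a listed query with an address in 127.0.0.0/8; no answer means not listed."""
    for answer in resolve(dnsbl_query_name(ip, zone), "A"):
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            return answer
    return None


def forward_confirmed_rdns(ip: str, resolve: Resolver) -> Optional[str]:
    """Reverse-lookup the connecting IP, then require the returned name to resolve back to it.
    Returns the confirmed hostname, or None if either direction fails."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    for host in resolve(addr.reverse_pointer, "PTR"):
        host = host.rstrip(".").lower()
        if any(ipaddress.ip_address(a) == addr for a in resolve(host, rtype)):
            return host
    return None


# RFC 5321 greeting: "220 <domain> ..." (a multiline greeting starts "220-<domain>").
BANNER_RE = re.compile(r"^220[ -](\S+)")


def banner_hostname(banner: str) -> Optional[str]:
    """Extract the hostname a server announces in its SMTP greeting line."""
    m = BANNER_RE.match(banner.strip())
    return m.group(1).rstrip(".").lower() if m else None


def banner_consistent(banner: str, ip: str, mail_from_domain: str, resolve: Resolver) -> bool:
    """True when the announced hostname matches either the sender domain's MX host
    or the forward-confirmed reverse DNS name of the connecting IP."""
    announced = banner_hostname(banner)
    if announced is None:
        return False
    expected = {h.rstrip(".").lower() for h in resolve(mail_from_domain, "MX")}
    confirmed = forward_confirmed_rdns(ip, resolve)
    if confirmed:
        expected.add(confirmed)
    return announced in expected


if __name__ == "__main__":
    # A well-configured sender next to a host with no reverse DNS and a generic banner.
    for ip, banner in [("198.51.100.10", "220 mail.sender.example ESMTP"),
                       ("203.0.113.7", "220 localhost.localdomain ESMTP")]:
        print(ip,
              "dnsbl:", dnsbl_listed(ip, "zen.spamhaus.org", fake_resolve),
              "fcrdns:", forward_confirmed_rdns(ip, fake_resolve),
              "banner_ok:", banner_consistent(banner, ip, "sender.example", fake_resolve))
```

Swapping `fake_resolve` for a real DNS client is the only change needed to run these checks live; keeping the resolver injectable is also what makes the logic unit-testable without network access.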
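For the anti-virus, sandboxing and URL-following point, the filter first has to pull out of the message everything worth scanning: each attachment (hashed for signature lookup and handed to the sandbox) and every hyperlink in the text and HTML bodies. The following example, added here and not part of the original post, builds a constructed lure message with Python's standard `email` library and walks its MIME parts to collect those artefacts; the scanning and link-following themselves are left to whatever engine sits behind it.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from typing import Any, Dict, List

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def build_sample() -> bytes:
    """Constructed message: a lure with a link in the body and a PDF attachment (placeholder bytes)."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "user@recipient.example"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Please review your invoice at http://203.0.113.7/invoice/view?id=42 today.")
    msg.add_alternative('<p>Review <a href="https://pay.sender.example/login">here</a>.</p>',
                        subtype="html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def extract_artefacts(raw: bytes) -> Dict[str, List[Any]]:
    """Walk every MIME part: hash attachments for signature/sandbox lookup and
    collect hyperlinks from text parts so a URL-following scanner can fetch them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls: List[str] = []
    attachments: List[Dict[str, Any]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no content of their own
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""   # base64/QP already undone
            attachments.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        elif part.get_content_maintype() == "text":
            body = part.get_content()     # decoded to str
            urls.extend(URL_RE.findall(body))
            if part.get_content_subtype() == "html":
                urls.extend(HREF_RE.findall(body))   # links hidden behind anchor text
    # De-duplicate while preserving the order links were first seen.
    seen: set = set()
    unique_urls = [u for u in urls if not (u in seen or seen.add(u))]
    return {"urls": unique_urls, "attachments": attachments}


if __name__ == "__main__":
    result = extract_artefacts(build_sample())
    for att in result["attachments"]:
        print("attachment:", att["filename"], att["content_type"], att["size"], att["sha256"])
    for url in result["urls"]:
        print("url to follow:", url)
```

Hashing the decoded payload (not the base64 text) is what lets the result be compared against signature feeds, and collecting `href` targets separately from visible text is what catches links whose anchor text shows a different address.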
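An SPF check is a small interpreter: the receiver fetches the sending domain's `v=spf1` TXT record and walks its terms in order until one matches the connecting IP, with the term's qualifier (`+`, `-`, `~`, `?`) giving the result. The example below, added here and not code from the original post, evaluates the core mechanisms (`ip4`, `ip6`, `a`, `mx`, `include`, `all`) against a constructed zone for a hypothetical `sender.example` domain (RFC 5737 addresses); modifiers such as `redirect=` and macro expansion are out of scope, and the resolver is injected so the whole thing runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], List[str]]   # (name, record type) -> answers, [] if none

# Constructed DNS data: a hypothetical domain whose SPF record authorises its MX host,
# a small address block and a third-party bulk mailer via include:. Addresses are RFC 5737 ranges.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("sender.example", "TXT"): ["v=spf1 mx ip4:198.51.100.0/28 include:_spf.bulkmail.example -all"],
    ("sender.example", "MX"): ["mail.sender.example"],
    ("mail.sender.example", "A"): ["198.51.100.10"],
    ("_spf.bulkmail.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Stand-in for a real DNS client so the example runs offline."""
    return FAKE_ZONE.get((name, rtype), [])


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10   # RFC 7208 limit on include/a/mx terms per evaluation


def _addr_in_hosts(addr, hosts: List[str], resolve: Resolver) -> bool:
    """True if any of the hostnames resolves to the connecting address."""
    rtype = "AAAA" if addr.version == 6 else "A"
    return any(ipaddress.ip_address(a) == addr
               for h in hosts for a in resolve(h.rstrip("."), rtype))


def check_host(ip: str, domain: str, resolve: Resolver, budget: Optional[List[int]] = None) -> str:
    """Evaluate the domain's SPF record for a connecting IP.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    budget = budget if budget is not None else [MAX_DNS_TERMS]   # shared across include: recursion
    addr = ipaddress.ip_address(ip)
    records = [r for r in resolve(domain, "TXT") if r.split(" ", 1)[0].lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"           # more than one SPF record is a publishing error
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("include", "a", "mx"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"   # too many DNS-querying terms
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"   # malformed address or prefix in the record
        elif name == "a":
            matched = _addr_in_hosts(addr, [arg or domain], resolve)
        elif name == "mx":
            matched = _addr_in_hosts(addr, resolve(arg or domain, "MX"), resolve)
        elif name == "include":
            sub = check_host(ip, arg, resolve, budget)
            if sub == "permerror":
                return sub
            matched = sub == "pass"  # include: matches only when the referenced policy passes
        else:
            continue                 # modifiers (redirect=, exp=) and unknown terms are ignored here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                 # no term matched and no explicit "all"


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.5", "192.0.2.25", "203.0.113.7"):
        print(ip, "->", check_host(ip, "sender.example", fake_resolve))
```

The `budget` list is shared down the `include:` recursion on purpose, so a chain of includes cannot turn one SPF check into an unbounded number of DNS queries; a `fail` result means the domain explicitly disowns the sending address, while `softfail` and `neutral` are weaker signals better combined with the other checks than acted on alone.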

It's not all Black and White with Email Security

In the real world, even legitimate email servers lack some of the records and validation steps mentioned. It would be foolish to block anything that fails just one of these checks; they are far better used in combination. Most good mail filters provide a quarantine function that lets your users access the emails falling between black and white, albeit in a controlled environment.
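One way to turn "use the checks in combination, with a quarantine for the grey area" into a concrete policy is a weighted score with two thresholds. The example below is added here and is not code from the original post or from any product; the weights and thresholds are illustrative values chosen for the demo, and the check names are the assumed outputs of the individual detection steps. A single soft failure such as a missing reverse DNS record delivers, several together quarantine, and a confirmed malware hit rejects outright.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Illustrative weights: how much each failed check counts towards blocking.
# These are example policy values chosen for the demo, not settings from any product.
WEIGHTS: Dict[str, float] = {
    "dnsbl_listed": 5.0,        # connecting IP on a blacklist
    "rdns_mismatch": 2.0,       # reverse DNS absent or not forward-confirmed
    "banner_mismatch": 1.5,     # SMTP banner hostname disagrees with DNS
    "spf_fail": 3.0,            # sending IP explicitly not permitted (-all)
    "spf_softfail": 1.0,
    "spf_none": 0.5,            # domain publishes no SPF at all
    "av_signature": 10.0,       # attachment matched a known signature
    "sandbox_malicious": 10.0,  # detonation showed malicious behaviour
    "url_flagged": 4.0,         # a followed link led somewhere malicious
}
QUARANTINE_AT = 3.0
REJECT_AT = 8.0


def classify(signals: Dict[str, bool]) -> Tuple[str, float, List[str]]:
    """Turn the individual check results into deliver / quarantine / reject.
    A single soft failure never blocks on its own; several together land in quarantine."""
    reasons = [name for name, hit in signals.items() if hit and name in WEIGHTS]
    score = sum(WEIGHTS[name] for name in reasons)
    if score >= REJECT_AT:
        return "reject", score, reasons
    if score >= QUARANTINE_AT:
        return "quarantine", score, reasons
    return "deliver", score, reasons


@dataclass
class Quarantine:
    """Controlled holding area: messages stay here until a user or admin releases them."""
    held: Dict[str, Tuple[bytes, List[str]]] = field(default_factory=dict)
    released: List[str] = field(default_factory=list)

    def hold(self, message_id: str, raw: bytes, reasons: List[str]) -> None:
        self.held[message_id] = (raw, reasons)   # reasons are shown to the user on review

    def release(self, message_id: str) -> bytes:
        raw, _ = self.held.pop(message_id)
        self.released.append(message_id)        # keep an audit trail of releases
        return raw


def process(message_id: str, raw: bytes, signals: Dict[str, bool], q: Quarantine) -> str:
    """Apply the verdict: quarantined messages are parked, the rest are delivered or rejected."""
    verdict, _score, reasons = classify(signals)
    if verdict == "quarantine":
        q.hold(message_id, raw, reasons)
    return verdict


if __name__ == "__main__":
    q = Quarantine()
    print(process("m1", b"...", {"rdns_mismatch": True}, q))                        # deliver
    print(process("m2", b"...", {"rdns_mismatch": True, "spf_softfail": True}, q))  # quarantine
    print(process("m3", b"...", {"dnsbl_listed": True, "spf_fail": True}, q))       # reject
    print("held:", sorted(q.held), "reasons:", q.held["m2"][1])
```

Keeping the reasons alongside each held message is what makes the quarantine reviewable: a user or administrator can see which checks failed rather than just that "something" looked wrong.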

All the techniques listed above can be used to weed out potentially malicious email servers connecting and sending email to your users, but they can also be used in reverse to reduce the chance of spam profilers flagging your own email as spam.

If your partners, customers and contacts have been finding your emails in their spam folders, you should also look at some of the above techniques and consider how they can be used not just to prevent abuse but to validate your online email identity. After all, email is not just an attack vector; it is also how you distribute your marketing messaging, quotes and purchase orders. Balancing security and operations is a challenge that can be answered using the same means.


Posted by: Infinigate UK
