How to protect yourselves against “Email Spoofing”? DMARC?

The current news is that Flipkart's CEO's email was spoofed and an email requesting a transfer of $80,000 was sent to the Flipkart CFO. The attempt didn't succeed because the CFO called the CEO back to check the reason; that is how the case came to light and a major scam was avoided.


This isn't something new; it has been prevalent for the last few years. The only thing I could say is that the attempts are more common now and are making front-page news. Our inherited email technology has also failed to safeguard users against such attacks. Email servers today support technology to prevent email spoofing, phishing and spam, but the default configuration leaves it disabled. Since email is the foundation of any enterprise, small, medium or large, a strong security process needs to be in place to secure the email infrastructure.


I have come across many instances where the IT team is unaware of the simple configuration required to increase their defensive capabilities against such attacks, which can be done with the technology already available and without any investment.


I would like to share the process for making your email infrastructure secure against such email spoofing and for strengthening your defences against phishing and spam. Below are the technical steps you could share with your IT team for implementation.


Three Simple steps to Nirvana:

  1. Enable SPF: Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism that allows receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques. SPF has to be configured through the Domain/DNS Control Panel.
  2. Enable DKIM: DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by providing a mechanism that allows receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators. It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam. DKIM allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain; this is done using cryptographic authentication. DKIM has to be configured on the email server and in the Domain/DNS Control Panel.
  3. Enable DMARC: Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing. It provides a mechanism which allows a receiving organization to check that incoming mail from a domain is authorized by that domain's administrators and that the email (including attachments) has not been modified during transport. It is thus intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations. DMARC is specified in RFC 7489. DMARC is built on top of two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the sender of an email to publish a policy on which mechanism (DKIM, SPF or both) is employed when sending email and how the receiver should deal with failures. Additionally, it provides a reporting mechanism for actions performed under those policies. It thus coordinates the results of DKIM and SPF and specifies under which circumstances the From: header field, which is often visible to end users, should be considered legitimate. DMARC settings give you the option to Monitor, Quarantine or Reject emails that are detected as spoofed or spam. Follow the method below to rule out false positives. A conservative deployment cycle would resemble:

a. Monitor all.
b. Quarantine 1%.
c. Quarantine 5%.
d. Quarantine 10%.
e. Quarantine 25%.
f. Quarantine 50%.
g. Quarantine all.
h. Reject 1%.
i. Reject 5%.
j. Reject 10%.
k. Reject 25%.
l. Reject 50%.
m. Reject all.

Attempt to remove the percentages as quickly as possible to complete the deployment. DMARC has to be configured through the Domain/DNS Control Panel.
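As an added illustration (not from the article), the Python below builds the DMARC TXT value for each stage of the conservative cycle above, parses a published record back into its tags, and evaluates a simple SPF record against a sending IP without any DNS lookups. The percentage stages map to the record's `pct` tag, which only applies once the policy is `quarantine` or `reject`. The domain, report address and IP ranges are constructed placeholders, and `include:`/`a:`/`mx:` mechanisms are skipped because they need DNS resolution.

```python
"""Added example: DMARC record construction/parsing and an offline SPF check.
All domains, addresses and IPs below are constructed placeholders."""
import ipaddress

# The article's deployment cycle: monitor, then quarantine and reject in
# increasing percentages. pct=100 means "apply the policy to all mail".
DEPLOYMENT_CYCLE = (
    [("none", 100)]
    + [("quarantine", p) for p in (1, 5, 10, 25, 50, 100)]
    + [("reject", p) for p in (1, 5, 10, 25, 50, 100)]
)

POLICIES = ("none", "quarantine", "reject")


def dmarc_record(policy, pct=100, rua="mailto:dmarc-reports@example.com"):
    """Return the TXT value to publish at _dmarc.<domain>.
    pct=100 is the DMARC default, so it is omitted to keep the record short."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags = ["v=DMARC1", f"p={policy}"]
    if pct != 100:
        tags.append(f"pct={pct}")
    tags.append(f"rua={rua}")  # aggregate reports, used to spot false positives
    return "; ".join(tags)


def deployment_records(rua="mailto:dmarc-reports@example.com"):
    """One record per stage of the conservative cycle, in order."""
    return [dmarc_record(policy, pct, rua) for policy, pct in DEPLOYMENT_CYCLE]


def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict and validate the required tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def spf_check(record, sender_ip):
    """Minimal SPF evaluation handling ip4/ip6/all mechanisms only.
    Returns one of: pass, fail, softfail, neutral, none.
    Mechanisms and modifiers that need DNS (include, a, mx, ptr, exists,
    redirect=) are skipped, which a real evaluator must not do."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record for this domain
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to "pass" when matched
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # ip_network handles a bare address as a /32 or /128
            if ip in ipaddress.ip_network(arg, strict=False):
                return qualifiers[qualifier]
        elif mech == "all":
            return qualifiers[qualifier]
        # anything else requires DNS; ignored in this offline example
    return "neutral"  # end of record with no match (RFC 7208 default)


if __name__ == "__main__":
    for stage in deployment_records():
        print(stage)
    spf = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
    print(spf_check(spf, "192.0.2.10"), spf_check(spf, "198.51.100.7"))
```

The `rua` address is kept at every stage because the aggregate reports are what tell you which legitimate senders are failing before you raise `pct`. A `-all` SPF record combined with a `p=reject` DMARC record is the end state the article's cycle is working towards.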

Once all three configurations are complete, log on to www.dmarcian.com, create a free account and follow the configuration instructions.

The dashboard shows the status of SPF, DKIM and DMARC. Any anomalies are highlighted, with a suggestion to reconfigure.
You could choose to buy the paid subscription, which gives you in-depth analytics and other features.

It would be a huge support if you could like or share this article with your friends and colleagues to help them improve their defences and their email security infrastructure.

Taradutt Pant

Cybersecurity Solution Architect | Trusted Advisor | Championing Cybersecurity Awareness & Strategy | Know Your Limits. Become Limitless.

8 years

Awesome sharing!! IT mail server teams generally forget these steps.

Anand Venkatanarayanan

Global IAM Delivery Lead | 25+ Yrs in Cybersecurity | Strategist for Cost-Effective Security

8 years

End user education is key, technology can only get that far.

Vijay R.

Sales Leader | New Entrepreneur

8 years

Email spoofing is just scratching the surface and is very basic... the more dangerous thing is sending an email from within the email server (by compromising the email server itself or, simpler still, the CEO's desktop with a simple phishing attack).... BUT... it's very surprising to see that email confirmation is the process used for the transfer of high-value funds... not just in this case... but also in the case of the Central Bank of Bangladesh and so many others... Unless this process is improved with the use of technology to authenticate / validate the instructions that are issued to third parties, we will continue to see this type of fraud.

Aditya Sarangapani

Information Security and Risk Management Leader | Board-Level Advisor on Information Security, Governance, Risk, Compliance and Privacy | CISO | CISM | CDPSE | CISA | Shaping Secure and Resilient Enterprises Globally

8 years

Very informative article. However, some scamsters are getting clever. They are already thinking one step ahead. They create a temporary email id on a public email service (e.g. Gmail) but change the display name to match the sender. So the filters defined here will validate that this is a genuine email from a Gmail account, but it is actually a fake. Hence, I would recommend always checking before transferring any money or data.

Amit Kumar

Azure Principal Consultant | Azure MCT | MBA | ITIL Expert | TOGAF 9.2

8 years

Very informative. Sometimes we forget the basics and keep on implementing high-end gadgets to protect our servers.

More articles by Chandresh Dedhia
