By Shahzad Subhani
Introduction: The purpose of this article is to provide a simplified overview of email attack types. This is the second article of my series on Email Security. You can read the first article on Email Security basics.
The following are the different types of email attacks:
- Email Relaying
- Spam/Unwanted Emails/Marketing Emails/Newsletters
- Malware (Viruses/Worms/Trojans/Spyware/Ransomware)
- Spoofing (people sending you emails from spoofed domains)
- Phishing/Spear Phishing
- Impersonation (other people sending email on your behalf)
- DoS/DDoS (Denial of Service / Distributed Denial of Service)
Let’s talk about each of them briefly.
Email Relaying
Email relay means sending emails through an SMTP server. Email relay becomes an attack when an attacker uses your SMTP server to relay emails to another domain without your knowledge. This used to be a very common attack in the early days of SMTP, with worms or Trojans using misconfigured company servers to send emails. These days, however, most servers are configured securely and well protected by default.
Email Relaying Example
Go to Mxtoolbox.com and do an MX lookup for any domain, e.g. gmail.com. Click on SMTP Test. The Mxtoolbox servers will test the mail servers and give you a report like the one shown. Try this for any other domain, as it is public information.
Here are more details on what actually happened in the background. You can see that the MX Toolbox server tried to send an email to another domain (instead of gmail.com) and it was rejected, as Gmail will only accept emails addressed to gmail.com.
Email Relaying Prevention Tips
In order to prevent email relaying, configure your email server/gateway to receive incoming emails only for your own domains. For outbound emails, allow only authorized IP addresses to relay. Also, port 25 access to the email gateway or email server should be given to selected IP addresses only.
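The relay rule above, written out as a RCPT TO decision function, with the same test MxToolbox performs (an outside IP trying to send to a foreign domain). This is an added example, not code from the article or from any mail product; the local domains and authorized networks are assumptions.

```python
import ipaddress

# Constructed sample policy for a hypothetical gateway; the domains and
# networks below are assumptions, not a real product's configuration.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
AUTHORIZED_RELAY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                             ipaddress.ip_network("192.168.1.0/24")]


def relay_decision(client_ip: str, rcpt_to: str, authenticated: bool = False) -> tuple:
    """Return the SMTP reply code and text for one RCPT TO command.

    Inbound mail (recipient in one of our domains) is accepted from anyone.
    Relaying to a foreign domain is allowed only from authorized networks or
    an authenticated session; everything else is refused, so the server
    cannot be used as an open relay.
    """
    if "@" not in rcpt_to:
        return 501, "Syntax error in recipient address"
    rcpt_domain = rcpt_to.rsplit("@", 1)[1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return 250, "OK"  # inbound delivery for our own domain
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in AUTHORIZED_RELAY_NETWORKS):
        return 250, "OK"  # authorized outbound relay
    return 554, "Relay access denied"


def is_open_relay(client_ip: str) -> bool:
    """Mimic the MxToolbox SMTP test: from an outside IP, try to send to a
    foreign domain. True means the server accepted the relay (open relay)."""
    code, _ = relay_decision(client_ip, "test@test.example.net")
    return code == 250


if __name__ == "__main__":
    print(relay_decision("203.0.113.5", "alice@example.com"))  # inbound: accepted
    print(relay_decision("203.0.113.5", "bob@other.example"))  # relay from outside: refused
    print(relay_decision("10.1.2.3", "bob@other.example"))     # relay from internal: accepted
    print("open relay from the internet:", is_open_relay("203.0.113.5"))
```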
Spam/Unwanted Emails
- Any kind of promotional, unwanted or marketing email is considered spam. The most common example is drug-related spam.
- Every organization receives and blocks hundreds of spam emails every day.
- People use their corporate account on different sites; their email addresses get stolen and are then used by spammers or for newsletter spam.
- Emails with too many graphics or short URLs are also classified as spam by many email gateways.
Practical Tips to Prevent Email Spam
- Always keep looking for false positives, as some good emails are marked as spam as well. Such domains or senders can be whitelisted.
- Block all emails from Google Groups or other mailing lists, as people should not use corporate accounts for mailing lists.
Email Malware
- This is a very common attack. Normally executable files are sent over email, or malicious links are sent in email bodies, and the user is enticed by the subject or keywords to click on them.
- Executable file extensions are changed to .doc, .xls or anything benign.
- Excel or Word documents are sent with hidden malicious macros in them.
Email Malware/Ransomware Prevention
- End users should think twice before clicking on a link, especially if they are not expecting such an email.
- Always block executables. However, at times executable extensions are changed to .doc, .xls or anything benign; email gateways that identify the true file type can detect and block such emails.
- If your email gateway supports it, remove macros or any active code from incoming PDF, Word and Excel files. Symantec Messaging Gateway provides such an option under the DISARM feature.
- Emails with URLs can sometimes slip through if the email gateway is not able to check the URL. However, these days email gateways give you the option to disable any URLs in the email body. This is a good, safe option and should be used.
- Additionally, a big organization also needs to add another layer of sandboxing in order to prevent zero-day attacks or targeted emails with malicious attachments.
- User awareness is very important; users need to think twice before clicking on a link, especially if they are not expecting such an email.
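How a gateway's "true file type" check catches a renamed executable, and how it spots macros in an OOXML document regardless of extension. This is an added example, not the article's or any product's code; the signature table is deliberately small and the sample document is constructed in the block.

```python
import io
import zipfile

# Magic numbers (leading bytes) for the file types the gateway cares about.
SIGNATURES = {
    b"MZ": "pe-executable",                        # Windows EXE/DLL
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy .doc/.xls container
    b"PK\x03\x04": "zip",                          # also .docx/.xlsx/.docm
}
OFFICE_EXTENSIONS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm"}

def true_file_type(data: bytes) -> str:
    """Classify by content, ignoring the file name entirely."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def has_office_macro(data: bytes) -> bool:
    """OOXML files keep VBA in word/vbaProject.bin or xl/vbaProject.bin.
    Legacy OLE2 documents need an OLE parser (e.g. oletools); not handled here."""
    if true_file_type(data) != "zip":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.endswith("vbaProject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def attachment_verdict(filename: str, data: bytes) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = true_file_type(data)
    if kind.endswith("executable"):
        disguise = f" disguised as .{ext}" if ext in OFFICE_EXTENSIONS else ""
        return "block: executable" + disguise
    if ext in OFFICE_EXTENSIONS and has_office_macro(data):
        return "block: macro-enabled document"
    return "allow"

def sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like zip for testing, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```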
Email Spoofing/Phishing
- A spammer/attacker sends an email that has been manipulated to appear as if it originated from a trusted source.
- To put it simply, someone sends you email from their own domain, but it appears to you as if it came from gooddomain.com.
- A spoofed email can be used to get the user to click on a link, or it can be an email from the CEO to the CFO asking for an urgent wire transfer. Just search for BEC (Business Email Compromise) attacks; these are very common and some organizations have suffered from them.
- Spoofing is done to hide the real identity of the attacker and is mostly used as part of a phishing attack.
- Phishing occurs when an attacker sends a fraudulent email disguised as coming from an authorized and trusted source. The intent of the email is to obtain personal or financial information or to trick the recipient into installing malware on his/her device.
- In such emails the EHLO name is different, but FROM, REPLY-TO and RETURN-PATH are spoofed, and the user's email client shows the spoofed FROM address.
- Spear phishing is a highly targeted phishing attack.
- Phishing and spear phishing both use email to reach the victims. However, spear phishing sends customized emails to a specific person or organization, and the criminal researches the target's interests before sending the email.
- In some real-world scenarios, organizations or their employees are hacked and emails are then sent from those organizations to their partner organizations. Because the email comes from a trusted organization, the chances of the recipient clicking on a link or opening an attachment are very high.
Email Spoofing Example
- This is an email spoofing example, and you can see that it was not blocked by Gmail; they did add a question mark, but how many people will notice that?
- For those who want to try, it was sent via https://emkei.cz. You can do a Google search for online email spoofing and try some yourself.
Email Spoofing/Phishing Prevention Tips
For inbound traffic, configure your email gateway to check for the following:
- Use local/global IP reputation lists to block or defer at the connection level.
- Use DNS validation and reject connections from IP addresses that do not have a reverse DNS record.
- You can also reject connections where a reverse DNS record exists for the connecting IP address, but the ‘A’ or ‘AAAA’ record of the resulting domain does not match the connecting IP address.
- Check whether the EHLO/HELO name is real or fake: the domain provided at HELO/EHLO is fake if it has neither an ‘A’, nor an ‘AAAA’, nor an ‘MX’ record in DNS.
- Reject messages where the domain provided in the MAIL FROM address has neither an ‘A’, nor an ‘AAAA’, nor an ‘MX’ record in DNS.
- Configure spoofing checks for a mismatch between the envelope sender (MAIL FROM) and the FROM address. The envelope sender is the address used at the SMTP handshake level (MAIL FROM).
Most mailing lists use a different envelope sender and FROM address. You need to make exceptions for them, or they will be blocked as spoofed emails.
Caution: DNS checks at the handshake level can impact system performance, so you need to find a good balance.
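The checks above (reverse DNS, forward-confirmed reverse DNS, HELO and MAIL FROM domain existence, envelope/header mismatch with a mailing-list exception), applied to one inbound transaction. This is an added example, not the article's code or any gateway's implementation; the DNS data is a constructed in-memory table standing in for real lookups, and all domains and addresses in it are assumptions.

```python
import ipaddress

# Constructed DNS snapshot standing in for live lookups; a real gateway would
# query a resolver (e.g. with dnspython). Key: (name, record type) -> values.
DNS = {
    ("5.113.0.203.in-addr.arpa", "PTR"): ["mx1.partner.example"],
    ("mx1.partner.example", "A"): ["203.0.113.5"],
    ("partner.example", "MX"): ["mx1.partner.example"],
    ("9.113.0.203.in-addr.arpa", "PTR"): ["bouncer.spam.example"],
    ("bouncer.spam.example", "A"): ["198.51.100.9"],  # does not point back to 203.0.113.9
    ("corp.example", "MX"): ["mail.corp.example"],
}

def lookup(name: str, rrtype: str) -> list:
    return DNS.get((name.lower().rstrip("."), rrtype), [])

def domain_exists(domain: str) -> bool:
    # The article's rule: a sender domain is plausible only if it has A, AAAA or MX.
    return any(lookup(domain, t) for t in ("A", "AAAA", "MX"))

def check_connection(client_ip: str, helo: str, mail_from: str,
                     header_from: str, list_exceptions=()) -> list:
    """Return the policy violations found for one inbound SMTP transaction
    (an empty list means the message passes all of the checks)."""
    problems = []
    ptrs = lookup(ipaddress.ip_address(client_ip).reverse_pointer, "PTR")
    if not ptrs:
        problems.append("no reverse DNS for connecting IP")
    elif client_ip not in lookup(ptrs[0], "A") + lookup(ptrs[0], "AAAA"):
        problems.append("reverse DNS does not resolve back to connecting IP")
    if not domain_exists(helo):
        problems.append("HELO/EHLO domain has no A/AAAA/MX record")
    env_domain = mail_from.rsplit("@", 1)[-1].lower()
    if not domain_exists(env_domain):
        problems.append("MAIL FROM domain has no A/AAAA/MX record")
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    # Mailing lists legitimately differ here, hence the exception list.
    if env_domain != hdr_domain and env_domain not in list_exceptions:
        problems.append("envelope sender / header From mismatch (possible spoof)")
    return problems

if __name__ == "__main__":
    print(check_connection("203.0.113.5", "mx1.partner.example",
                           "alice@partner.example", "alice@partner.example"))
    print(check_connection("203.0.113.9", "mail-svr",
                           "x@bulk-sender.invalid", "ceo@corp.example"))
```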
Email Impersonation
- Email impersonation means abc.com sending emails to someone.com as xyz.com.
- This happens outside your network, so you don't have much control; however, there is a way.
Email Impersonation Prevention Tips
- Incoming emails should be checked for SPF and DMARC failures, and failing emails should be blocked or tagged.
- Impersonated emails to other organizations can be prevented by adding trust to your outgoing emails.
- Trust can be added to the organization's outgoing emails by using a combination of SPF, DKIM and DMARC.
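How the receiving side combines SPF, DKIM and the sender's DMARC policy into a block/tag decision, which is why publishing all three protects your domain at other organizations' gateways. This is an added example, not the article's code; the DMARC record for corp.example is constructed, the SPF/DKIM results are assumed to come from the gateway's own evaluation, and the organizational-domain logic is a simplification of the real Public Suffix List rule.

```python
# Constructed DMARC record for the assumed domain corp.example (not a real record).
DMARC_RECORDS = {
    "corp.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@corp.example",
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real implementations use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(header_from: str, spf_result: str, spf_domain: str,
                  dkim_result: str, dkim_domain: str) -> tuple:
    """Combine the SPF/DKIM results the gateway already computed into a DMARC
    result and the action the domain owner requested: none, quarantine or reject."""
    from_domain = header_from.rsplit("@", 1)[-1].lower()
    record = DMARC_RECORDS.get(from_domain) or DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return "none", "none"  # domain publishes no policy: nothing to enforce
    tags = parse_dmarc(record)
    # SPF authenticates the envelope (MAIL FROM) domain, DKIM the d= domain; either
    # one passing *and* aligning with the visible From domain makes DMARC pass.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    if from_domain != org_domain(from_domain) and "sp" in tags:
        return "fail", tags["sp"]  # subdomain policy, when published
    return "fail", tags.get("p", "none")
```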
Email DoS/DDoS Attacks
- An email DoS attack means that attackers send you so many emails that your email servers are not able to handle the load and crash. As a result, you are not able to receive any legitimate business emails.
- Such attacks can be used to cause business/reputation loss, especially if the organization's business is conducted via email.
- These attacks are not very common; however, there is still a possibility.
DoS/DDoS Attacks Prevention Tips
Such attacks can be easily prevented by following these steps:
- Limit the maximum number of connections to be handled by your MTA.
- Limit the number of connections per IP address.
- Limit the number of recipients for each email.
- Limit the number of messages/emails sent in one session.
- Define a queue size and defer connections when your inbound queue is full.
- Use local/global IP reputation lists to block or defer connections at the connection level.
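The six limits above as one connection-level policy object, showing which SMTP reply each limit produces (a 421 defer for load, a 554 block for reputation). This is an added example, not the article's code or any MTA's implementation; the thresholds and the blocklist are made up and would be tuned to real traffic.

```python
from collections import defaultdict

class SmtpLimits:
    """Connection-level limits an MTA can apply to blunt an email DoS.
    Constructed example with made-up thresholds; tune them to your traffic."""

    def __init__(self, max_connections=200, max_per_ip=10, max_recipients=50,
                 max_messages_per_session=20, max_queue=1000, blocklist=()):
        self.max_connections = max_connections
        self.max_per_ip = max_per_ip
        self.max_recipients = max_recipients
        self.max_messages_per_session = max_messages_per_session
        self.max_queue = max_queue
        self.blocklist = set(blocklist)     # local/global IP reputation list
        self.sessions = {}                  # session id -> {"ip", "messages"}
        self.per_ip = defaultdict(int)      # open connections per client IP
        self.queue_len = 0                  # messages waiting in the inbound queue

    def on_connect(self, session_id: str, ip: str) -> tuple:
        """Decide the greeting: 220 accept, 421 defer (temporary), 554 block."""
        if ip in self.blocklist:
            return 554, "Access denied (IP reputation)"
        if self.queue_len >= self.max_queue:
            return 421, "Inbound queue full, try again later"
        if len(self.sessions) >= self.max_connections:
            return 421, "Too many connections, try again later"
        if self.per_ip[ip] >= self.max_per_ip:
            return 421, "Too many connections from your IP"
        self.sessions[session_id] = {"ip": ip, "messages": 0}
        self.per_ip[ip] += 1
        return 220, "Ready"

    def on_message(self, session_id: str, recipients: int) -> tuple:
        """Per-message limits: recipients per mail and mails per session."""
        session = self.sessions[session_id]
        if session["messages"] >= self.max_messages_per_session:
            return 421, "Too many messages in one session"
        if recipients > self.max_recipients:
            return 452, "Too many recipients"
        session["messages"] += 1
        self.queue_len += 1
        return 250, "Queued"

    def on_disconnect(self, session_id: str) -> None:
        session = self.sessions.pop(session_id)
        self.per_ip[session["ip"]] -= 1

    def on_delivered(self) -> None:
        self.queue_len -= 1  # a queued message left the inbound queue
```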
I hope that you will find this article useful. I have made a detailed video on this. You can check out this Email Attacks Video.