TN Media News - Technology

By Shahzad Subhani
Introduction: The Purpose of this article is to provide a simplified version of email attack types. This is the second article of my series on Email Security. You can read the first article on Email Security basics.
The following are different types of Email Attacks.

Email Relaying
Spam/Unwanted Emails/Marketing Emails/Newsletters
Malware (Viruses/Worms/Trojans/Spyware/Ransomware)
Spoofing (People Sending you emails from Spoofed Domains)
Phishing/Spear phishing
Impersonation ( Other People sending email on your behalf)
Dos/DDOs (DoS stands for Denial of Service)

Let’s talk about each of them briefly.

Email Relaying
Email Relay means Sending Emails through an SMTP Server. Email Relay becomes an attack if the attacker uses your SMTP Server to relay emails to another Domain, without your knowledge. This used to be a very common attack in the early days of SMTP and worms OR Trojans using misconfigured Company Servers to send emails. However these days most servers are Configured and well protected by default.

Email Relaying Example
Go to Mxtoolbox.com and do an Mx lookup for any domain e.g. gmail.com.Click on SMTP Test. Mxtoolbox Servers will try to test the Servers and give you this kind of report. Try this for any other domains as it is public information.

Here are more details on what actually happened in the background. You can see that the MX Toolbox Server tried to send an email to another domain (Instead of gmail.com) and it was rejected as Gmail will only accept emails which are sent to Gmail.com.

Email Relaying Prevention Tips
In order to prevent email relaying, you should configure your Email Server/Gateway to receive Incoming Emails only for your Domains. For outbound Emails, only allow authorized IP Addresses to relay emails. Also, port 25 access to the email gateway OR email server should be given to selected IP addresses only.

Email Spam

Any Kind of Promotional, Unwanted Email, or Marketing Email is considered as Spam. The most common example is drug-related spam
Every Organization receives and blocked hundreds of Spam emails every day
People use a corporate account on different sites, Their Email addresses get stolen and then used by spammers /Newsletters Spam
Emails with too many graphics or Short URLs are also classified as Spam by many Email Gateways

Practical Tips to Prevent Email Spam

Always keep looking for False Positives as some good emails are marked as spam as well. Such domains or senders can be whitelisted.
Block all emails from Google Groups or other Mailing lists as people should not use corporate accounts for mailing lists

Email Malware/Ransomware

This is a very Common Attack. Normally executable files are sent over email OR malicious links are sent in email bodies and the user is enticed by subject OR keywords to click on it.
Executables extensions are changed to doc or xls or anything benign
Excel OR word documents are sent with hidden malicious macros in it

Email Malware/Ransomware Prevention

End-user should think twice before clicking on a link especially if he is not expecting such an email
Always block Executables however time executables extensions are changed to doc or xls or anything benign. Email Gateways that identify True File Type can detect and Block Such Emails.
If your Email Gateway Supports, remove macros OR any codes from incoming PDF, Word and Excel Files. In Symantec Messaging Gateway, they provide such an Option under the DISARM feature.
Emails with URLs can sometimes skip through if the email gateway is not able to check the URL however these days email gateways provided you with the option to disable any URLs in the email body. This is a good safe option and should be used.
Additionally, a big organization also needs to add another layer of sandboxing in order to prevent zero-day attacks or targeted emails with malicious attachments.
User Awareness is very important and they need to think twice before clicking on a Link especially if they are not expecting such an email.

Email Spoofing/Phishing

A Spammer/Attacker sends an email that has been manipulated to seem as if it originated from a Trusted Source.
To put it simply, People are sending your email from combat it appears to you as gooddomain.com
Spoofed email can be used to get the user to click on a link OR an email from CEO to a CFO asking for an Urgent Wire Transfer. Just search about BEC (Business Email Compromise) attacks. These are very common attacks and some organizations have suffered from them.
Spoofing is done to hide the real identity of the attacker and is mostly used as part of a Phishing attack
Phishing occurs when an attacker sends a fraudulent email disguised as an authorized and trusted source. The intent of the email is to get personal or financial information OR trick the recipient into installing malware on his/her device.
EHLO name is different however FROM, REPLY-TO and RETURN-PATH are spoofed and the User Email Client shows the Spoofed FROM address.

Spear Phishing

Spear phishing is a highly targeted phishing attack.
Phishing and Spear phishing both use emails to reach the victims. However, Spear-phishing sends customized emails to a specific person/organization and the criminal researches the target’s interests before sending the email
In some real-world scenarios, some organizations OR their employees are hacked and then emails are sent from those organizations to their Partner Organizations. Due to email coming from a trusted organization, the Chances of clicking on a link OR opening an attachment are very high.

Email Spoofing Example

This is an email spoofing example and you can see that it was not blocked by Gmail however they did add a question mark but how many people will notice that.
For those who want to try, It was Sent via https://emkei.cz. You can do a google search on Online Email Spoofing and try some yourself.

Email Spoofing/Phishing Prevention Tips
For Inbound Traffic, Configure your Email Gateway to check for the following

Use Local/Global IP Reputation Lists to block or defer at the connection level
Use DNS Validation and Reject connections for IP Addresses which do not have Reverse DNS Record
You can also Reject connections where the reverse DNS record exists for the connecting IP address, but the ‘A’ or ‘AAAA’ record of the resulting domain does not match the connecting IP address
Check if EHLO/HELO Name is real OR fake by checking if the domain provided at HELO and EHLO has neither an ‘A’, nor an ‘AAAA’, nor an ‘MX’ record in DNS
Reject messages where the domain provided in the MAIL FROM address has neither an ‘A’, nor an ‘AAAA’, nor an ‘MX’ record in DNS
Configure Spoofing checks if there is a mismatch between Envelope Sender (MAIL FROM) and FROM Address. Envelope Sender is the address used at Email Handshake Level ( MAIL FROM)

Most Mailing Lists used different Envelopes Sender and FROM. You need to start making exceptions else they will be blocked as Spoofed emails.

Caution: DNS Checks at handshake level can impact System Performance so you need to find a good balance.

Email Impersonation

Email Impersonation means abc.com sending emails to someone.com as xyz.com.
This is happening out of your Network so you don’t have much control however there is a way.

Email Impersonation Prevention Tips

Incoming Emails should be checked for SPF and DMARC Failures and they should be blocked or tagged.
Impersonated emails to other organizations can be prevented by adding Trust to your Outgoing emails
Trust can be added to the Organization’s outgoing emails by using a combination of SPF, DKIM and DMARC.

Email DoS/DDoS Attacks

An Email DoS Attack means that attackers send you so many emails that your Email Servers are not able to handle the load and crash. As a result, you should not be able to receive any legitimate business emails.
Such Attacks can be used to cause business/reputation Loss especially if the organization’s business is conducted via emails
These attacks are not very common however there is still a possibility •

DoS/DDoS Attacks Prevention Tips
Such Attacks can be easily prevented by following

Limit the number of maximum connections to be handled by your MTA
Limit number of connections per IP Address
Limit the number of recipients for each email
Limit the number of messages/emails sent in one session
Define a queue size and defer connections when your inbound queue is full
Use Local/Global IP Reputation Lists to block or defer connections at the connection level

Conclusion
I hope that you will find this article useful. I have made a detailed video on this. You can check out this Email Attacks Video.

TN Media News

PCB writes to 27 leading departments

The Head of Religious Affairs emphasizes the significance of the Kaaba and purifying it in accordance with the principles of Islam under the wise leadership.

Saudi energy giant Aramco announces $1.5bn sustainability fund.

Lt Gen (retd) Tariq Khan refuses to head commission formed to probe ‘threat letter’: sources

Quetta Gladiators Seal Thrilling Victory Over Islamabad United in PSL Showdown.

China Pakistan Economic Corridor (CPEC): Bridging the Gap in Regional Connectivity and Shaping the Geopolitical Landscape of Asia.

Book Launch Ceremony for “Building a Community with Shared Future: A Hope for Mankind held at Xining, China.

Pakistan Army Rescue Operation

Pakistan Physical Disability Cricket Team Announces 20-Member Squad for Training Camp Ahead of Champions Trophy 2025.

Japanese delegation calls on IT Minister Syed Amin Ul Haque.

WPCA GRAND FINALE AWARDS CEREMONY OF MAY 27, 2022

Capacity Market contracts awarded to more than 2GW of battery storage in UK and Italy

Discover

About

Subscribe to Our Newsletter