Spam and its targeted mission to phish are active and causing havoc still, in 2021. Are your domains and email server secure? Are you thinking about counting each employee as a vulnerability? Sounds harsh, but you need to.
According to a 2019 Verizon report, 90% of confirmed phishing email attacks took place in environments that used Secure Email Gateways (SEGs). How secure are you, really?
Being able to consistently block spam before it reaches your users’ inbox is critical to stopping phishing, and therefore a key component of solid network security.
So if more filters are better, which ones should I apply?
No one solution catches everything. Employ multiple layers of filtering to detect spam and phish. Make disposition decisions; like reject, drop, or bulk folder, as early as possible in the receipt cycle as possible. Review our guide, because you might be surprised, in that you may not think of some of these as email filters, but they are!
1. Your first filter is your connection rate limits
A connection rate limit is an inbound filter, which prevents an attacker from attempting to bring down your email service through spam floods and Denial-of Service (DoS) attacks.
The number of connections to your SMTP server should conservatively consider your server hardware (memory, NIC bandwidth, CPU, etc.) and its nominal load each day.
The settings for connection limits are:
- number of connections
- number of simultaneous connections
- maximum connection rate
When you set these, remember you aren’t an ISP, and the only senders who will likely want more connections are those sending newsletters are marketing emails, so keep your numbers conservative. These settings may require refining over time.
2. Configure your mail relay settings
Configure mail relay options carefully to avoid having your server unintentionally become an open relay, allowing spammers to relay spam through your mail server. Settings for relaying mail should always include the IP addresses and domains allowed relaying email should be intentionally restrictive.
3. Install a suite of real-time DNS Blocklists (DNSBL) in your mail server
Since DNSBLs are a suite and are designed to work together, for maximum coverage, install a suite from one or two trusted providers (like Abusix), but don’t cherry-pick pieces from both suites; make sure one is complete because a good suite will block over 99% of spam at the edge.
IP addresses
For your inbound mail, the blocklist will include IP addresses (available from the blocklist vendor as a single combined list) that block during the connection session, identified as spamming, compromised (infected), and that should not be sending mail to MXs.
For sending outbound emails, you want to use a different IP address blocklist designed to block users authenticating with your mail server attempting to send email from IP addresses identified as compromised. This is another list from the one used for inbound mail, as it uses a shorter TTL. Don’t use the same list for both inbound and outbound checks.
Domains
This blocklist will identify domains sending spam on IP addresses shared with legitimate senders. While an IP address may not be blocked, a specific domain on a single IP address will be blocked.
According to a recent study by PhishMe, 91% of cyberattacks begin with spear-phishing emails, and therefore email is the most vital system to protect. |
4. Turn on your local blocklists
Make sure local blocklists on your mail server are turned on to give your cybersecurity team a way to block spammers and phishers that specifically target your business, especially since spear-phishing is on the rise.
5. Enable Email Authentication security
Configure the following email authentication checks.
- SPF (Sender Policy Framework) is an email authentication standard (RFC7208) designed to prevent spoofed domain and IP address sources. When SPF is activated on your server, the sending server is validated as being allowed to send mail from the domain, before you accept a message.
Using SPF will allow you to reject spoofed messages to you, as well as from someone who might try to fake your users into believing it’s a message from your CEO. - DKIM (DomainKeys Identified Mail) is an email authentication standard (RFC5585) designed to reject messages that change in transit. The DKIM mechanism is based on a hash of the portions of the message designated by the sender.
When DKIM is activated on your server, the message content will be validated; it has not been tampered with in transit from the sender before the message is accepted.
DMARC (Domain-based Message Authentication Reporting & Conformance) is an email authentication standard (RFC7489) designed to provide the receiver with instructions on where and how to report failures of either SPF or DKIM so that senders can (a) know when either record fails and (b) take action against an unauthorized sender, thus improving brand protection and email delivery.
Many companies employ a DMARC reporting service to simplify TXT record maintenance and also to make sense of DMARC reporting.
The steps up until this point we’re all instructions on how to block spam before it enters the server. Now configure your content filters for your last layer of checks.
6. Include content filter
Now it’s time to set up your content filters.
Add an Open Source anti-spam filtering (e.g., rSpamD, SpamAssassin) layer. These are free, provide a platform to integrate content DNSBLs that help you block known spam domains and URLs, and, like the local blocklists, give your cybersecurity team a platform to add additional filtering.
- Blocklists, as mentioned previously, are efficient ways to make decisions quickly. In your content filter use the following lists to identify messages that belong in your users bulk folders.
- Search all headers and message bodies for domains associated with spamming and zero-day newly observed domains.
- Search message bodies for short URLs, online file storage URLs and cryptocurrency wallet addresses found in spam.
Add commercial anti-spam filtering, mainly if there is one designed specifically for your industry, especially if you are a Healthcare institution, Government agency, Energy company, Financial aor Retail Company.
Add open-source antivirus filtering to examine email attachments. (eg: ClamAV).
Add commercial anti-virus filtering vendors.
Add commercial anti-phishing filtering vendors. (e.g. Cyren, VadeSecure, others)
No one solution will catch everything
The 2019 Verizon report cited at the beginning of the article says that 90% of confirmed phishing email attacks took place in environments that used Secure Email Gateways (SEGs). Are you secure? How secure?
Being able to consistently detect and avoid phishing email attempts that land in your inbox is a critical component of security. Remember to employ both multiple technical and human layers of filtering to detect and make disposition decisions. Reject, drop or notify your cyber security team of email threats as early as possible in the receipt cycle. To do this, never accept too many connections at once, block the worst of the worst, authenticate the sender, and examine the content, doing each step well.
Ongoing, you need to have your cybersecurity team continually monitor your email since email is the primary attack vector for spam, phishing, and ransomware attacks.
Spam and phishing are social engineering attacks, so it is critical that you think of your employees as an integral part of your security. They are your last line of defense. Dropping your guard can lead to a successful attack causing your organization’s irreparable harm, leading you to go out of business. Let your cybersecurity team lead employee cybersecurity training, since enabling your human firewall is one of your best cybersecurity feedback loops for improvements.
Cybercriminals shapeshift, you need to be shapeshifting as well continually upping your game, in response. You always need to assume you are next. Don’t be reactive, be proactive and get your additional layer of defense for your mail server and customers with our suite of blocklists.