Spam emails spoofed from other staff members

Just wanted a little advice regarding some spam emails we've been receiving. I receive odd emails addressed to me labelled as from another member of staff (it shows their full name, though not their actual email address, a random one) and I'm unsure how they manage to get hold of the information to be able to do this. Our system is generally very secure; how is it possible to retrieve this info?
 
Websites, company rosters, companies house etc...

We've had emails pretending to be the finance director asking for invoices to be signed off.
 
There's very little you can do about someone pretending to be your CEO Bob Smith and emailing from [email protected], asking for payment to be sent to a particular address. Mimecast have a feature where you can feed it your user directory and it attempts to pick up these 'whaling' attacks, and DLP policies can be used to reject mail with bank account numbers, payment card details etc in them. You could probably also set rules to highlight messages that originated outside the company.

Ultimately, if somebody phoned your finance department and pretended to be the boss and needed money wiring to an account, and they did it without asking further questions, people wouldn't be running around pointing fingers at the phone company and trying to get a fix implemented at that level. Staff need to be just as suspicious with email, especially as for some insane reason a lot of mail clients default to not showing the sender's address, preferring to just put a name there.
 
You could probably also set rules to highlight messages that originated outside the company.

Yep, you can. We have a policy that puts some text into the subject on all emails that were received from the outside world and another that strips that piece of text out when emails are replied to or forwarded externally.
 
It boggles my mind why filtering these things is such a big mystery - 99% of the time with these spam mails the received chain very obviously doesn't match any legit domains of the supposed sender - why is there such a resistance to using the full header information properly in the workplace to flag emails additional to spam filters?
 
Frankly with the ability Microsoft have to update Office 365 and Outlook clients, they should be applying a piece of metadata to each external message and highlighting it differently in their mail clients, it would be quite trivial to implement and go a long way to assisting with this issue.

Everybody managing an email domain should be publishing DMARC policies as well to protect their own reputation. Unfortunately with the ease at which people can have email on their own domain, they often consider the task to be completed as soon as messages are flowing.
 
We've had them with our own domain on before.

Spoofing the from details is trivial; the receive chain, not so trivial. Though there can be times when that fails, it is usually at least possible to identify it's possibly suspicious, additional to any spam filtering. I dunno why that data isn't represented in a more user-friendly way in most clients, as most people can at least do simple common-sense comparisons. Instead there seems to be this whole thing about hiding that data away as much as possible :(
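The checks the posters above describe (the Mimecast-style comparison of the From display name against a user directory, the Received chain versus the From domain, and the external-subject tagging policy) can be reproduced in a small script. The following is an added example, not code from the thread or from any product mentioned in it; the staff directory, the two sample messages and the domains (example.com, freemailer.example) are constructed for the demonstration.

```python
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.com"      # assumed corporate domain
EXTERNAL_TAG = "[EXTERNAL]"     # assumed subject marker for inbound external mail

# Constructed staff directory: lower-cased display name -> the address
# that name is expected to send from.
STAFF_DIRECTORY = {
    "bob smith": "bob.smith@example.com",
    "jane doe": "jane.doe@example.com",
}

# Constructed sample 1: display name of a director, random external address.
SPOOFED_DISPLAY_NAME = """Return-Path: <bounce@mail.freemailer.example>
Received: from mx.example.com (mx.example.com [192.0.2.10]) by inbox.example.com with ESMTP; Mon, 1 Jan 2018 10:00:02 +0000
Received: from smtp.freemailer.example (smtp.freemailer.example [198.51.100.7]) by mx.example.com with ESMTP; Mon, 1 Jan 2018 10:00:01 +0000
From: Bob Smith <bob.smith1234@freemailer.example>
To: finance@example.com
Subject: Urgent invoice sign-off

Please approve the attached invoice today.
"""

# Constructed sample 2: our own domain in From:, but delivered from outside.
SPOOFED_OWN_DOMAIN = SPOOFED_DISPLAY_NAME.replace(
    "bob.smith1234@freemailer.example", "bob.smith@example.com")


def registrable(host):
    """Crude registrable-domain extraction (last two labels). Enough for the
    demo; a real filter would apply public-suffix rules (e.g. .co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def received_hosts(msg):
    """Sending host named in the 'from ...' clause of each Received header,
    most recent hop first (the order the headers appear in the message)."""
    hosts = []
    for value in msg.get_all("Received", []):
        match = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", value)
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def analyse(raw):
    """Return a dict of defensive flags for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = registrable(return_path.split("@")[-1]) if "@" in return_path else ""

    # The hop at which the mail entered our boundary: the first Received
    # header (top of the chain) whose sending host is not one of ours.
    entry_host = next((h for h in received_hosts(msg)
                       if registrable(h) != OUR_DOMAIN), None)
    external = entry_host is not None

    expected = STAFF_DIRECTORY.get(name.strip().lower())
    return {
        "external": external,
        "display_name_impersonation": bool(expected) and addr.lower() != expected,
        "from_domain_mismatch_return_path": bool(rp_domain) and rp_domain != from_domain,
        "from_domain_mismatch_entry_hop": external and registrable(entry_host) != from_domain,
        "claims_our_domain_from_outside": external and from_domain == OUR_DOMAIN,
    }


def tag_inbound_subject(subject, external):
    """Policy from the thread: prefix subjects of mail received from outside."""
    if external and not subject.startswith(EXTERNAL_TAG):
        return f"{EXTERNAL_TAG} {subject}"
    return subject


def strip_tag_for_outbound(subject):
    """Companion policy: remove the marker again when replying/forwarding out."""
    return re.sub(r"\s*" + re.escape(EXTERNAL_TAG) + r"\s*", " ", subject).strip()


if __name__ == "__main__":
    for label, raw in (("display-name spoof", SPOOFED_DISPLAY_NAME),
                       ("own-domain spoof", SPOOFED_OWN_DOMAIN)):
        print(label, analyse(raw))
```

The second sample is the case raised later in the thread (own domain in the From field, arriving from outside): the directory check alone passes it, because the address is exactly the one the directory expects, and only the Received-chain comparison catches it. The two checks are complementary, which is why both belong in a filter.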
 
If you're receiving spoofed emails with your own domain in the "from" field, being sent into your own domain, then you've missed a lot of opportunities to prevent that.
 
If you're receiving spoofed emails with your own domain in the "from" field, being sent into your own domain, then you've missed a lot of opportunities to prevent that.

Yet nearly every company, big or small, I've worked for, done support for or had anything else to do with has plenty that somehow get through their spam filters or whatever, where even a cursory glance at the received chain in the full headers versus the from field shows discrepancies.

Occasionally you get an inserted banner, depending on server/filters, etc., warning you that this email might be suspicious but couldn't be identified for certain as spam, but it's more the exception than the rule.

*bangs head on wall*
 
It's not surprising though, I receive emails from some massive companies that haven't yet ventured as far as an SPF record.

These are probably the places with change control processes that take six years to complete, so will be signing messages sometime after 2020.
 
It's not surprising though, I receive emails from some massive companies that haven't yet ventured as far as an SPF record.

These are probably the places with change control processes that take six years to complete, so will be signing messages sometime after 2020.

I started logging dkim/spf failures with the idea of bolstering our spam filtering, but the amount of big names that fail these checks is phenomenal and simply renders these solutions pointless. There are so many badly configured mail servers out there that it's no surprise spam is so prevalent.
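Logging SPF/DKIM/DMARC outcomes per sending domain, as the post above describes, is a matter of parsing the Authentication-Results header (RFC 8601) that the receiving MTA stamps on each message. The following is an added example, not the poster's own code: it parses constructed header values (the authserv-id mx.example.com and the sender domains are assumed), tallies results per claimed sender domain, and gives each message a defensive verdict.

```python
from collections import Counter, defaultdict

# Constructed Authentication-Results header values, as a receiving MTA would
# write them. Domains and results are made up for the demonstration.
SAMPLE_RESULTS = [
    "mx.example.com; spf=pass smtp.mailfrom=bigcorp.example; "
    "dkim=pass header.d=bigcorp.example; dmarc=pass header.from=bigcorp.example",
    # no SPF record, unsigned, no DMARC policy published
    "mx.example.com; spf=fail smtp.mailfrom=consulting.example; "
    "dkim=none; dmarc=none header.from=consulting.example",
    "mx.example.com; spf=softfail smtp.mailfrom=consulting.example; "
    "dkim=fail header.d=consulting.example; dmarc=fail header.from=consulting.example",
    # SPF and DKIM pass for the bulk sender, but neither aligns with From:
    "mx.example.com; spf=pass smtp.mailfrom=bulk.sender.example; "
    "dkim=pass header.d=sender.example; dmarc=fail header.from=bank.example",
    "mx.example.com; spf=none; dkim=none; dmarc=none header.from=freemailer.example",
]


def parse_auth_results(value):
    """Return {method: (result, {property: value})} for one header value.
    The first ';'-separated field is the authserv-id and is skipped."""
    results = {}
    for field in value.split(";")[1:]:
        tokens = field.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def sender_domain(parsed):
    """Domain the message claims in From: (DMARC's header.from), falling back
    to the SPF MAIL FROM domain when no DMARC evaluation was recorded."""
    for method, prop in (("dmarc", "header.from"), ("spf", "smtp.mailfrom")):
        if method in parsed and prop in parsed[method][1]:
            return parsed[method][1][prop].lower()
    return "unknown"


def tally_results(values):
    """Per-domain counts of 'method:result', e.g. {'consulting.example':
    {'spf:fail': 1, 'spf:softfail': 1, ...}}. Feeding this over a few weeks of
    mail shows which big senders never pass and would need exemptions."""
    tally = defaultdict(Counter)
    for value in values:
        parsed = parse_auth_results(value)
        domain = sender_domain(parsed)
        for method, (result, _) in parsed.items():
            tally[domain][f"{method}:{result}"] += 1
    return {domain: dict(counts) for domain, counts in tally.items()}


def verdict(value):
    """Defensive disposition for one message:
    reject      - DMARC evaluated and failed (sender asked for alignment)
    accept      - DMARC pass, or no hard failures at all
    quarantine  - SPF or DKIM explicitly failed without a DMARC result
    flag        - nothing to authenticate against (no SPF, no DKIM, no DMARC)
    """
    parsed = parse_auth_results(value)
    dmarc = parsed.get("dmarc", ("none", {}))[0]
    spf = parsed.get("spf", ("none", {}))[0]
    dkim = parsed.get("dkim", ("none", {}))[0]
    if dmarc == "fail":
        return "reject"
    if dmarc == "pass":
        return "accept"
    if spf in ("fail", "softfail") or dkim == "fail":
        return "quarantine"
    if spf == "none" and dkim == "none":
        return "flag"
    return "accept"


if __name__ == "__main__":
    for domain, counts in sorted(tally_results(SAMPLE_RESULTS).items()):
        print(domain, counts)
    for value in SAMPLE_RESULTS:
        print(verdict(value), "<-", value)
```

The fourth sample is the one worth noting: SPF and DKIM both pass, but for the bulk sender's domain rather than the domain in From:, so DMARC alignment fails. A filter that only looks at spf=pass would wave it through; the per-domain tally makes that pattern visible before a rule is written.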
 
It does make me laugh, my sister works for a reasonably large consulting firm (not one of the big four) and every time she emails my Gmail account it throws up a huge "this message might not be who it says it's from" warning (no SPF in place, messages aren't signed). The official response from their IT is that they wouldn't be emailing Gmail users as they are professionals, so there's nothing to fix. I guess as long as they never email anybody with decent messaging admins then they're sorted, and when their messages get rejected it results in a VP storming into the IT team of the receiving end and demanding an explanation, so the domain gets whitelisted.
 
There really is no excuse in this day and age, when the likes of MS have pretty much automated the whole process of setting up spf/dkim. You have to wonder what some admins are smoking when they refuse to get their own house in order.

I'm not usually a fan of big corps like Google/MS taking ownership of such issues, but I think it's going to take an automated process from the likes of them emailing domain admins on every failure before we see any real change.
 
It drives me nuts, my current company gets a lot of these spoofed e-mails from the CEO etc. I believe LinkedIn to be the "data source".

On my personal domain, I've got SPF and DKIM added & use digitally signed mail (£30 for a certificate) & will be implementing a similar setup at my current company.

In the interim I've got Exclaimer adding a header ("This e-mail has been sent from outside xxxxxx. Check that it is genuine") to each e-mail that comes from an external source.

I used to work for a fairly large company; one day the performance of our Exchange server tanked, and upon investigating it turned out that our product development team was throwing 500k customer transactional e-mails at it. We soon ended up on a few mail blacklists. It took me the best part of two solid days building a dedicated mass e-mail platform, getting the SPF and DKIM records in place & liaising with various different mail providers to get our servers whitelisted.
 