The Cheap Way to Keep Spoofed Email Out of Your Inbox
Email spoofing is on the rise. Country IP Blocks estimates that spoofing may account for more than 80% of all spam and malicious email traffic. Email spoofing is defined as the forgery of an email header so that the message has the appearance of originating from a source other than the actual source.
While any spoofed email is a problem, the problem becomes magnified when the spoofed email appears to come from an expected source. For example, company EXAMPLE has 100 employees and each employee has an EXAMPLE email account. If the company is using a program like SpamAssassin or other similar anti-spam software, they probably use a blacklist and whitelist to aid the spam filters. Company EXAMPLE may use a wildcard to blacklist *@EXAMPLE.com and then whitelist their legitimate email accounts, such as john_doe@EXAMPLE.com. The spam filters will give special consideration to email accounts appearing on the whitelist. Here is where a major problem may begin.
Spammers and cyber-criminal gangs understand the free ride made available by the EXAMPLE.com email accounts appearing on the company whitelist. If the spammer can spoof one of these addresses, there is a higher likelihood of the email making it through the spam filter and into an employee's mailbox. From there it may be a direct download into an email client like Outlook. This technique may result in thousands of spoofed emails breaching your perimeter on a daily basis.
When not using expensive security certificates to prevent spoofing, you can still eliminate spoofing of known email addresses, such as those on a company whitelist, with a highly effective, yet relatively simple filtering technique.
For this illustration we will assume you are using a modern version of Microsoft Outlook as your email client, though the filtering will work with most other email clients. The first thing you need to do is add a validation code to the email signatures of all employees. For this illustration we will use Message ID: yUHux7StepR5yeWRugEb3. The second step is to develop a list of emails you want to filter for spoofing. We will call this our Distribution List. This list can be imported into Outlook or inserted directly into your new rule.
The logic for your filtering ruleset is simple: apply this rule after the message arrives; if it is from Distribution List, permanently delete it (or move it to a specific folder), except if the body contains Message ID: yUHux7StepR5yeWRugEb3; then stop processing more rules.
Open Outlook and select Tools, Rules and Alerts and New Rule. Depending on your version of Outlook you will select either Start from Blank Rule or Check Messages when they arrive. The first condition we want to check is from people or distribution list.
After checking "from people or distribution list," add the email accounts you want to protect from spoofing. In this example we will add email@example.com.
Click Next and select the action you want to take. In our example we will permanently delete email that appears to be spoofed. This will also put a check in the stop processing more rules box.
Click Next and choose an exception. In our case we are going to have every employee include a validation code in their email signature. Select except if the body contains specific words. For this example we will add a random code to be searched: Message ID: yUHux7StepR5yeWRugEb3.
Click Next, add a name for the rule, turn it on and click Finish.
Your filter is now in place and ready to be tested. When the above steps are properly performed, this procedure will effectively eliminate 100% of the spam coming from spoofed addresses in your Distribution List.
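To test the rule logic outside the mail client, the same decision can be run over raw messages. The following is an added example, not part of the original article or of Outlook: it goes slightly beyond the rule as typed by also handling display names, letter case and encoded bodies. The function names, the staff@example.com recipient and the sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Values from the article: the signature code and the protected address list.
VALIDATION_CODE = "Message ID: yUHux7StepR5yeWRugEb3"
DISTRIBUTION_LIST = {"email@example.com"}

def body_text(msg):
    """Decoded text of every text/* part (undoes base64 and quoted-printable)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_content() for p in parts
                     if p.get_content_maintype() == "text")

def classify(raw):
    """Return 'delete', 'keep', or 'not-applicable' for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    # Compare the bare address, so display names and letter case do not matter.
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() not in DISTRIBUTION_LIST:
        return "not-applicable"      # rule condition not met
    # Exception clause: exact substring match (assumed; clients may differ).
    return "keep" if VALIDATION_CODE in body_text(msg) else "delete"

def make(sender, body, cte="7bit"):
    """Build a constructed sample message (hypothetical helper)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@example.com", "Q3 report"
    m.set_content(body, cte=cte)
    return m.as_string()

if __name__ == "__main__":
    signed = "See attached.\n\nJohn Doe\n" + VALIDATION_CODE + "\n"
    samples = [
        make("email@example.com", signed),
        make("email@example.com", signed, cte="base64"),
        make("John Doe <EMAIL@Example.com>", "Wire the funds today.\n"),
        make("someone@example.net", "Lunch?\n"),
    ]
    for raw in samples:
        print(classify(raw))
```

The validation code is a static string carried in every outbound signature, so the check holds only while that string stays unknown to outside senders.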