By Chandresh Dedhia, Head-IT, Fermenta Biotech
You all would have read the news about the Flipkart CEO’s email being spoofed and an email requesting to transfer $80,000 sent to Flipkart CFO. This attempt didn’t succeed as the CFO did a call back to the CEO to check the reason and then the case came to light and a major scam was avoided.
This isn’t something new and has been very prevalent since the last few years. The only thing I can say is that the attempts are more common now and gaining some front page news. Also our inherent email technology has failed to safeguard the consumers against such attacks. Email servers today support such technology to avoid Email Spoofing, Phishing and SPAM, but the default configurations are set to “Disable”. Email systems being a foundation to any enterprise, small, medium or big, strong security process needs to be in place to secure the email infrastructure.
I came across many instances where the IT team is unaware of the simple configuration that is required to increase your defensive capabilities against such attacks and that too without any investment using the existing technologies available.
I would like to share the process to ensure you make your email infrastructure secure against such email spoofing and increase defensive mechanism against Phishing and SPAM, below are the technical steps that you could share with your IT team for implementation.
Three Simple steps to Nirvana:
#1 Enable SPF : Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check if incoming mail from a domain comes from a host authorized by that domain’s administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) record for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged “from” addresses, so publishing and checking SPF records can be considered anti-spam techniques. SPF has to be configured through Domain/DNS control Panel.
#2 DKIM: DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain’s administrators. It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam. DKIM allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain which is done using cryptographic authentication. DKIM has to be configured on the Email Server and Domain/DNS Control Panel.
#3 DMARC : Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email validation system designed to detect and prevent email spoofing. It provides a mechanism which allows a receiving organization to check that incoming mail from a domain is authorized by that domain’s administrators and that the email (including attachments) has not been modified during transport. It is thus intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations. DMARC is specified in RFC 7489.
DMARC is built on top of two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the sender of an email to publish a policy on which mechanism (DKIM, SPF or both) is employed when sending email and how the receiver should deal with failures. Additionally, it provides a reporting mechanism of actions performed under those policies. It thus coordinates the results of DKIM and SPF and specifies under which circumstances the From: header field, which is often visible to end users, should be considered legitimate. DMARC settings give you option to Monitor, Quarantine and Reject the emails that are detected as Spoofed or SPAM.
One must follow the below method to rule out any false positives. A conservative deployment cycle would resemble:
a. Monitor all.
b. Quarantine 1%.
c. Quarantine 5%.
d. Quarantine 10%.
e. Quarantine 25%.
f. Quarantine 50%.
g. Quarantine all.
h. Reject 1%.
i. Reject 5%.
j. Reject 10%.
k. Reject 25%.
l. Reject 50%.
m. Reject all.
Attempt to remove the percentages as quickly as possible to complete the deployment. DMARC has to be configured through Domain/DNS Control Panel. Once all the three step configurations are completed, log on to www.dmarcian.com and create a free account and follow the configuration instructions.
In the dashboard, it will show you the status of the SPF, DKIM and DMARC. Any anomalies will be highlighted and a suggestion to reconfigure will be given. You could choose the buy the paid subscription which gives you in depth analytics and other features.
It would be a huge support if you can like or share this article with your friends and colleagues to improve their defense mechanism and improve their email security infrastructure.
– The author, Chandresh Dedhia, is Head-IT, Fermenta Biotech
If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]