There are many types of spam. Some are relatively harmless and are simply intended to make people buy a product that a spammer is selling. However, some spam is much more insidious. Phishing emails trick your users into disclosing confidential information about your company, such as passwords. This method of network attack has become so prevalent that it creates a strong need for any organization to have effective anti-spam capabilities to protect its email server. While phishing attacks vary in their severity and effectiveness, some can be truly disastrous for an organization. Therefore, good anti-spam protection should be a priority in your company’s security procedures.
Let’s illustrate the importance of this with an example. Let’s say your financial officer received a phishing email that informed him that there was possible fraudulent activity on your company’s bank account. The email asks him to login to the company’s online account to verify that no fraudulent transactions have occurred. If he uses the link in that email he will be presented with a fake login page that perfectly mimics your bank’s page. After one failed login attempt, the financial officer is redirected to the real bank page, so he can login without suspecting anything amiss. However, the sender of that phishing email now has direct access to your bank account.
So how do we protect against email spear phishing attacks?
A robust server-based anti-spam solution will provide you with an effective first line of defence. Many of the characteristics of spam emails are also found in phishing emails and thus they can be filtered out. A particular form of phishing, known as spear phishing, may be effectively blocked by anti-spam filters, while others will be ineffective. Why?
Spear phishing refers to phishing emails that specifically target your organization. This can result in your organization receiving email from a clean source that is not listed in any spam databases. As a result, techniques such as DNSBL and anti-spam databases may fail to detect this attack. The particular IP address that sends the email would never have been used for the bulk mailing of spam and thus would have avoided detection by any DNSBL tests or honey pots. Also, spear phishing attacks are tailored to your organization in a way that existing spam databases would not yet have information on it, and thus be unable to block it.
Techniques like greylisting will likely work, but spear phishing attackers often monitor the situation and will resend any mail failures to specifically break through greylisting protections. There is also a chance that the attacker might be using a real mail server, in which case the retry will happen automatically.
On the other hand techniques like Bayesian analysis have a good chance to detect these types of phishing emails, as they often have language that is detected as spam. Phishing emails normally attempt to encourage victims into visiting malicious websites, and thus are inevitably going to share language to a degree.
Sender Policy Framework (SPF) should also be very effective here. SPF works by comparing the servers that are authorized to send emails for this domain against the actual server used to send the mail. The list of authorized mail servers is provided by the email’s origin domain and, since phishing emails have no choice but to pretend the email is coming from a particular site, SPF should be effective in catching such attacks.
For regular phishing emails these issues should not exist. Some good anti-spam solutions possess specialized databases that contain specific data on phishing emails. This information can range from URLs generally used by phishing emails, to the typical text contained in them.
In conclusion, having a properly configured server anti-spam solution can go a long way towards mitigating such risks, especially spear phishing attacks. The more filtering layers an email has to pass through, the less likely it is to find its way in your users’ mailboxes, and the less likely you are to suffer damage as a result.
This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about what the right server anti-spam solution for your company should include.
All product and company names herein may be trademarks of their respective owners.