Email is unwaveringly consistent in upholding the theory of equal opposites. On one hand, it has enabled businesses to flourish in the electronic age with cheap and easy communication, making it the default method of message exchange; on the other, that direct-to-user route has kept it the number one infection vector of choice for malware and phishing attacks since the 1990s.
There are very few organisations (hopefully none) that don't use some form of email filtering solution to remove potential threats. There are countless offerings, some free and others with price tags reflecting the updates and additional services they provide. In all cases, the industry has had much practice over the years in combating these threats.
Yet email remains the infection vector of choice for most cybercriminals. One contributing factor could be that an air of mystery still surrounds malicious email detection techniques, resulting in some email filtering solutions being poorly configured or possibly never updated.
Anti Spam & Filtering Checklist: Must-Have Detection Techniques
Below is a list of the must-have methods used to detect malicious emails. Ideally, your email filtering solution should employ all these techniques to keep detection rates at their highest possible levels.
- Blacklists - Nice and easy: blacklists are lists of IP addresses and domains known to send malicious emails. Keeping them up to date normally involves some form of subscription to keep the feed open. However, there are free alternatives, for example Spamhaus ZEN, which only requires a fee if a large number of queries are performed per day.
- Reverse DNS Lookups - When an email server is asked to receive an email, it looks up the DNS MX record of the sending domain, which contains the sending email server's host address. Performing a reverse lookup on the IP address of the connecting email server should reveal the same host address; if it does not, this could be an indicator of an email server being used for malicious purposes.
- SMTP Banner Verification - When two SMTP (Simple Mail Transfer Protocol) email servers connect, they identify themselves to each other using their configured hostnames in their respective SMTP banners. If these do not match the corresponding DNS MX records, it can be assumed that the sending server is unaware that it is being used to send spam from that domain. This could just be poor configuration; however, it could also indicate a hijacked email server.
- Anti-Virus and Sandboxing - It is very unusual today to attach malware directly to an email. Despite this, it is cheap to ensure all emails are scanned for known signatures, and where there is no match, attached files should be detonated in a sandbox environment. More common today is to entice users to click on URL hyperlinks in the email body. This gets around email scanning, as the malicious code is not present in the email itself. Good email filters include a URL-following technique which also scans the destination of any hyperlink in the email.
- SPF (Sender Policy Framework) Records - SPF is a DNS record in the sending domain which lists all email servers permitted to send email for that domain. Recipient servers can query this list and compare it against the sending email server's address to ensure it is permitted. Those that aren't could be malicious and should be dropped. SPF is a simple technique to prevent domain spoofing but is surprisingly uncommon.
It's not all Black and White with Email Security
In the real world, even legitimate email servers lack some of the records and validation steps mentioned. It would be foolish to block anything that fails just one of these techniques; they are better used in combination. Most good mail filters provide a quarantine function allowing your users to access those emails which fall between black and white, albeit in a controlled environment.
All the techniques listed above can be used to weed out potentially malicious email servers connecting and sending emails to your users, but they can also be applied in reverse, to reduce the chance of spam profilers flagging your own email as spam.
If your partners, customers and contacts have been finding your emails in their spam folders, you should also look at some of the above techniques and consider how they can be used not just to prevent attacks but also to validate your online email identity. After all, email is not just an attack vector; it is also how you distribute your marketing messaging, quotes and purchase orders. Balancing security and operations is the challenge, and it can be answered using the same means.
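As an added example (not from the original article), here is how the checklist items above can be combined the way this section recommends: each failed check adds to a score, and only an accumulation of failures pushes a message past quarantine into an outright reject. The DNS answers, the block-list entry and the score thresholds are constructed fixtures, not live lookups or vendor defaults.

```python
import ipaddress

# Constructed DNS fixture standing in for live lookups (hypothetical names and
# RFC 5737 documentation addresses), so the example runs offline.
DNS = {
    "PTR": {"203.0.113.10": "mx1.example.com", "198.51.100.7": "dyn-7.isp.example.net"},
    "A": {"mx1.example.com": "203.0.113.10", "dyn-7.isp.example.net": "198.51.100.7"},
    "TXT": {"example.com": "v=spf1 ip4:203.0.113.0/24 -all"},
}
BLACKLIST = {"198.51.100.7"}  # constructed block-list feed entry
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def reverse_dns_ok(ip):
    """Forward-confirmed reverse DNS: IP -> PTR name -> A record must give back the IP."""
    name = DNS["PTR"].get(ip)
    return name is not None and DNS["A"].get(name) == ip

def banner_ok(ip, helo_name):
    """The hostname announced in the SMTP banner/HELO should resolve to the connecting IP."""
    return DNS["A"].get(helo_name.lower()) == ip

def spf_result(ip, mail_from_domain):
    """Minimal SPF evaluator: handles ip4: mechanisms and the trailing 'all' only."""
    record = DNS["TXT"].get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in SPF_QUALIFIERS else ("+", term)
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return SPF_QUALIFIERS[qual]
        if mech == "all":
            return SPF_QUALIFIERS[qual]
    return "neutral"

def classify(ip, helo_name, mail_from_domain):
    """Weight the checks and combine them; weights and thresholds are illustrative.
    No single check reaches 'reject' on its own (a block-list hit alone scores 5)."""
    score = 5 if ip in BLACKLIST else 0
    score += 0 if reverse_dns_ok(ip) else 2
    score += 0 if banner_ok(ip, helo_name) else 2
    score += {"pass": 0, "neutral": 1, "none": 1, "softfail": 2, "fail": 4}[spf_result(ip, mail_from_domain)]
    if score >= 6:
        return "reject"
    return "quarantine" if score >= 2 else "deliver"
```

A legitimate partner with no PTR, no matching banner and no SPF record lands in quarantine rather than being dropped, which is the grey zone the paragraph above describes.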