Page 22 - Cyber Defense eMagazine - October 2017
What You Need To Know About Anti-Phishing Standards – Part 1
by Marc Laliberte, Information Security Threat Analyst, WatchGuard Technologies
Phishing emails are a popular malware delivery vehicle for attackers. In fact, according to
Verizon’s 2017 Data Breach Investigations Report, two-thirds of all malware in 2016 was
installed via email attachments. Often the most difficult part in crafting a phishing email is
designing it in such a way that the victim will believe it and follow the instructions.
While there are many ways for an attacker to increase the chances of success for their phishing
emails, one of the most effective methods involves spoofing the message to appear to come
from a trusted source. Before we can dive in to how the attackers spoof the sender and how to
protect against it, we first need to go over some email message basics.
The Basics
The format and process for most email messages is actually very similar to a traditional snail
mail message. An email message includes an envelope with routing address information, and a
message letter that sits inside the envelope. The envelope is not part of the message text at all;
it is made up of the commands the sending system issues during the SMTP session. There is a
command for the sender, called MAIL FROM (the address is also known as the return-path or
bounce address), and a command for the recipient, called RCPT TO. In the case of a CC or BCC
recipient, the sending system simply issues additional RCPT TO commands so that a copy of the
message is delivered to each of the other recipients. Email servers use these envelope addresses
when deciding where to route a message and where to send delivery failure (bounce) messages
if any issues are encountered along the way.
Inside the message envelope sits the email message itself. The message also uses several
headers, including separate headers for the sender (FROM header), recipient (TO header), a
header for the message subject (Subject header), and a timestamp for the message (Date
header), among others. Your email client uses these message headers, not the envelope
headers, when displaying details like the sender, recipients, and subject of a message.
Most email clients display these message headers as-is. Nothing in SMTP ties the From header
to the envelope MAIL FROM address: whoever submits the message writes the header block
themselves, so an attacker can spoof a message’s From header to be any address they want,
whether it be your company’s CEO, your best friend, or your bank. By spoofing the sender
address in their phishing emails, attackers make the context of their message more convincing,
increasing the chances that the victim will fall for it. In fact, nearly all malicious e-mail messages
use a spoofed sender address. Luckily, there are technologies and standards available to protect
yourself and your users from sender address forgery.
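To make the envelope-versus-message distinction concrete, here is an added example (not code from the article or from WatchGuard) that parses a constructed SMTP client transcript into its envelope commands and its message, then compares the envelope MAIL FROM with the From header that a mail client would display. The transcript, domains and addresses are made up for illustration; only the client side of the session is shown.

```python
"""Envelope vs. message headers.

Added illustration, not the article's code. Parses a constructed (hypothetical)
SMTP client transcript: MAIL FROM / RCPT TO form the envelope, everything
between DATA and the lone '.' is the message. Shows that the address a mail
client displays (the From: header) need not match the envelope sender.
"""
import email
from email.utils import parseaddr

# Constructed sample SMTP session (client commands only). Not a real capture.
SMTP_SESSION = """\
EHLO mail.attacker.example
MAIL FROM:<bounce@attacker.example>
RCPT TO:<alice@victim.example>
RCPT TO:<bob@victim.example>
DATA
From: "CEO" <ceo@victim.example>
To: alice@victim.example
Subject: Urgent wire transfer
Date: Tue, 03 Oct 2017 09:15:00 +0000

Please process the attached invoice today.
.
QUIT
"""


def parse_session(transcript):
    """Split an SMTP client transcript into envelope fields and the message.

    Returns (envelope, message): envelope is a dict with 'mail_from' and
    'rcpt_to'; message is an email.message.Message built from the DATA block.
    """
    envelope = {"mail_from": None, "rcpt_to": []}
    data_lines = []
    in_data = False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":                 # a lone dot terminates DATA
                in_data = False
            else:
                # RFC 5321 dot-stuffing: a leading '.' is doubled in transit
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        cmd, _, arg = line.partition(":")
        verb = cmd.strip().upper()
        if verb == "MAIL FROM":
            envelope["mail_from"] = arg.strip().strip("<>")
        elif verb == "RCPT TO":
            envelope["rcpt_to"].append(arg.strip().strip("<>"))
        elif verb == "DATA":
            in_data = True
    message = email.message_from_string("\n".join(data_lines))
    return envelope, message


def displayed_sender(message):
    """What a typical mail client shows as the sender: the From header, verbatim."""
    return message["From"]


def sender_mismatch(envelope, message):
    """True when the From header address differs from the envelope MAIL FROM.

    A mismatch is not proof of forgery (mailing lists and bulk senders do this
    legitimately), but it is exactly the gap a header-From spoof lives in.
    """
    header_addr = parseaddr(message["From"] or "")[1]
    return header_addr.lower() != (envelope["mail_from"] or "").lower()


if __name__ == "__main__":
    env, msg = parse_session(SMTP_SESSION)
    print("envelope MAIL FROM:", env["mail_from"])
    print("envelope RCPT TO:  ", env["rcpt_to"])
    print("displayed From:    ", displayed_sender(msg))
    print("mismatch:          ", sender_mismatch(env, msg))
```

Run as-is, the servers along the path route and bounce on bounce@attacker.example, while the recipient's client shows "CEO" <ceo@victim.example>. Note that the message's To header only names alice, yet bob also receives a copy, because delivery follows the RCPT TO commands, not the To header.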
SPF
Sender Policy Framework (SPF) is an open standard developed by the Internet Engineering
Task Force (IETF), currently specified in RFC 7208, designed to combat sender address forgery
in the envelope MAIL FROM address (the specification also applies the same check to the HELO
name). SPF enables organizations to publish a DNS TXT record listing which servers are allowed
to send email with an envelope MAIL FROM address in their domain. A receiving mail server looks
up that record for the MAIL FROM domain and checks whether the IP address it is talking to is
one of the permitted senders; if not, the domain owner's policy says whether the message should
be rejected, marked as suspicious, or treated neutrally. Keep in mind that SPF validates only the
envelope sender domain: a message can pass SPF while the From header that the user sees is
still forged.
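As an added example (not the article's code, nor any particular mail server's implementation), the following is a small SPF evaluator in the spirit of RFC 7208, run against a constructed in-memory DNS zone instead of live lookups. The domains, IP addresses and records are hypothetical (documentation address ranges), and the evaluator covers the common spf1 mechanisms (ip4, ip6, a, mx, include, all) with the four qualifiers; the redirect and exp modifiers and the bare a/CIDR form are deliberately left out.

```python
"""SPF check_host() against a constructed DNS zone.

Added illustration, not the article's or any library's code. The zone data,
domains and IPs are hypothetical. Mechanisms: ip4, ip6, a, mx, include, all.
Qualifiers: + (pass), - (fail), ~ (softfail), ? (neutral). Modifiers
(redirect=, exp=) are skipped; unknown mechanisms yield permerror.
"""
import ipaddress

# Constructed zone: TXT records carry SPF policy; A/MX back the a/mx mechanisms.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["198.51.100.10"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:192.0.2.0/25 ~all"]},
    "noreply.example": {"TXT": ["v=spf1 a -all"], "A": ["198.51.100.77"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10   # RFC 7208 caps DNS-querying terms at 10; we cap include depth


def spf_record(domain):
    """Return the domain's spf1 TXT record, or None if it publishes none."""
    for txt in ZONE.get(domain, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_in_hosts(ip, domain, cidr=None):
    """True if ip falls within any A record of domain (optionally widened by /cidr)."""
    for addr in ZONE.get(domain, {}).get("A", []):
        spec = f"{addr}/{cidr}" if cidr else addr
        if ip in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def check_host(ip, domain, depth=0):
    """SPF result for a connection from `ip` using MAIL FROM in `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                      # no policy published
    ip = ipaddress.ip_address(str(ip))
    for term in record.split()[1:]:        # skip the "v=spf1" tag
        if "=" in term:
            continue                       # modifier (redirect=/exp=): not handled
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a v4 address is never "in" a v6 network, and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            target, _, cidr = (arg or domain).partition("/")
            matched = ip_in_hosts(ip, target, cidr or None)
        elif name == "mx":
            target = arg or domain
            matched = any(ip_in_hosts(ip, mx)
                          for mx in ZONE.get(target, {}).get("MX", []))
        elif name == "include":
            # include: only a "pass" from the included policy counts as a match
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"             # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]   # first match wins
    return "neutral"                       # fell off the end without an "all"


if __name__ == "__main__":
    for src, dom in [("203.0.113.7", "example.com"), ("192.0.2.200", "example.com"),
                     ("198.51.100.77", "noreply.example"), ("10.0.0.1", "unknown.example")]:
        print(f"{src:>14} MAIL FROM @{dom:<22} -> {check_host(src, dom)}")
```

Two details are worth noticing. Mechanisms are evaluated left to right and the first one that matches decides the result, so the order in a published record matters. And an include only "matches" when the included policy returns pass; a softfail from the included domain falls through to the outer record's own -all, which is what turns 192.0.2.200 into a hard fail above.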
Copyright © Cyber Defense Magazine, All rights reserved worldwide.