The Ins and Outs of Email Spamming, Phishing, and Security Threats
March 07, 2019
By James Fodor, Service Desk Manager, Access One
Let’s talk about email, spam, and the United States Postal Service.
Email has become a critical portion of our everyday business practices. Email is so vital that most businesses consider it an emergency if their email is down for any period of time. We depend on email more than ever before, and it has become an integral part of our business communication.
And boy, do the spammers, scammers, phishers, spoofers, and other various nefarious people know this! They know how to prey on our use of email and often understand our habits better than we understand them ourselves. Long gone are the days of Nigerian princes. Today’s schemes are clever and are made to deceive even the most technologically adept of us out there.
The obvious questions that follow are:
- How does email work?
- How do we stop these guys?
Let’s start with a quick overview of how email works.
Your email address is very much like your home address for the good ol' USPS. It lets the outside world know how to reach you. With your physical address, your city and state get your mail to your local post office. Much the same with email: your domain name gets your email to your local email server. Just as your house and street number get your physical mail to you, the name portion of your email address tells your server to deliver email to your inbox.
This is when the spammers descend and start sending you all kinds of junk mail. Once you sign up for a mailing list or submit your address to Publishers Clearing House, your address starts getting sold. Soon enough your mailbox is filled with junk mail and spam. But there is great news! We have a way to combat this: spam filters.
One way a spam filter works is by keeping track of every email address you correspond with. If you send an email out to someone, it assumes you want to get an email back, and it creates a whitelist entry. Great! You can also mark any email you receive as spam, and the spam filter will keep track of those senders in a blacklist entry. No email is allowed from those email addresses any longer. Great again!
The big problem with this method is that there is a whole category of email in the middle: an email that looks like it should be good, but isn’t on the whitelist or the blacklist. The spam filter doesn’t know what to do with these emails, so it sends a list of them through to the end user in the form of a hold list, asking for guidance. You pick what to do with each email, and the spam service can perform better for you in the future. Fantastic!
But here come the scammers, phishers, spoofers and other security threats. A spam service isn’t good enough any longer – we are now being deluged with threats to our personal information and livelihood.
These include emails from the CEO asking you to wire money, emails from Microsoft telling you that your account has expired, or the new favorite that says your account has been hacked because you visited an x-rated site, and they are blackmailing you.
We can block an email address of any of these threats, and we no longer have to worry about threats from that specific email. Good! The scammers, however, will just get a new email address and try again. Think of it as moving from one apartment to another in the same building. Different address, same person. So let’s block anything from the whole apartment building or domain. This works sometimes, but what if you are getting attacked from gmail.com and a large portion of your business is from that domain? You’ve just cut them all off as well.
Luckily, we have some great security services within email that allow us to help verify that email is coming from who we think it should be from. In other words, we can verify that email from Microsoft is REALLY Microsoft, and not some Nigerian prince’s nephew.
The Right Tools
The first tool we use is called a Reverse DNS (Domain Name System) entry. Every server on the Internet, including our email server, has a DNS entry that lets everything else route traffic to it properly. This is how email flows and gets to the right spot. That DNS name often looks like mail.domain.com. When we send an email out, we are telling the world it is coming from mail.domain.com. That name translates into a specific IP address, like 126.96.36.199. The Reverse DNS entry maps the IP address back to the name, so the two can be matched up: if an email claims to come from mail.domain.com but actually arrives from IP 188.8.131.52, that’s not good. Simple, but easily worked around by the scammers. It also creates problems for very large companies that may send email from many locations, or for anyone who uses a mass mailing service.
We’ve built on this with an SPF (Sender Policy Framework) record. This is an entry in our public DNS records that lists the IP addresses allowed to send email on our behalf. So now we can let everyone know that the email newsletter we send out from Constant Contact’s mail servers, with our email address on it, is legitimate and was sent on purpose.
Identification of proper servers carries on even further with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) records, which are more advanced and precise ways of verifying that an email is coming from, and going to, the right places.
Scammers know tons of ways to get around these protections and trick us, and they are getting more and more creative. But one of the most important things to remember is that we can control the email we send out and the email we accept. We have ZERO control over email sent by a third party. Here’s how this little scenario works:
Company A does business with Company B and frequently sends email communication back and forth. They trust each other, and business is good! Scammer C learns about this relationship and sends an email to Company B claiming to be Company A. Company B doesn’t have any spam or security services, and therefore thinks the email is legit. They respond and send the scammer money. Now they are mad at Company A!
Unfortunately, there is NOTHING to prevent someone from building a mail server and claiming to be any other mail server in the world. Just like when sending a piece of mail through the post office, you can put ANY return address on it. We’ve built all of these protection services, but if the receiving side doesn’t use them, that email looks like it came from your friend at Company A. That email never touched Company A’s servers, and despite Company A having SPF, DKIM, and DMARC records that identify where their email comes from, Company B let it in anyway. Company A has done all it can to prevent this and cannot do anything more to stop this kind of email; only the receiver can check the records.
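To make the Company A / Company B scenario above concrete, and to show what the Reverse DNS, SPF and DMARC checks from the previous section actually do on the receiving side, here is a small added example (not code from the original article or from Access One). It stands in a constructed, offline DNS table for Company A's public records, evaluates a subset of SPF (ip4, a, include, all), and applies a DMARC policy with identifier alignment. All domain names, IP addresses and the simplified "relaxed alignment = subdomain relationship" rule are assumptions for illustration; DKIM verification itself is not implemented, so the DKIM result is supplied as an input.

```python
"""Receiver-side SPF / DMARC / reverse-DNS evaluation over constructed DNS data.

Added example, not the article's own code. The DNS records, IPs and domains
below are made up (RFC 5737 documentation ranges); SPF and DMARC parsing cover
only the mechanisms and tags used here.
"""
import ipaddress

# Constructed stand-in for public DNS: Company A publishes SPF and DMARC records.
DNS = {
    "companya.example": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 include:newsletter.example -all"],
    },
    "newsletter.example": {"TXT": ["v=spf1 ip4:198.51.100.0/26 -all"]},  # mass-mailer
    "mail.companya.example": {"A": ["203.0.113.10"]},
    "_dmarc.companya.example": {"TXT": ["v=DMARC1; p=reject; adkim=s; aspf=r"]},
}
# Constructed reverse (PTR) records: IP -> host name.
PTR = {"203.0.113.10": "mail.companya.example", "192.0.2.77": "vps-77.cheaphost.example"}


def reverse_dns_matches(ip):
    """Forward-confirmed rDNS: the PTR name must resolve back to the same IP."""
    name = PTR.get(ip)
    return name is not None and ip in DNS.get(name, {}).get("A", [])


def spf_check(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for a sending IP and domain."""
    if depth > 10:  # RFC 7208 limits include recursion; treat overflow as permerror
        return "permerror"
    record = next((t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")), None)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":  # 'a' or 'a:host': the A record of that name
            matched = ip in DNS.get(arg or domain, {}).get("A", [])
        elif name == "include":  # delegated senders, e.g. a newsletter service
            matched = spf_check(ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def dmarc_policy(from_domain):
    """Parse the _dmarc TXT record into a tag dict, or None if not published."""
    for txt in DNS.get("_dmarc." + from_domain, {}).get("TXT", []):
        if txt.startswith("v=DMARC1"):
            return dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return None


def aligned(identifier, from_domain, mode):
    """Strict = exact match; relaxed simplified here to a parent/subdomain relation."""
    if mode == "s":
        return identifier == from_domain
    return (identifier == from_domain or identifier.endswith("." + from_domain)
            or from_domain.endswith("." + identifier))


def evaluate(msg):
    """Decide what the receiving server should do with one inbound message."""
    spf = spf_check(msg["ip"], msg["mail_from"])
    policy = dmarc_policy(msg["from"])
    rdns_ok = reverse_dns_matches(msg["ip"])
    if policy is None:  # no DMARC published: nothing binds the From: header
        return {"spf": spf, "dmarc": "none", "action": "deliver", "rdns_ok": rdns_ok}
    spf_ok = spf == "pass" and aligned(msg["mail_from"], msg["from"], policy.get("aspf", "r"))
    dkim_ok = (msg.get("dkim_result") == "pass"
               and aligned(msg.get("dkim_domain", ""), msg["from"], policy.get("adkim", "r")))
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    action = "deliver" if dmarc == "pass" else {
        "none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy.get("p", "none")]
    return {"spf": spf, "dmarc": dmarc, "action": action, "rdns_ok": rdns_ok}


# Constructed messages: a real one from Company A, its newsletter, and Scammer C's forgery.
LEGIT = {"ip": "203.0.113.10", "mail_from": "companya.example", "from": "companya.example",
         "dkim_result": "pass", "dkim_domain": "companya.example"}
NEWSLETTER = {"ip": "198.51.100.20", "mail_from": "companya.example",
              "from": "companya.example", "dkim_result": "none"}
SPOOF = {"ip": "192.0.2.77", "mail_from": "companya.example",
         "from": "companya.example", "dkim_result": "none"}

if __name__ == "__main__":
    for label, m in [("legit", LEGIT), ("newsletter", NEWSLETTER), ("spoof", SPOOF)]:
        print(label, evaluate(m))
```

The forged message never touched Company A's servers, so it fails SPF and carries no DKIM signature; because Company A published `p=reject`, a receiver that runs this evaluation rejects it, while a receiver with no checks (Company B in the story) would accept it. The newsletter shows why SPF exists at all: it passes only through the `include:` of the mass-mailer's range, even though its reverse DNS does not point back at Company A.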
Where does this leave us?
Spammers, scammers, phishers, spoofers…they all suck. They cost us literally billions of dollars as a society, and the wasted time can never be recovered. They are always slightly ahead of us, creating new and impressive ways to trick, deceive and dupe us. We wire the CEO money because he’s the CEO and can fire us. We give Microsoft our login credentials because we don’t want our precious email to stop working. And we submit to the x-rated blackmail because enough of us have done it.
Call the CEO directly; he’s probably got plenty of ways to get money without you wiring it to him. Contact your IT department; they can reset your credentials with Microsoft and don’t need to send out an email to do it. And you probably didn’t visit some website to be blackmailed, but if you do, always practice safe browsing and make sure you’ve got protection!
Contact Access One today with any questions about email security. We'd be happy to help.