Email is the world’s worst nightmare and everyone knows it. I’m sure there are some biased sources out there that will tell you it’s the primary vector for malware infections and fraud and they’ll try to give you some suspicious percentage to quantify their shady findings, increase FUD, and drive revenue.
I’m here to tell you two things; 1) to hell with those charlatan snake oil salesmen and 2) they’re probably pretty close to correct.
A Brief Overview of Email
Email is used to deliver spam and malware and sometimes people use it for legitimate communication. There is nearly no way to programatically differentiate well crafted spam or even most marketing emails from legit communications. Okay, there are probably some ways which I’ll write about at some point (citation needed) like keeping some dynamic database of known good senders and terminating (okay, quarantining temporarily so that’s another web gui you have to build) with extreme prejudice any email that comes in that’s not on that list but if you get a lot of email you’ll need some seriously well tuned code and some monster hardware to run those checks - and even then you’ll still be the guy or gal on the hook at 3am when email goes down and your office in Western Europe is just opened for the day and no one can get work done. Sounds like a fun night!
How We Try To Keep Email ‘Safe’ Today
Here’s a short list of things we do as mail server admins to try to keep email safe and friendly.
- SPF Records
- DKIM Records
- DMARC Records
Here’s a list of things that take 30 seconds to set up and bad guys configure within moments of creating a really freaking good malware or phishing domain to fully pwn your teammates, employees, or users.
- SPF Records
- DKIM Records
- DMARC Records
Yep. If you own websterbrewing.com and you have a successful brewing business with about 100 employees and some goober registers websterbrewlng.com with their own legitimate SPF, DKIM, and DMARC records, and then spends 20 minutes cloning your webmail.websterbrewing.com page, putting together a list of targets from LinkedIn, and sending an email from [email protected] I guarantee one of the targeted employees will put in their creds and even download something on the other end of that link.
Aaannndd you’re done. RAT, reverse shell, dump lsass, someone with admin creds will have logged into that box, pivot using a sneaky netstat -an or -lanp if you want to be really fancy using those admin creds mentioned above, and now you’re fighting fires if you’re lucky enough to pick up on degenerate activity on your network. Good night.
Nothing in your crappy-email-detection stack would have a chance on catching this.
Okay - Maybe you filter by newly registered domains
This is an awesome idea and you can definitely cut back on the garbage you receive if you can do this. But WHOIS queries not only suck (they’re often incomplete or incorrect) but they take a while. We’re getting back to that smooth-code-and-lots-of-horsepower thing again.
I’ve been trashing on email but I want to take a second to be clear; there is an absolute deluge of garbage that comes in via email all over the world. Statista, who sounds legitimate but who knows anymore, has data showing that 61%+ of global email traffic is spam. Real numbers are probably a lot more than that but that’s still a ton of email and for the most part spammers and scammers are really dumb and use the same old tricks. So we have email appliances that filter out a lot of spam and they do a pretty good job.
But when, as a company, you block 95% of the spam coming in, and you still get many thousands of spam or marketing messages.. you become a little bit disenfranchised
READY? TIME IN
Last few points; email is really, really tough to filter on bad v. good, but there are some steps you can take to maintain some safety. I’ve taken the time to list these below in order of incrementing insanity.
|Task/Action||Level of Insanity|
|Disable Document Preview||The Board will probably approve|
|Quarantining email with attachments that aren’t text or images||The Board doesn’t have to know|
|Defang inbound links from external senders||Hold my beer while I ride this sheep|
|Email in plaintext only, no HTML||Tom Cruise in Tropic Thunder|
|Whitelist only policy for inbound email||Vermin Supreme|
|Force everyone to use Mutt||James Brown on PCP interviewing for CNN|
|Disable email completely and only use encrypted messaging with symmetric keys delivered in person||Tossing cans of spray paint into a lawnmower over a bonfire|