How we at the Email Laundry are working towards stopping CEO fraud emails
Some of you might know that emails by design have two types of sending and receiving addresses. Yes, you read that right – it’s not just the one you see on your email.
The first type of sending address is the envelope sender, which is not visible to the user on their mail client or even in the headers. You can correlate this with a physical letter, which after being put in an envelope has the address on the outside which is used by the courier to deliver the envelope to the intended destination. Similarly, the envelope sender is used for routing purposes on the Internet.
The second type of sending address is the header From address. This is the one you see displayed on your email or in the headers as From: address. In our metaphor, this would be the address you write on the letter itself. In real life, the envelope can be addressed to A and the letter can be addressed to B. Similarly, email does not require the envelope sender to match the header From address.
So the email that you see coming in from email@example.com could easily be from firstname.lastname@example.org.
This is one of the ways the bad guys send out CEO Fraud emails or, as termed by the FBI, ‘Business E-Mail Compromise’. The emails almost always originate from an external source. This means that the envelope sender is from an external domain but the header From address is spoofed to look like it is coming from your domain. There are very simple steps you can follow when using our email filtering to prevent these types of emails from being delivered to your users.
Implement an SPF record
The envelope sender is dealt with by implementing an SPF record for your domain. Look up www.openspf.org for instructions on how to apply this. We will stop any emails arriving that don’t comply with your SPF record. However, that still leaves the header From address. This is the one users see in Outlook if they use it as an email client. This is where the danger lies.
Implement a blacklist for your own domain
If you do not have emails coming in from any external sources that legitimately spoof your domain, such as emails from a website or newsletters that spoof your domain, you can put in a blacklist rule from @yourdomain.tld to @yourdomain.tld. This works efficiently because all your internal emails are handled by your mail servers. So there should not be any emails that would come through our filters that would have @yourdomain.tld in either of the sending addresses.
How to blacklist your own domain
You can put in this rule by doing the following:
1. Log in to manage.securesuite.io as an administrator.
2. Go to the Rules tab.
3. Click on the Add rule button.
4. Enter ‘@yourdomain.tld’ for the Sender field, without the quotes.
5. Leave the Recipient field empty. (This applies the rule to your entire domain.)
6. Select ‘Apply to all recipient domains’ if you have multiple domains under your account.
7. Select the Action to be “Blacklist” from the drop-down list.
8. Click on the Save button.
9. Repeat the above steps until you have entered all your domains in step 4. That is, each of your domains should have its own Blacklist rule applied.
Now, if you have external sources that legitimately spoof your domain(s) (for example, your email newsletters) and are sending to your users, you need to compile a list of all the IPs the emails originate from, the sending addresses in case they come from a fixed address, or a combination of the two, and send it to email@example.com or give us a call. We will implement a rule for you that will allow the sources you mentioned while blocking all emails that spoof your domain, within a matter of a few minutes.
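The own-domain rule and its exception list described above can be expressed as a short check on inbound mail. This is an added sketch, not The Email Laundry's filter code; the function names, the allowed IP and the sample message are constructed for illustration, and `yourdomain.tld` is the article's placeholder.

```python
from email import message_from_string
from email.utils import getaddresses

OWN_DOMAINS = {"yourdomain.tld"}    # the article's placeholder for your domain
ALLOWED_SOURCES = {"192.0.2.25"}    # constructed: IP of a legitimate newsletter sender


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    address = address.strip("<> ")
    return address.rpartition("@")[2].lower() if "@" in address else ""


def check_inbound(client_ip, envelope_sender, raw_message):
    """Apply the own-domain rule to one message arriving from outside.

    envelope_sender is the SMTP MAIL FROM value; the header From address is
    parsed from the message itself. Returns (action, reason).
    """
    msg = message_from_string(raw_message)
    header_domains = {domain_of(addr)
                      for _name, addr in getaddresses(msg.get_all("From", []))}
    in_header = bool(header_domains & OWN_DOMAINS)
    in_envelope = domain_of(envelope_sender) in OWN_DOMAINS

    if not (in_header or in_envelope):
        return "accept", "no own-domain sender"
    if client_ip in ALLOWED_SOURCES:
        return "accept", "own-domain sender from an allowed source"
    where = "header From" if in_header else "envelope sender"
    return "blacklist", "external mail uses own domain in " + where


# Constructed sample: external envelope sender, header From spoofing the domain.
SPOOFED = ('From: "The CEO" <ceo@yourdomain.tld>\n'
           "To: finance@yourdomain.tld\n"
           "Subject: Urgent payment\n"
           "\n"
           "Are you at your desk?\n")

if __name__ == "__main__":
    print(check_inbound("203.0.113.9", "bounce@mailer.example", SPOOFED))
    print(check_inbound("192.0.2.25", "bounce@mailer.example", SPOOFED))
```

The first call is blacklisted because the header From claims the protected domain while the connection comes from an unlisted external IP; the second is accepted because the same message arrives from an allowed source.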
Our new CEO Fraud algorithm will prevent these types of spoofed mails and other variants on the theme without these settings.
That’s all it takes to stop someone from sending your users an email that looks like it was sent from within your organization. Don’t put your users at an unnecessary risk – contact The Email Laundry today.
Author: Ken Bagnall