malicious email spam

I've recently enabled SPF/DKIM/DMARC for our email system.  My understanding is that this will help fight email spoofing?

But what about other malicious email events?  How do I thwart email viruses and attacks coming from sites that are not spoofing?
Ted James asked:
Alfredo Luis Torres Serrano, ASP .Net Developer, commented:
- Educate your employees and conduct training sessions with mock phishing scenarios.
- Deploy a SPAM filter that detects viruses, blank senders, etc.
- Keep all systems current with the latest security patches and updates.
- Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
- Develop a security policy that includes but isn't limited to password expiration and complexity.
- Deploy a web filter to block malicious websites.
- Encrypt all sensitive company information.
- Convert HTML email into text only email messages or disable HTML email messages.
- Require encryption for employees that are telecommuting.
Dr. Klahn, Principal Software Engineer, commented:
Use a firewall that can employ geoIP blocking.

If you do not do business outside your own country ... and assuming that it is the U.S., Great Britain, the EU or Canada ...  then block all incoming traffic from Africa, the Far East, South America, the Middle East and the ex-Soviet bloc countries.  This measure alone will cut problems by 80%.

Also block access from CIDR blocks associated with server farms such as 247 Hosting, OVH Hosting and the like.  This will cut a lot of domestic web site attacks and phishing attempts.  Partial example (couple hundred lines out of 3500 blocks) below.

#
# +-----------------------------------------------------+
# |                         5                           |
# +-----------------------------------------------------+
#

# ==== 5.1.64 - 5.1.95 -- Meerfarbig, DE
$iptloc -t filter -A $chname -s 5.1.64.0/19 -p tcp -j REJECT

# ==== 5.9 -- Hetzner hosting, DE
$iptloc -t filter -A $chname -s 5.9.0.0/16 -p tcp -j REJECT

# ==== 5.10.144 - 5.10.159 -- Vorboss cloud
$iptloc -t filter -A $chname -s 5.10.144.0/20 -p tcp -j REJECT

# ==== 5.35.240 - 5.35.255 -- HostEurope
$iptloc -t filter -A $chname -s 5.35.240.0/20 -p tcp -j REJECT

# ==== 5.39.0 - 5.39.127 -- OVH SAS hosting
$iptloc -t filter -A $chname -s 5.39.0.0/17 -p tcp -j REJECT

# ==== 5.39.208 - 5.39.223 -- Estonia / hosting
$iptloc -t filter -A $chname -s 5.39.208.0/20 -p tcp -j REJECT

# ==== 5.45.72 - 5.45.75 -- Serverius hosting
$iptloc -t filter -A $chname -s 5.45.72.0/22 -p tcp -j REJECT

# ==== 5.45.176 - 5.45.183 -- B&K hosting, DE
$iptloc -t filter -A $chname -s 5.45.176.0/21 -p tcp -j REJECT

# ==== 5.56.12 - 5.56.15 -- Nventa hosting, IT
$iptloc -t filter -A $chname -s 5.56.12.0/22 -p tcp -j REJECT

# ==== 5.56.60 - 5.56.63 -- Gigashosting (Spain)
# $iptloc -t filter -A $chname -s 5.56.56.0/21 -p tcp -j REJECT

# ==== 5.61.32 - 5.61.47 -- Leaseweb hosting
$iptloc -t filter -A $chname -s 5.61.32.0/20 -p tcp -j REJECT

# ==== 5.62.48 - 5.62.55 -- Avast / Privax
$iptloc -t filter -A $chname -s 5.62.48.0/21 -p tcp -j REJECT

# ==== 5.62.152 - 5.62.159 -- Hivelocity / Ogdennet hosting
$iptloc -t filter -A $chname -s 5.62.152.0/21 -p tcp -j REJECT

# ==== 5.63.144 - 5.63.151 -- Hosting Services Ltd
# $iptloc -t filter -A $chname -s 5.63.144.0/21 -p tcp -j REJECT

# ==== 5.79 -- Various EU hosting / Russian
# $iptloc -t filter -A $chname -s 5.79.0.0/16 -p tcp -j REJECT
# 5.79.64 - 5.79.127
$iptloc -t filter -A $chname -s 5.79.64.0/18 -p tcp -j REJECT

# ==== 5.88 - 5.89 -- Vodafone IT
$iptloc -t filter -A $chname -s 5.88.0.0/15 -p tcp -j REJECT

# ==== 5.101.96 - 5.101.103 -- DigitalOcean hosting
$iptloc -t filter -A $chname -s 5.101.96.0/21 -p tcp -j REJECT

# ==== 5.101.168 - 5.101.175 -- UK Dedicated Servers Ltd
$iptloc -t filter -A $chname -s 5.101.168.0/21 -p tcp -j REJECT

# ==== 5.102.168 - 5.102.175 -- Custodian hosting UK
$iptloc -t filter -A $chname -s 5.102.168.0/21 -p tcp -j REJECT

# ==== 5.102.184 - 5.102.191 -- Six Degrees hosting, UK
$iptloc -t filter -A $chname -s 5.102.184.0/21 -p tcp -j REJECT

# ==== 5.135 -- OVH hosting, BE
$iptloc -t filter -A $chname -s 5.135.0.0/16 -p tcp -j REJECT

# ==== 5.144.176 - 5.144.183 -- AHBR hosting, UK
$iptloc -t filter -A $chname -s 5.144.176.0/21 -p tcp -j REJECT

# ==== 5.148.160 - 5.148.191 -- Nine Internet hosting, CH
$iptloc -t filter -A $chname -s 5.148.160.0/19 -p tcp -j REJECT

# ==== 5.149.192 - 5.149.255 -- Poland / hosting
$iptloc -t filter -A $chname -s 5.149.192.0/18 -p tcp -j REJECT

# ==== 5.152.192 - 5.152.223 -- Redstation hosting UK
# $iptloc -t filter -A $chname -s 5.152.192.0/19 -p tcp -j REJECT

# ==== 5.153.224 - 5.153.255 -- Various EU hosting
# $iptloc -t filter -A $chname -s 5.153.224.0/19 -p tcp -j REJECT

# ==== 5.157.80 - 5.157.87 -- Firstfind hosting, NL
$iptloc -t filter -A $chname -s 5.157.80.0/21 -p tcp -j REJECT

# ==== 5.188.192 - 5.188.223 -- Russia
$iptloc -t filter -A $chname -s 5.188.192.0/19 -p tcp -j REJECT

# ==== 5.189.128 - 5.189.191 -- Contabo hosting
$iptloc -t filter -A $chname -s 5.189.128.0/18 -p tcp -j REJECT

# ==== 5.189.200 - 5.189.207 -- Suspicious hosting
$iptloc -t filter -A $chname -s 5.189.200.0/21 -p tcp -j REJECT

# ==== 5.196 -- OVH hosting
$iptloc -t filter -A $chname -s 5.196.0.0/16 -p tcp -j REJECT

# ==== 5.199.128 - 5.199.143 -- myLoc hosting
$iptloc -t filter -A $chname -s 5.199.128.0/20 -p tcp -j REJECT

# ==== 5.226.128 - 5.226.159 -- Various hosting
$iptloc -t filter -A $chname -s 5.226.128.0/19 -p tcp -j REJECT

# ==== 5.230.96 - 5.230.127 -- GhostNet, DE
$iptloc -t filter -A $chname -s 5.230.96.0/19 -p tcp -j REJECT

# ==== 5.249.128 - 5.249.159 -- Aruba Spaz hosting
$iptloc -t filter -A $chname -s 5.249.128.0/19 -p tcp -j REJECT

# ==== 5.254.64 - 5.254.127 -- Voxility, RO
$iptloc -t filter -A $chname -s 5.254.64.0/18 -p tcp -j REJECT

# ==== 5.255.192 - 5.255.255 -- Yandex, RU
$iptloc -t filter -A $chname -s 5.255.192.0/18 -p tcp -j REJECT

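A list this long is only as good as its bookkeeping, and the same CIDRs are useful on the detection side: checking the connecting IP from a mail log or Received header against the list tells you whether the block is doing anything. The following is an added example, not Dr. Klahn's code: it parses rules in the format posted above (assumed: a "# ==== start - end -- label" header followed by an $iptloc line, a leading "#" on the rule meaning it is disabled), looks up a sender IP, and flags entries whose documented range does not match the CIDR actually rejected. The sample rules are constructed from the list above.

```python
import ipaddress
import re

# Constructed sample in the format posted above: a "# ====" header line, then an
# $iptloc rule; a leading "#" on the rule line means that block is disabled.
SAMPLE_RULES = """\
# ==== 5.9 -- Hetzner hosting, DE
$iptloc -t filter -A $chname -s 5.9.0.0/16 -p tcp -j REJECT
# ==== 5.56.60 - 5.56.63 -- Gigashosting (Spain)
# $iptloc -t filter -A $chname -s 5.56.56.0/21 -p tcp -j REJECT
# ==== 5.101.96 - 5.101.103 -- DigitalOcean hosting
$iptloc -t filter -A $chname -s 5.101.96.0/21 -p tcp -j REJECT
"""

HEADER = re.compile(r"^# ==== (\S+)(?: - (\S+))? -- (.*)$")
RULE = re.compile(r"^(#\s*)?\$iptloc .* -s (\S+) .* -j REJECT")

def expand(prefix, fill):
    """Pad an abbreviated prefix such as '5.9' to a full IPv4 address."""
    parts = prefix.split(".")
    return ipaddress.ip_address(".".join(parts + [fill] * (4 - len(parts))))

def parse_rules(text):
    """Pair each header with the rule below it and record whether they agree."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            start, end, label = m.groups()
            header = (expand(start, "0"), expand(end or start, "255"), label)
            continue
        m = RULE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(2), strict=False)
            label, consistent = "(unlabelled)", None
            if header:
                lo, hi, label = header
                # The documented range must equal the CIDR the rule rejects.
                consistent = net[0] == lo and net[-1] == hi
            entries.append({"label": label, "network": net,
                            "active": m.group(1) is None, "consistent": consistent})
            header = None
    return entries

def blocked_by(entries, ip):
    """Label of the first active block containing ip, or None if it would pass."""
    addr = ipaddress.ip_address(ip)
    return next((e["label"] for e in entries
                 if e["active"] and addr in e["network"]), None)
```

Entries with "consistent" False (the Gigashosting line in the sample, whose header says 5.56.60 - 5.56.63 but whose CIDR covers 5.56.56.0 - 5.56.63.255) are the ones to re-check before enabling.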

masnrock commented:
Alfredo's answer pretty much answers your question.

You should also have a web proxy of some sort, along with some good endpoint protection. Remember that none of the mechanisms are perfect, plus tactics change all of the time.
Ted James (author) commented:
Can you give me commercially available examples (and perhaps your opinion about...) some of the systems mentioned here:  SPAM filter; web filter; web proxy; antivirus solution; endpoint protection?  (I realize some items on this list are repetitive.)
masnrock commented:
What mail system do you have? If 365, Exchange Online Protection is included (which I think isn't good) for spam filtering, but you can also enhance to Advanced Threat Protection.

SPAM filter: Cisco CES, Proofpoint
Web filter/proxy: Blue Coat, Cisco WSA, Untangle
Antivirus: ESET, Symantec, Trend Micro, McAfee
Brian B, EE Topic Advisor, Independent Technology Professional, commented:
I started using an email filter appliance that used RBL (realtime black hole list) and it took care of 99% of my spam.
Ted James (author) commented:
Masnrock, in answer to your question what kind of mail system...  It is email provided by my cloud provider.  They are hosting the email server.   We access through webmail.  For me personally I have Outlook on my desktop so I can implement it and access the mail that way.  Others either just use web access or may similarly use Outlook if they have it.  So the cloud provider hosts the server, and my group owns the domain.  Does that answer your question?  And does that affect your answer?

Brian B, who is responsible for building the blacklist, my email server provider or the domain owner?
Who makes that email filter appliance you are talking about?
masnrock commented:
Ted, I was using it as a way to see whether you were using O365. However, both spam solutions I have mentioned are cloud offerings.

A lot of solutions use various lists from various sources with reputation information, etc., to determine what should get blocked out. But let's be honest, no product is perfect.
Brian B, EE Topic Advisor, Independent Technology Professional, commented:
Thanks for adding those details. So basically you are at the mercy of your provider for some services. They most likely already use a spam filter and possibly a blackhole list, although they probably can't be as aggressive because their customers receive email from everywhere. I would also hope they are already blocking spoofing. Perhaps talk to them about what service they provide. For bigger services like GMAIL or Microsoft, you'll probably have to look the information up online.

Ted James (author) commented:
Thank you all.  It was very helpful.