malicious email spam

Ted James
I've recently enabled SPF/DKIM/DMARC for our email system.  My understanding is that this will help fight email spoofing?

But what about other malicious email events?  How do I thwart email viruses and attacks coming from sites that are not spoofing?
- Educate your employees and conduct training sessions with mock phishing scenarios.
- Deploy a SPAM filter that detects viruses, blank senders, etc.
- Keep all systems current with the latest security patches and updates.
- Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
- Develop a security policy that includes but isn't limited to password expiration and complexity.
- Deploy a web filter to block malicious websites.
- Encrypt all sensitive company information.
- Convert HTML email into text only email messages or disable HTML email messages.
- Require encryption for employees that are telecommuting.
Dr. Klahn, Principal Software Engineer
Commented:
Use a firewall that can employ geoIP blocking.

If you do not do business outside your own country ... and assuming that it is the U.S., Great Britain, the EU or Canada ...  then block all incoming traffic from Africa, the Far East, South America, the Middle East and the ex-Soviet bloc countries.  This measure alone will cut problems by 80%.

Also block access from CIDR blocks associated with server farms such as 247 Hosting, OVH Hosting and the like.  This will cut a lot of domestic web site attacks and phishing attempts.  Partial example (couple hundred lines out of 3500 blocks) below.

#
# +-----------------------------------------------------+
# |                         5                           |
# +-----------------------------------------------------+
#

# ==== 5.1.64 - 5.1.95 -- Meerfarbig, DE
$iptloc -t filter -A $chname -s 5.1.64.0/19 -p tcp -j REJECT

# ==== 5.9 -- Hetzner hosting, DE
$iptloc -t filter -A $chname -s 5.9.0.0/16 -p tcp -j REJECT

# ==== 5.10.144 - 5.10.159 -- Vorboss cloud
$iptloc -t filter -A $chname -s 5.10.144.0/20 -p tcp -j REJECT

# ==== 5.35.240 - 5.35.255 -- HostEurope
$iptloc -t filter -A $chname -s 5.35.240.0/20 -p tcp -j REJECT

# ==== 5.39.0 - 5.39.127 -- OVH SAS hosting
$iptloc -t filter -A $chname -s 5.39.0.0/17 -p tcp -j REJECT

# ==== 5.39.208 - 5.39.223 -- Estonia / hosting
$iptloc -t filter -A $chname -s 5.39.208.0/20 -p tcp -j REJECT

# ==== 5.45.72 - 5.45.75 -- Serverius hosting
$iptloc -t filter -A $chname -s 5.45.72.0/22 -p tcp -j REJECT

# ==== 5.45.176 - 5.45.183 -- B&K hosting, DE
$iptloc -t filter -A $chname -s 5.45.176.0/21 -p tcp -j REJECT

# ==== 5.56.12 - 5.56.15 -- Nventa hosting, IT
$iptloc -t filter -A $chname -s 5.56.12.0/22 -p tcp -j REJECT

# ==== 5.56.60 - 5.56.63 -- Gigashosting (Spain)
# $iptloc -t filter -A $chname -s 5.56.56.0/21 -p tcp -j REJECT

# ==== 5.61.32 - 5.61.47 -- Leaseweb hosting
$iptloc -t filter -A $chname -s 5.61.32.0/20 -p tcp -j REJECT

# ==== 5.62.48 - 5.62.55 -- Avast / Privax
$iptloc -t filter -A $chname -s 5.62.48.0/21 -p tcp -j REJECT

# ==== 5.62.152 - 5.62.159 -- Hivelocity / Ogdennet hosting
$iptloc -t filter -A $chname -s 5.62.152.0/21 -p tcp -j REJECT

# ==== 5.63.144 - 5.63.151 -- Hosting Services Ltd
# $iptloc -t filter -A $chname -s 5.63.144.0/21 -p tcp -j REJECT

# ==== 5.79 -- Various EU hosting / Russian
# $iptloc -t filter -A $chname -s 5.79.0.0/16 -p tcp -j REJECT
# 5.79.64 - 5.79.127
$iptloc -t filter -A $chname -s 5.79.64.0/18 -p tcp -j REJECT

# ==== 5.88 - 5.89 -- Vodafone IT
$iptloc -t filter -A $chname -s 5.88.0.0/15 -p tcp -j REJECT

# ==== 5.101.96 - 5.101.103 -- DigitalOcean hosting
$iptloc -t filter -A $chname -s 5.101.96.0/21 -p tcp -j REJECT

# ==== 5.101.168 - 5.101.175 -- UK Dedicated Servers Ltd
$iptloc -t filter -A $chname -s 5.101.168.0/21 -p tcp -j REJECT

# ==== 5.102.168 - 5.102.175 -- Custodian hosting UK
$iptloc -t filter -A $chname -s 5.102.168.0/21 -p tcp -j REJECT

# ==== 5.102.184 - 5.102.191 -- Six Degrees hosting, UK
$iptloc -t filter -A $chname -s 5.102.184.0/21 -p tcp -j REJECT

# ==== 5.135 -- OVH hosting, BE
$iptloc -t filter -A $chname -s 5.135.0.0/16 -p tcp -j REJECT

# ==== 5.144.176 - 5.144.183 -- AHBR hosting, UK
$iptloc -t filter -A $chname -s 5.144.176.0/21 -p tcp -j REJECT

# ==== 5.148.160 - 5.148.191 -- Nine Internet hosting, CH
$iptloc -t filter -A $chname -s 5.148.160.0/19 -p tcp -j REJECT

# ==== 5.149.192 - 5.149.255 -- Poland / hosting
$iptloc -t filter -A $chname -s 5.149.192.0/18 -p tcp -j REJECT

# ==== 5.152.192 - 5.152.223 -- Redstation hosting UK
# $iptloc -t filter -A $chname -s 5.152.192.0/19 -p tcp -j REJECT

# ==== 5.153.224 - 5.153.255 -- Various EU hosting
# $iptloc -t filter -A $chname -s 5.153.224.0/19 -p tcp -j REJECT

# ==== 5.157.80 - 5.157.87 -- Firstfind hosting, NL
$iptloc -t filter -A $chname -s 5.157.80.0/21 -p tcp -j REJECT

# ==== 5.188.192 - 5.188.223 -- Russia
$iptloc -t filter -A $chname -s 5.188.192.0/19 -p tcp -j REJECT

# ==== 5.189.128 - 5.189.191 -- Contabo hosting
$iptloc -t filter -A $chname -s 5.189.128.0/18 -p tcp -j REJECT

# ==== 5.189.200 - 5.189.207 -- Suspicious hosting
$iptloc -t filter -A $chname -s 5.189.200.0/21 -p tcp -j REJECT

# ==== 5.196 -- OVH hosting
$iptloc -t filter -A $chname -s 5.196.0.0/16 -p tcp -j REJECT

# ==== 5.199.128 - 5.199.143 -- myLoc hosting
$iptloc -t filter -A $chname -s 5.199.128.0/20 -p tcp -j REJECT

# ==== 5.226.128 - 5.226.159 -- Various hosting
$iptloc -t filter -A $chname -s 5.226.128.0/19 -p tcp -j REJECT

# ==== 5.230.96 - 5.230.127 -- GhostNet, DE
$iptloc -t filter -A $chname -s 5.230.96.0/19 -p tcp -j REJECT

# ==== 5.249.128 - 5.249.159 -- Aruba Spaz hosting
$iptloc -t filter -A $chname -s 5.249.128.0/19 -p tcp -j REJECT

# ==== 5.254.64 - 5.254.127 -- Voxility, RO
$iptloc -t filter -A $chname -s 5.254.64.0/18 -p tcp -j REJECT

# ==== 5.255.192 - 5.255.255 -- Yandex, RU
$iptloc -t filter -A $chname -s 5.255.192.0/18 -p tcp -j REJECT


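As an added example (not from Dr. Klahn's post or any product), a small Python checker for blocklist files in the format above: it pairs each "# ==== range -- description" comment with the rule that follows and flags enabled rules whose CIDR does not cover exactly the stated range, so a typo does not silently block a neighbouring network or leave part of the intended one open. The $iptloc/$chname variables and the first three sample entries are taken from the post; the 203.0.113.0 entry is constructed to show a mismatch.

```python
import ipaddress
import re

# Comment forms seen in the post: "# ==== A - B -- desc", "# ==== 5.9 -- desc", bare "# A - B"; a leading "#" disables a rule.
RANGE_RE = re.compile(r"^#\s*(?:====\s*)?(\d[\d.]*)(?:\s*-\s*(\d[\d.]*))?(?:\s*--\s*(.*))?\s*$")
RULE_RE = re.compile(r"^(#\s*)?\$iptloc\b.*?-s\s+(\S+)")

def pad(prefix, last):
    """Expand a shortened prefix: '5.9' -> '5.9.0.0' (start) or '5.9.255.255' (end)."""
    parts = prefix.split(".")
    return ".".join(parts + ["255" if last else "0"] * (4 - len(parts)))

def check_blocklist(text):
    """Return (line_no, cidr, stated_range, enabled, matches) per rule;
    matches is True only when the CIDR covers exactly the range stated in the comment."""
    results, stated = [], None
    for n, line in enumerate(text.splitlines(), 1):
        m = RANGE_RE.match(line)
        if m:
            first, last, _desc = m.groups()
            stated = (ipaddress.ip_address(pad(first, False)),
                      ipaddress.ip_address(pad(last or first, True)))
            continue
        m = RULE_RE.match(line)
        if m and stated:
            disabled, cidr = m.groups()
            net = ipaddress.ip_network(cidr, strict=False)
            results.append((n, cidr, f"{stated[0]}-{stated[1]}",
                            disabled is None, (net[0], net[-1]) == stated))
            stated = None
    return results

def problems(text):
    """Enabled rules whose CIDR does not match the stated range: fix these before loading."""
    return [r for r in check_blocklist(text) if r[3] and not r[4]]

# Constructed sample in the post's format (first three entries copied from it, last one constructed).
SAMPLE = """\
# ==== 5.1.64 - 5.1.95 -- Meerfarbig, DE
$iptloc -t filter -A $chname -s 5.1.64.0/19 -p tcp -j REJECT
# ==== 5.56.60 - 5.56.63 -- Gigashosting (Spain)
# $iptloc -t filter -A $chname -s 5.56.56.0/21 -p tcp -j REJECT
# ==== 5.79 -- Various EU hosting / Russian
# $iptloc -t filter -A $chname -s 5.79.0.0/16 -p tcp -j REJECT
# 5.79.64 - 5.79.127
$iptloc -t filter -A $chname -s 5.79.64.0/18 -p tcp -j REJECT
# ==== 203.0.113.0 - 203.0.113.127 -- constructed typo, /24 is twice the stated range
$iptloc -t filter -A $chname -s 203.0.113.0/24 -p tcp -j REJECT
"""
```

Note that the post's own 5.56.56.0/21 line is reported as a mismatch but is disabled, so only the constructed /24 shows up in `problems(SAMPLE)`.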
Distinguished Expert 2018
Commented:
Alfredo's answer pretty much answers your question.

You should also have a web proxy of some sort, along with some good endpoint protection. Remember that none of the mechanisms are perfect, plus tactics change all of the time.

Author

Commented:
Can you give me commercially available examples (and perhaps your opinion about...) some of the systems mentioned here:  SPAM filter; web filter; web proxy; antivirus solution; endpoint protection?  (Realize some on this list are repetitive.)
Distinguished Expert 2018
Commented:
What mail system do you have? If 365, Exchange Online Protection is included (which I think isn't good) for spam filtering, but you can also enhance to Advanced Threat Protection.

SPAM filter: Cisco CES, Proofpoint
Web filter/proxy: Blue Coat, Cisco WSA, Untangle
Antivirus: ESET, Symantec, Trend Micro, McAfee
Brian B, EE Topic Advisor, Independent Technology Professional
Commented:
I started using an email filter appliance that used RBL (realtime black hole list) and it took care of 99% of my spam.

Author

Commented:
Masnrock, in answer to your question what kind of mail system...  It is email provided by my cloud provider.  They are hosting the email server.   We access through webmail.  For me personally I have Outlook on my desktop so I can implement it and access the mail that way.  Others either just use web access or may similarly use Outlook if they have it.  So the cloud provider hosts the server, and my group owns the domain.  Does that answer your question?  And does that affect your answer?

Brian B, who is responsible for building the blacklist, my email server provider or the domain owner?
Who makes that email filter appliance you are talking about?
Distinguished Expert 2018
Commented:
Ted, I was using it as a way to see whether you were using O365. However, both spam solutions I have mentioned are cloud offerings.

A lot of solutions use various lists from various sources with reputation information, etc. to determine what should get blocked out. But let's be honest, no product is perfect.
EE Topic Advisor, Independent Technology Professional
Commented:
Thanks for adding those details. So basically you are at the mercy of your provider for some services. They most likely already use a spam filter and possibly a blackhole list, although they probably can't be as aggressive because their customers receive email from everywhere. I would also hope they are already blocking spoofing. Perhaps talk to them about what service they provide. For bigger services like GMAIL or Microsoft, you'll probably have to look the information up online.

Author

Commented:
Thank you all.  It was very helpful.
