Whether you run a web host or a managed service provider (MSP), email is a major factor when considering what will be supported. Email service is expected of web hosts, and an MSP will find that customers will ask for email support services. For any email service, cybersecurity in the form of spam solutions and email protection from phishing are necessary to protect users from phishing, malware, credential theft, and any other email-based attack.
In 2020 during the pandemic lockdowns, organizations were forced to allow employees to work from home. The at-home workplace is a mainstay for many organizations that soon realized the benefits of remote work. Employees appreciated the remote work so that they could have a better life-work balance. Organizations required fewer employees in the office, which saves on real estate and equipment.
Threat actors work with fear and leveraged the reduced cybersecurity from an at-home workforce and ramped up phishing campaigns. Security researchers reported a huge increase in phishing attacks in 2020, and many organizations fell victim. Employees working from home did not have the enterprise-level cybersecurity necessary to protect business data available on home personal computers, which led to data breaches from simple phishing campaigns.
In a sophisticated attack, the email headers are spoofed, most importantly the sender address. If an email server does not require authentication, any user can send email from the server. Spam servers allow anyone to send email messages, so attackers can use these servers to send messages with a spoofed header. In a spoofed sender message, the sender can be modified to be anyone from any official organization.
If no email security is added to the recipient’s email server, the recipient will receive malicious spoofed messages in their inbox. Some personal email services such as Gmail will detect spoofed sender headers and put it in the spam inbox. Some users still peruse the spam inbox and still fall victim to phishing. So it’s not a perfect solution especially when business data can be stolen on the local device.
It’s probable that many at-home workers mixed their work machine with their personal devices, leaving an organization’s data at risk from a breach. Even with enterprise-level anti-malware installed on work devices, business administrators cannot control data transfers to personal devices. Because the COVID-19 lockdowns were sudden and unexpected, businesses did not have time to implement the right security, including filters to protect from phishing.
We recently held a webinar with Osterman Research demonstrating how to reduce the risk of phishing and ransomeware. Download the guide here.
Or watch the webinar here.
With users working from home, many organizations chose to implement cloud infrastructure to make it easier for users to gain access to important productivity applications. Included with this cloud infrastructure was email servers hosted off-site. Cloud providers offer control over email servers, but many cloud-based email filtering solutions are available.
When implementing email spam filters, a few techniques can be used to stop incoming messages. These settings must be configured by the administrator or the MSP in charge of managing email services. They can be then monitored after implementation to ensure that no false negatives allowed malicious emails to reach the targeted user.
Reputation-based email filters contain a list of blacklisted domains and server IP addresses that immediately block any messages that come from these networks. This technique is similar to the way content filters work by blocking any reported domains known to allow malicious messages.
Another method is content analysis based off message scans. Specific words are generally malicious and can be triggers for filters. Many private email message services use this method, but it’s ineffective on its own. It should be combined with reputation-based filters to ensure that alternative spellings and methods to bypass these filters cannot be used.
Spammers and phishing attackers continue to register new domains to bypass reputation-based filters. To give administrators full control in these situations, the email filtering solution will have ways to blacklist, whitelist, and greylist IP addresses and domains. Blacklisted domains are blocked no matter what is in messages, and whitelisting domains has the opposite effect by allowing messages regardless if the domain is registered as malicious.
Greylist are a hybrid of both a whitelist and a blacklist. The system can build a greylist dynamically based on attacks, but administrators can also build their own greylist. A greylist is a list of blocked IP address and domains that are only filtered for a short amount of time.
Legitimate email servers will receive a failed message and attempt to send it later. As time passes, the domain drops from the greylist, and the message will be successfully sent to the user’s inbox.
In sophisticated email filtering solutions, the system detects malicious messages in real-time. It compares incoming messages with a database of blacklisted IP address where spam and other malicious content is known to come from. Greylisting takes it a step further and detects malicious messages even with the source is from an unknown IP address so that attackers can not use new domains to evade detection.
Greylisting uses a secondary method to determine legitimate email messages. For unknown sources, the recipient email server rejects the email and sends it back to the originating email server instructing it to send the message again. Legitimate email servers detect the message and return it again to the recipient within minutes. The message is then cleared by the recipient’s email filters, and it’s sent to the targeted user.
Short delays should be expected with this email filtering strategy, but it’s a much more secure method than simply allowing messages to pass through from unknown sources. For further tuning, the email administrator can still add the sender to a blacklist or a whitelist to control the messages within a greylist.
No matter the strategy, email filtering is necessary to protect users from phishing. A good solution will allow administrators to configure the way the system will handle messages, but greylisting is one of the most important features to look for. A real-time greylist is essential in an enterprise, especially if the email server is located in the cloud.
Looking for an email spam solution for your organization? Sign up for SpamTitan's Free 14-Day Trial.
