Email spoofing, which allows attackers to send emails that appear to come from trusted sources, is a fundamental security issue that has existed since Simple Mail Transfer Protocol (SMTP), the protocol for sending email, was first put into use in the early 1980s. The attack is simple because SMTP does not authenticate the sender: both the envelope sender address and the From header can be set to any value. Today there are three free technical controls (SPF, DKIM, and DMARC) that companies can use to prevent email spoofing from their domain, but not enough domains use them for the controls to be effective across the board. As a result, surprisingly few domains are protected against email spoofing.
“Fortunately, any company can be protected against email spoofing with some simple steps,” said Alex DeFreese, a Security Analyst at Bishop Fox who developed the new tool for checking a company’s susceptibility to email spoofing.
First, safeguard the company's domain by checking its DNS records for SPF and DMARC. Make sure the domain has a properly configured SPF record (one that lists only the company's legitimate sending hosts and ends with a hard fail, -all) and a DMARC record with a policy of quarantine or reject. Then run Spoofcheck to confirm that the domain is sufficiently protected.
“Sometimes there are technical reasons why a domain cannot be protected with DMARC. One of the most common reasons is that the company uses a managed email system that doesn’t support DKIM yet. In this case, implement a strong SPF record and voice your concerns to your email provider,” explained DeFreese.
The steps above stop other people from receiving mail spoofed from the company's domain; protecting the company's own users from spoofed inbound mail is a separate step. The receiving mail server must also be configured to mark emails that fail SPF as spam. SPF was designed to be usable on its own, without DMARC: 40% of the top million domains publish SPF records, and 70% of the top one thousand do. A mail server that enforces SPF even for sending domains that have no DMARC record therefore blocks a large share of spoofing attempts before they reach users.
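An added example, not part of the original press release and not Spoofcheck's own code: a small Python checker that applies the tests described above to a domain's SPF and DMARC records. It follows the advice in the release, treating an enforcing DMARC policy as protection, a hard-fail SPF record alone as an acceptable fallback when DMARC is not possible, and a +all SPF record as fatal even with DMARC, because SPF then passes for any sender. The sample records are constructed for the example; the optional `fetch_records` helper assumes the third-party `dnspython` package and looks up real records, while the evaluation itself runs offline.

```python
"""Assess whether a domain's SPF and DMARC records leave it open to spoofing."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the terminating "all" mechanism and captures its qualifier (+ - ~ ?).
SPF_ALL = re.compile(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", re.I)
# Mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
SPF_LOOKUP = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", re.I)


@dataclass
class SpoofCheckResult:
    spoofable: bool
    findings: List[str]


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; pct=50' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '50'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: Optional[str]) -> Tuple[bool, List[str]]:
    """Return (enforcing, findings). Enforcing means failures are actually blocked."""
    if record is None:
        return False, ["no DMARC record: receivers are never told to reject failures"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["DMARC record does not start with v=DMARC1; receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is p={policy or 'missing'}: failures are reported, not blocked")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"DMARC pct={pct}: only that share of failing mail is acted on")
    sub = tags.get("sp", "").lower()
    if sub and sub not in ("quarantine", "reject"):
        findings.append(f"DMARC subdomain policy sp={sub}: subdomains can still be spoofed")
    return not findings, findings


def evaluate_spf(record: Optional[str]) -> Tuple[bool, List[str]]:
    """Return (hard_fail, findings). hard_fail means unlisted senders get -all."""
    if record is None:
        return False, ["no SPF record: any host may send as this domain"]
    if not record.lower().startswith("v=spf1"):
        return False, ["SPF record does not start with v=spf1; receivers ignore it"]
    findings = []
    match = SPF_ALL.search(record)
    qualifier = (match.group(1) or "+") if match else None
    if qualifier is None:
        findings.append("SPF record has no 'all' mechanism: unlisted senders are neutral")
    elif qualifier == "+":
        findings.append("SPF record ends in +all: every host on the internet passes")
    elif qualifier == "?":
        findings.append("SPF record ends in ?all: unlisted senders are neutral, not failed")
    elif qualifier == "~":
        findings.append("SPF record ends in ~all (softfail): most receivers only tag, not reject")
    lookups = sum(1 for tok in record.split() if SPF_LOOKUP.match(tok))
    lookups += record.lower().count("redirect=")
    if lookups > 10:
        findings.append(f"SPF record needs {lookups} DNS lookups (limit 10): receivers return permerror")
    return not findings, findings


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> SpoofCheckResult:
    """Combine both checks the way a receiver would: DMARC first, then SPF alone as fallback."""
    dmarc_enforcing, findings = evaluate_dmarc(dmarc_record)
    spf_hard_fail, spf_findings = evaluate_spf(spf_record)
    # +all makes SPF pass for everyone, and DMARC accepts an SPF pass, so DMARC cannot help.
    spf_open = any("+all" in f for f in spf_findings)
    spoofable = spf_open or (not dmarc_enforcing and not spf_hard_fail)
    return SpoofCheckResult(spoofable, findings + spf_findings)


def fetch_records(domain: str) -> Tuple[Optional[str], Optional[str]]:
    """Optional live lookup; assumes 'pip install dnspython'. Not used by the offline samples."""
    import dns.exception
    import dns.resolver

    def txt(name: str, prefix: str) -> Optional[str]:
        try:
            for rdata in dns.resolver.resolve(name, "TXT"):
                value = b"".join(rdata.strings).decode("utf-8", "replace")  # join split strings
                if value.lower().startswith(prefix):
                    return value
        except dns.exception.DNSException:
            return None
        return None

    return txt(domain, "v=spf1"), txt("_dmarc." + domain, "v=dmarc1")


# Constructed sample records for illustration; these are not real domains or lookups.
SAMPLE_RECORDS = {
    "protected.example": ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
                          "v=DMARC1; p=reject; rua=mailto:dmarc@protected.example"),
    "monitoring-only.example": ("v=spf1 ip4:192.0.2.0/24 ~all", "v=DMARC1; p=none"),
    "spf-only.example": ("v=spf1 mx -all", None),
    "wide-open.example": ("v=spf1 +all", "v=DMARC1; p=reject"),
    "nothing.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        result = assess(spf, dmarc)
        print(f"{domain}: {'SPOOFABLE' if result.spoofable else 'protected'}")
        for finding in result.findings:
            print("   -", finding)
```

The checker reports a DMARC record with p=none as a finding because that policy only sends reports and blocks nothing; it also flags pct below 100 and a weaker sp= policy, two common ways a domain that "has DMARC" stays spoofable. The lookup count matters because a record over the ten-lookup limit produces a permerror at the receiver, which is as good as no record.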
Most importantly, these protections only work if companies use them. These technical controls might seem simple, but they can go a long way to help companies protect themselves and others from this very real threat.
“It’s 2017, and we’re still vulnerable to an attack from the ’80s,” added DeFreese. “We hope that companies will use our tool to see how vulnerable they are, and will be motivated to strengthen their protections to make email spoofing just another chapter of hacker history.”
About Bishop Fox
Bishop Fox is an independent cybersecurity firm that protects businesses from today’s increasing security threats. Since 2005, the firm has provided assessment and penetration testing and enterprise security consulting services to the world’s leading organizations.
SOURCE Bishop Fox