End-To-End Measurements of Email Spoofing Attacks


Hang Hu, Gang Wang
Virginia Tech

Abstract

Spear phishing has been a persistent threat to users and organizations, and yet email providers still face key challenges to authenticate incoming emails. As a result, attackers can apply spoofing techniques to impersonate a trusted entity to conduct highly deceptive phishing attacks. In this work, we study email spoofing to answer three key questions: (1) How do email providers detect and handle forged emails? (2) Under what conditions can forged emails penetrate the defense to reach user inbox? (3) Once the forged email gets in, how do email providers warn users? Is the warning truly effective?

We answer these questions by conducting an end-to-end measurement on 35 popular email providers and examining user reactions to spoofing through a real-world spoofing/phishing test. Our key findings are threefold. First, we observe that most email providers have the necessary protocols to detect spoofing, but still allow forged emails to reach the user inbox (e.g., Yahoo Mail, iCloud, Gmail). Second, once a forged email gets in, most email providers have no warning for users, particularly for mobile email apps. Some providers (e.g., Gmail Inbox) even have misleading UIs that make the forged email look authentic. Third, a few email providers (9/35) have implemented visual security indicators on unverified emails. Our phishing experiment shows that security indicators have a positive impact on reducing risky user actions, but cannot eliminate the risk. Our study reveals a major miscommunication between email providers and end-users. Improvements at both ends (server-side protocols and UIs) are needed to bridge the gap.

1 Introduction

Despite the recent development of the system and network security, human factors still remain a weak link. As a result, attackers increasingly rely on phishing tactics to breach various target networks [62]. For example, email phishing has been involved in nearly half of the 2000+ reported security breaches in the recent two years, causing a leakage of billions of user records [4].

Email spoofing is a critical step in phishing, where the attacker impersonates a trusted entity to gain the victim's trust. According to the recent report from the Anti-Phishing Working Group (APWG), email spoofing is widely used in spear phishing attacks to target employees of various businesses [2]. Unfortunately, today's email transmission protocol (SMTP) has no built-in mechanism to prevent spoofing [56]. It relies on email providers to implement SMTP extensions such as SPF [40], DKIM [19] and DMARC [50] to authenticate the sender. Since implementing these extensions is voluntary, their adoption rate is far from satisfying. Real-world measurements conducted in 2015 have shown that among Alexa top 1 million domains, 40% have SPF, 1% have DMARC, and even fewer are correctly/strictly configured [23, 27].

The limited server-side protection is likely to put users in a vulnerable position. Since not every sender domain has adopted SPF/DKIM/DMARC, email providers still face key challenges to reliably authenticate all the incoming emails. When an email fails the authentication, it is a "blackbox" process in terms of how email providers handle this email. Would forged emails still be delivered to users? If so, how could users know the email is questionable? Take Gmail for example: Gmail delivers certain forged emails to the inbox and places a security indicator on the sender icon (a red question mark, Figure 6(a)). We are curious about how a broader range of email providers handle forged emails, and how much the security indicators actually help to protect users.

In this paper, we describe our efforts and experience in evaluating the real-world defenses against email spoofing.¹ We answer the above questions through empirical end-to-end spoofing measurements, and a user study. First, we conduct measurements on how popular email providers detect and handle forged emails. The key idea is to treat each email provider as a blackbox and vary the input (forged emails) to monitor the output (the receiver's inbox). Our goal is to understand under what conditions the forged/phishing emails are able to reach the user inbox and what security indicators (if any) are used to warn users. Second, to examine how users react to spoofing emails and the impact of security indicators, we conduct a real-world phishing test in a user study. We have carefully applied "deception" to examine users' natural reactions to the spoofing emails.

¹ Our study has been approved by our local IRB (IRB-17-397).

Measurements. We start by scanning Alexa top 1 million hosts from February 2017 to January 2018. We confirm that the overall adoption rates of SMTP security extensions are still low (SPF 44.9%, DMARC 5.1%). This motivates us to examine how email providers handle incoming emails that failed the authentication.

We conduct end-to-end spoofing experiments on 35 popular email providers used by billions of users. We find that forged emails can penetrate the majority of email providers (34/35) including Gmail, Yahoo Mail and Apple iCloud under proper conditions. Even if the receiver performs all the authentication checks (SPF, DKIM, DMARC), spoofing an unprotected domain or a domain with "relaxed" DMARC policies can help the forged email to reach the inbox. In addition, spoofing an "existing contact" of the victim also helps the attacker to penetrate email providers (e.g., Hotmail).

More surprisingly, while most providers allow forged emails to get in, rarely do they warn users of the unverified sender. Only 9 of 35 providers have implemented some security indicators: 8 providers have security indicators on their web interface (e.g., Gmail) and only 4 providers (e.g., Naver) have the security indicators consistently for the mobile apps. There is no security warning if a user uses a third-party email client such as Microsoft Outlook. Even worse, certain email providers have misleading UI elements which help the attacker to make forged emails look authentic. For example, when attackers spoof an existing contact (or a user from the same provider), 25 out of 35 providers will automatically load the spoofed sender's photo, a name card or the email history along with the forged email. These UI designs are supposed to improve the email usability, but in turn, help the attacker to carry out the deception when the sender address is actually spoofed.

Phishing Experiment. While a handful of email providers have implemented security indicators, the real question is how effective they are. We answer this question using a user study (N = 488) where participants examine spoofed phishing emails with or without security indicators on the interface. This is a real-world phishing test where deception is carefully applied such that users examine the spoofed emails without knowing that the email is part of an experiment (with IRB approval). We debrief the users and obtain their consent after the experiment.

Our result shows that security indicators have a positive impact on reducing risky user actions but cannot eliminate the risk. When a security indicator is not presented (the controlled group), out of all the users that opened the spoofed email, 48.9% of them eventually clicked on the phishing URL in the email. For the other group of users to whom we present the security indicator, the corresponding click-through rate is slightly lower (37.2%). The impact is consistently positive for users of different demographics (age, gender, education level). On the other hand, given the 37.2% click-through rate, we argue that the security indicator cannot eliminate the phishing risk. The server-side security protocols and the user-end security indicators should be both improved to maximize the impact.

Contributions. We have 3 key contributions:

• First, our end-to-end measurement provides new insights into how email providers handle forged emails. We reveal the trade-offs between email availability and security made by different email providers.
• Second, we are the first to empirically analyze the usage of security indicators on spoofed emails. We show that most email providers not only lack the necessary security indicators (particularly on mobile apps), but also have misleading UIs that help the attackers.
• Third, we conduct a real-world phishing test to evaluate the effectiveness of the security indicator. We demonstrate the positive impact (and potential problems) of the security indicator and provide the initial guidelines for improvement.

The quantitative result in this paper provides an end-to-end view on how spoofed emails could penetrate major email providers and go all the way to affect the end users. We hope the results can draw more attention from the community to promoting the adoption of SMTP security extensions. In addition, we also seek to raise the attention of email providers to designing and deploying more effective UI security indicators, particularly for the less protected mobile email apps. We have communicated the results with the Gmail team and offered suggestions to improve the security indicators.

2 Background and Methodology

Today's email system is built upon the SMTP protocol, which was initially designed without security in mind.

[Figure: email transmission from Alex (a.com, sender service) to Bob (b.com, receiver service) through MUA, MSA, MTA and MDA components over HTTP, SMTP, IMAP and POP, in steps 1 to 3.]

authorized to send emails for its domain (RFC 7208 [40]). For example, if a domain "a.com" published its SPF record in the DNS, then the receiving email services can check this record to match the sender IP with the sender email address.
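The receiver-side SPF check described above, extended to the DMARC policy lookup the introduction mentions, as an added example that is not code from the paper. The domains, IP addresses and DNS records are constructed; the evaluator is reduced to the ip4/ip6/all SPF mechanisms and assumes an unsigned message (no DKIM) whose MAIL FROM and From: domains are identical.

```python
import ipaddress

# Constructed DNS TXT records (not from the paper); names and addresses use
# the reserved example/documentation ranges.
DNS_TXT = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject"],
    "relaxed.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.relaxed.example": ["v=DMARC1; p=none"],
    # "unprotected.example" publishes neither record.
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, dns=DNS_TXT):
    """Match sender_ip against the ip4/ip6/all terms of the domain's SPF record.

    Returns pass/fail/softfail/neutral, "none" when no record is published,
    and "permerror" for malformed terms or for anything this reduced
    evaluator does not implement (a, mx, include, exists, ptr, modifiers).
    """
    records = [r for r in dns.get(domain, [])
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # RFC 7208: multiple SPF records are an error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "permerror"
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def dmarc_policy(domain, dns=DNS_TXT):
    """Return the p= value published at _dmarc.<domain>, or None if absent.

    The organizational-domain fallback of real DMARC is left out.
    """
    for record in dns.get("_dmarc." + domain, []):
        tags = dict(
            (k.strip().lower(), v.strip())
            for k, _, v in (part.partition("=") for part in record.split(";"))
            if k.strip()
        )
        if tags.get("v") == "DMARC1" and "p" in tags:
            return tags["p"].lower()
    return None


def receiver_view(from_domain, sender_ip, dns=DNS_TXT):
    """Summarize what the sender domain's records tell the receiver.

    Assumption: no DKIM signature and aligned MAIL FROM / From: domains,
    so the SPF result alone decides whether DMARC passes.
    """
    spf = spf_check(from_domain, sender_ip, dns)
    policy = dmarc_policy(from_domain, dns)
    if spf == "pass":
        action = "authenticated"
    elif policy in ("reject", "quarantine"):
        action = policy  # the domain owner asked for enforcement
    else:
        action = "receiver's discretion"  # the "blackbox" case in the paper
    return {"spf": spf, "dmarc_policy": policy, "action": action}


if __name__ == "__main__":
    unauthorized_ip = "203.0.113.7"  # constructed address outside every record
    for dom in ("strict.example", "relaxed.example", "unprotected.example"):
        print(dom, receiver_view(dom, unauthorized_ip))
```

Only the domain that publishes both a strict SPF record and an enforcing DMARC policy gives the receiver an instruction for the unauthorized sender; for the other two the outcome is left to each provider.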