
Speaker/s name

LoriBeth Blair

Description

Speaker: LoriBeth Blair, Founder, Platonic Ideal

How to ensure the integrity and security of your message stream.

Messages purporting to be from an agency when they are not have been a huge issue in the third quarter of 2021.

Video URL

https://vimeo.com/661638806

Transcript


Andrew Bonar 0:00
If you've got 100 people, that was nice. I've only got 1,000 on my list, should I start testing? Maybe start experimenting now, think about it, but it's gonna be a lot of work. So think about how much time it will be, fair enough. And up next we have a long-term, huge supporter of Email Expert, Inbox Expert, an expert in everything that we do. LB Blair sends, or is responsible for people that send, billions of messages and making sure that they get delivered properly. So yeah, she's up there with the best in terms of deliverability. What she's about to present is going to be full of amazing information. And I'm always very keen to hear the very best, fairly geeky presentations.

LoriBeth Blair 0:49
Good morning, everyone. I hope you're ready to get nerdy about email spoofing this morning. Well, email and traffic spoofing in general; we're going to cover a few different security topics here. So without further ado: don't spoof me, bro.

There are three main types of spoofing that we're going to cover today. There's email spoofing, which is probably what concerns most of you. But you also have to be concerned about IP spoofing, and even DNS spoofing. These are topics we're going to cover from the perspective of trying to make us all better netizens, a little bit safer online, because for some of these attacks the best way to stop them is just being educated about them and knowing to look for them.

So what is email spoofing? Email spoofing is when a malicious actor (and I'll say, definitely don't play the game of taking a shot every time I say the word "malicious", you'll probably end up dead by the end of this presentation) sends a message with forged sender addresses. Now, the forged sender address arises from the fact that in the SMTP protocol there was no authentication really baked in. So it's really easy for some kind of malicious actor to just report that they're sending traffic from any domain they want, from any server they want. There's nothing technologically that stops hackers from spinning up a server on their local computer and sending from absolutely whatever domain they can think of to punch into the From address. Typically, the purpose of a spoofed message is to trick the recipient into thinking that the email is coming from somewhere reputable, somewhere that they should trust. And why would anybody want to do that? Well, there's lots of reasons.

The two most typical are to phish you, to get you to fill out and provide them with information: to phish your credit card information, your identity information that can be used to steal your identity, which I guess is another type of spoofing, identity spoofing. And the other popular one is to try and get you to click a link that sends you to a site full of malware that will then infest your computer with malware, which then allows them to phish your information and do whatever else they want, and probably use your computer to farm Bitcoin or something.

Some interesting statistics on the impact of email spoofing. It's estimated that more than 3 billion spoofed messages are sent per day; that is just a tremendous amount of traffic, and I don't envy the spam filters that have to deal with that. The other thing to be aware of, and the reason you should always be skeptical when going through your inbox, is that more than 90% of cyber attacks start with an email. Email is still a very, very popular vehicle for delivery of malware, phishing, spear phishing, all of that. And I think one particularly interesting thing is that it's estimated that since 2016 the financial impact of phishing and spoofing has been $26 billion. So that's the amount stolen from people. Just one small example: back in 2014, Upsher-Smith Laboratories, and this was probably one of the most notable examples of spear phishing, were scammed out of $39 million in just three weeks when spoofers essentially impersonated their CEO and sent emails to the accounting department saying, hey, I need you to make a wire transfer here, there, everywhere. So clearly, here's the motivation for why anybody would want to spoof: some group made $39 million in three weeks.

So there are some important things you can do as a sender to prevent your domain from being spoofed. And the most important one is to set up your authentication: let the email receiving servers of the world know how to determine what is and is not legitimate traffic coming from your domain. The oldest protocol here is SPF, Sender Policy Framework. It's been around a long time, like over 20 years. And that simply allows you to specify which IP addresses, essentially which email servers, are allowed to send email on behalf of your domain. So it's really helpful for screening out rogue servers out there that might try to use your domain.

The other one that's super important is DKIM, or DomainKeys Identified Mail. It uses public/private key encryption to essentially seal your email, zip up your email, at the sending server, and then allows the receiving server to retrieve the public key from your DNS and validate that the hashes in the email match and that it is in fact signed by your domain, and is therefore in fact a legitimate email from your domain.

And then I would say probably the most important anti-spoofing policy is DMARC. Essentially, it is an authentication standard; it's a policy you deploy to your domain that dictates how SPF and DKIM need to pass in order for it to be considered a legitimate email from your domain. And I'm going to add one other critical note on DMARC. If you're going to set up DMARC, for the love of all that's good, please tie a reporting platform to it and actually monitor the reports on at least a weekly basis.

But if you're sending millions of emails a day, it's not unreasonable to check that daily, or better yet set up some alerting on it so that you know if your compliance percentage deviates by a few percent. Really, I like to see all of my senders at DMARC compliance percentages of like 98, 99%; it should be pretty high. And if it dips below that, you may have a spoofing problem. So you want to dig into that unauthenticated traffic, that traffic that's failing DMARC authentication. I've seen some really interesting examples where you can look at that DMARC information and find out which IP addresses are spoofing your domain, where those IP addresses are hosted, who owns them, and then issue a takedown request and say, hey, you've got some rogue servers over here that are claiming to send email on behalf of my domain, which I do not authorize. Please make it stop.

Now, how do we protect on the receiving side of things? How do we protect ourselves from spoofed emails? I'd say there are two really key components here. Spam filtering, of course, is a huge one, and I'm not going to get into the nitty-gritty details of that because it would be its own presentation. But essentially, they filter out known malicious content, things that match content signatures that are malicious. Or they can filter out known malicious IPs and domains, like we were talking about yesterday, which is another reason why it's important to authenticate your email, because you don't want to end up on the known malicious domains list. If somebody's spoofing your domain and sending out really bad phishing emails, you could end up on one of those lists until you fix the problem. The other super important one is what we're doing right now: user education.

Make sure that your users are skeptical when they're in their inboxes. If you manage email servers for the internal network of your company, you've got to educate the users and make sure they know what to look for. Here are a few life pro tips for everybody, some things to think about when you're being skeptical while looking through your inbox: ignore emails that don't have anything in the sender name. Feel free to delete them without reading, report them as spam, delete them without reading, don't even open them.

Ignore emails that come to you and just have a link in the body of the email; you definitely don't want to click that if you don't know anything about it, if you're not expecting it. If you don't recognize who the sender is, you probably don't want to open that email. And then the other really popular one is for them to send it with your From name. So you definitely want to ignore any email that comes along and says that it came from you, when you're like, I don't remember sending that at 3am or whatever.

So now that we've protected our domains against spoofing, we're going to look at a couple of other types of spoofing. One of them is IP spoofing. The purpose behind IP spoofing is for malicious actors to essentially hide where they're actually located, because, again, known malicious IPs end up on block lists, and these are used in a variety of ways, as we talked about yesterday. They're used not only for screening email traffic, but also for screening web traffic in general; you can use an IP block list to say, well, I don't want any of these known malicious IPs even accessing my web forms and submitting information into there. So without getting too technical on it, with IP spoofing you typically alter the source address of an internet packet (the internet is just a series of tubes through which we push packets of information). Typically spoofers will try to alter those packets and impersonate another computer system, just like somebody could steal your identity and impersonate you to get a credit card or something. The spoofers will steal legitimate server or computer identities and purport to come from there in order to steal information, infect systems with malware, all that good stuff.

What happens typically in these situations is they try to redirect traffic from legitimate sources to their own sources. Essentially, they want to trick computer systems instead of people. This is more about tricking your computer systems and not individual users. They want to trick your computer system into thinking, oh, you can totally trust this traffic, it's from a legitimate source, everything's good, when in fact it's not.

So the most important way to protect yourself against IP spoofing is TLS encryption. For any of you that like to go digging around in Google Postmaster Tools like me, you'll notice that one of the dashboards Google provides shows whether or not your traffic is TLS encrypted. It always should be; it's very important, and mostly ESPs, every ESP I've ever worked with, handle this very well. Encryption just means that the traffic is not transmitted in clear text, and it's protected by a security layer to prevent unauthorized access. Other important things to protect your systems against IP spoofing are firewalls with packet-level filtering that will look at the individual packets and go, that one doesn't quite look right, I'm going to throw that packet out. I'm going to bounce it back, I'm going to put it in the quarantine folder, whatever I think is best to do with it, but I'm not going to accept that packet and I'm not going to send it on to my end user. Antivirus software is also super important, especially keeping it up to date. Keep your virus definitions up to date; this is your yearly reminder, or more, I'll probably give more reminders if I get more chances, but keep your antivirus software up to date. Because this is kind of your last line of defense in the event that some spoofed traffic does get through your system's firewall, through your packet filtering.

Another way, because, as we were talking about, internet security is kind of a never-ending game of Whac-A-Mole: as soon as we come up with ways to secure the internet, the hackers, the spoofers, the malicious actors find a way around that. So another way that they can try to infest the internet is through DNS spoofing, also called DNS cache poisoning. Basically, it's kind of similar to IP spoofing in that it results in users being redirected to malicious websites. It relies on the DNS, or Domain Name System. That is essentially how you look up information on the web: when you type in emailexpert.com, that actually resolves to an IP address that is specified in the DNS for emailexpert, in the zone file. And this is typically achieved by hackers through exploiting flaws in the DNS software, among a couple of other methods, but basically getting the DNS software, instead of directing you to whatever actual IP emailexpert.com specified, to redirect you to a malicious IP instead. And the really insidious thing is that whatever website they direct you to might look like an exact clone of the legitimate website. That's why this one is particularly dangerous, because they can make everything look the same. But when you hit submit, your information is going to their web servers, or, if you click a link to download that calendar invite or something, you're actually getting a virus instead.

So, DNS spoofing tactics that you want to be aware of and look out for, especially if you're a security professional. There's DNS hijacking or redirection, which typically attacks an individual user's computer, or the DNS server, to essentially redirect users to malicious sites. Again, it's like the example I was talking about where you're trying to go to emailexpert.com, and instead of going to their actual server's IP address, you end up at some hacker's server IP address. The other thing is the router DNS hijack, because your internet router, even in your house, has to route you to the correct IP address based on the information in the DNS. So if a hacker gets access to your router, they can say, no, don't go to this IP address, go to that one. And you think you're going to emailexpert.com, when in fact you're headed to some hackerwebsite.com; only, it looks like it's emailexpert.com. That's the dangerous thing. Other things that can happen are what's known as a man-in-the-middle attack, which is where hackers actually intercept live traffic and then say, oh, it was going to destination A, let's send it to destination B instead. And the other one that users can really help protect themselves against are called homograph attacks. A popular example would be, especially any time you're accessing your financial websites, turn your skepticism level up to 11. Because, for example, if you're trying to go to paypal.com, you would want to look out for a website where maybe they changed that L on the end to a capital I, so it would look almost identical to paypal.com, but instead it's sending you to a hacker website to steal your information. Or, for example, instead of .com, they might replace the O with a zero. And especially if they put the domain name in all caps, it's really hard to tell that it's a zero instead of an O, and boom, you're getting phished, you're getting malware, all kinds of bad stuff.

So, number one pro tip: don't leave your routers or servers, especially not the admin users, on the default password. I think we've all heard horror stories of that happening. Educate yourself about what a homograph attack is, and some common examples, so that you don't click on emailexpert dot c-zero-m instead of the actual emailexpert.com. Other important things are end-to-end encryption, which really helps against man-in-the-middle attacks: if the traffic is encrypted, there's not really a way for hackers to intercept it and change that information, or the systems that handle the encryption will at least know that the traffic's been interfered with. And then there's also DNSSEC, which is a way to secure DNS information against DNS hijacking. Basically, it uses public/private key encryption (you're going to hear that a lot), just like DKIM signing does for our email traffic, for DNS information, to make sure that when you're trying to go to emailexpert.com, that's exactly where you land.

And I think that is all that I have for today. So, most important tips: update your antivirus, whether it's your personal computer or the servers you manage for your company, and educate yourself. Be aware of what's going on in the security space, because that's the best way to protect yourself against cyber attacks, and really help us minimize the impact of spoofing. So like I said, let's bring that number down over the next five years, hopefully from $26 billion to something a lot lower. Because if we reduce the financial incentive for hackers to do what they do, hopefully they'll stop, or at least do it a little bit less. Anybody have any questions for me? Let's see here. Yeah, we've got a couple of questions online.

Let's see what we've got. Yeah, I think somebody online pointed out that just having your authentication set up, even if you're not monitoring it like you really should be, just setting it up makes you a less attractive target. Hackers are lazy; they go after the easiest prey that they can find. So just setting up your authentication, your SPF, your DKIM, your DMARC, is going to make you a much less attractive target as a brand for spoofers. So it's always a good step. But I would definitely say, one thing that I saw in my time monitoring millions and millions and billions of messages' worth of DMARC reporting data is that the hackers are getting a little bit more bold, or more desperate, whichever way you want to look at it, because I've seen them actually spoofing people that have DMARC set up on their domain. And that's why it is important to monitor your DMARC reporting information, so you can catch those spoofing attacks before they really have a chance to damage your domain reputation. Anybody else have any questions for me?

Andrew Bonar 23:21
Rather than actually using them, they're saving them too. And I think we need to make the point that it's really, really easy to stop people spoofing those domains. So whilst you need to protect your own brand domains, I would like to, yeah, maybe LB doesn't want to lecture people, but people need a lecture on this. Because I'm as guilty as anyone else, we need to protect those domains that we're just saving for a rainy day. Just stop people using them to spoof mail. Yeah, it's really

LoriBeth Blair 23:49
easy. If you want to reach out to me on LinkedIn, I will give you, or maybe we can publish a little blog on Email Expert, some records that you can publish to those domains that you're not using. For example, you can publish an SPF record that literally says reject every IP that tries to send on behalf of this domain. And that makes it super easy. What you want to do as a sender is make it really easy for mailbox providers like Gmail and Hotmail and Yahoo and AOL to identify what is and is not legitimate traffic, because the fewer processing cycles, the less thought they have to put into that, the more they're going to appreciate it, and they're going to actually give your authenticated traffic a little bit better of a chance of getting through. But definitely, super important, you can configure your DMARC to reject. So any domains that you have parked, as we call it, absolutely set up an SPF record that says just don't send any traffic from this domain, and set up your DMARC record to say reject any traffic that doesn't pass strict SPF authentication, and boom, you're done. Your parked domains are secured. Because the last thing you'd want is, if you're like me and you park domains for business ideas you have on rainy days, and then you come back to it, well, you find out it's been sending a ton of spoofed traffic, and you're already starting off on the back foot. If you actually want to send email from it, well, now you've got to fix the reputation. And especially if it's got a reputation of sending malicious traffic, that's a really hard one to overcome. You're going to be reaching out to Gmail and Hotmail and Yahoo and everywhere to get them to unblock you before you even start.

Andrew Bonar 25:37
Thank you so much, LB. It was a really important presentation. I hope everyone took notes. And yeah, we have time for one question.

LoriBeth Blair 25:51
I definitely do have my favorite. I will say I've got a blog post on my website called "So Someone Told You to Set Up DMARC?" where I cover this, and, full disclosure, I used to work for 250ok, Validity, and I think their DMARC monitoring tool is quite good. It gives you a lot of robust information as far as where the traffic is coming from, who owns the IP address that's sending the traffic, and things like that, which makes it a lot easier for you to reach out to whoever owns those IPs. But there are also lots of good DMARC monitoring tools: there's OnDMARC, there's block apps as a DMARC monitoring tool, Inbox Monster has a monitoring tool, there's plenty. I would definitely say shop around and find the DMARC monitoring tool that best suits your needs. But I'm a big fan of really granular information on the DMARC front.

Andrew Bonar 26:46
Thank you so much, LB. As ever, a great presentation from LB. Up next we have a very old friend of mine personally, and a very old friend to email in general, Dennis Dayman. This session is sponsored by Alfred Knows, a new email hygiene tool that actually has been in development for many years and been used by ESPs behind the scenes but is now publicly available, and that comes from Email Industries. So do check out Alfred Knows, check out Email Industries. Dennis Dayman is a huge name in email; his program
