| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| public:emai:malware [2021-09-29 12:54] – [Monitoring and filtering agenda] vesely | public:emai:malware [2021-10-21 13:29] – vesely |
|---|
| ====== Dealing with malware, spam, suspicious content ====== | ====== Dealing with malware, spam, suspicious content ====== |
| |
| [[:public:emai:malware#monitoring_and_filtering_agenda|Skip right to mail filtering agenda paragraph]] | <faicon fa fa-hand-o-right> [[:public:emai:malware#monitoring_and_filtering_agenda|Skip right to mail filtering agenda paragraph]] |
| |
| ---- | ---- |
| * [[:public:emai:malware#spf_soft_fail|SPF soft fail]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - SPF - soft fail]</font> - sending server is not listed among allowed ones, but the domain owner allow message passing with warning. | * [[:public:emai:malware#spf_soft_fail|SPF soft fail]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - SPF - soft fail]</font> - sending server is not listed among allowed ones, but the domain owner allow message passing with warning. |
| * [[:public:emai:malware#spf_bad_alignment|SPF bad alignment]] - <font inherit/inherit;;#f39c12;;inherit>[Covert sender]</font> - verify the authenticity of the domain sending the email by using two diffrenent header signatures in the message. | * [[:public:emai:malware#spf_bad_alignment|SPF bad alignment]] - <font inherit/inherit;;#f39c12;;inherit>[Covert sender]</font> - verify the authenticity of the domain sending the email by using two diffrenent header signatures in the message. |
| * [[:public:emai:malware#bad_dmarc|Bad DMARC]] - | * [[:public:emai:malware#bad_dmarc|Bad DMARC]] - <font inherit/inherit;;#f39c12;;inherit>[Bad DMARC]</font> - the sender's domain does not have DMARC record and SPF set properly. |
| | * [[:public:emai:malware#ip_reputation_database_-_dnsbl|DNSBL listed]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputation - DNSBL listed]</font> - the sender's IP is listed in SPAM database. |
| * [[:public:emai:malware#suspicious_newsletter|Suspicious Newsletter]] - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - it may be found that certain newsletters are suspicious because they may actually be spam under the disguise of newsletters. | * [[:public:emai:malware#suspicious_newsletter|Suspicious Newsletter]] - <font inherit/inherit;;#f39c12;;inherit>[Newsletter]</font> - it may be found that certain newsletters are suspicious because they may actually be spam under the disguise of newsletters. |
| * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs. | * [[:public:emai:malware#ip_reputation|Bad IP reputation]] - <font inherit/inherit;;#f39c12;;inherit>[IP reputaton]</font> - emails from IP addresses with bad reputation may be discarded or quarantined. It may be dangerous to receive emails from such IPs. |
| * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics. | * [[:public:emai:malware#deepheader_analysis|Deepheader analysis]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - header analysis]</font> - Deepheader analysis examines the entire message header for spam characteristics. |
| |
| ===== SPF (Sender Policy Framework) ===== | ===== Possible Spoof ===== |
| | |
| | //Added subject tag: **[IPt:Possible Spoof]** // |
| | |
| | see https://en.wikipedia.org/wiki/Email_spoofing |
| | |
| | Email spoofing is the creation of email messages with a forged sender address. |
| | |
| | ===== SPF ===== |
| | |
| | **SPF - Sender Policy Framework** |
| |
| //see [[https://blog.zensoftware.co.uk/2014/09/02/what-are-spf-sender-policy-framework-records-all-about/|https://blog.zensoftware.co.uk/2014/09/02/what-are-spf-sender-policy-framework-records-all-about/]]// | //see [[https://blog.zensoftware.co.uk/2014/09/02/what-are-spf-sender-policy-framework-records-all-about/|https://blog.zensoftware.co.uk/2014/09/02/what-are-spf-sender-policy-framework-records-all-about/]]// |
| ===== DMARC ===== | ===== DMARC ===== |
| |
| https://www.dmarcanalyzer.com/dmarc/dmarc-record/ | [[https://www.dmarcanalyzer.com/dmarc/dmarc-record/|https://www.dmarcanalyzer.com/dmarc/dmarc-record/]] |
| |
| A DMARC record is the core of a DMARC implementation in which the DMARC record rulesets are defined. This DMARC record informs email receivers if a domain is set up for DMARC. If so, the DMARC record contains the policy which the domain owner wants to use. In essence, a DMARC record a DNS (Domain Name Service) entry. One can start using DMARC by implementing a DMARC DNS record. This DMARC record will be used by email receivers which have adopted DMARC. This will result in keeping track of all the messages which have been sent to your domain taking your DMARC policy into account. | A DMARC record is the core of a DMARC implementation in which the DMARC record rulesets are defined. This DMARC record informs email receivers if a domain is set up for DMARC. If so, the DMARC record contains the policy which the domain owner wants to use. In essence, a DMARC record a DNS (Domain Name Service) entry. One can start using DMARC by implementing a DMARC DNS record. This DMARC record will be used by email receivers which have adopted DMARC. This will result in keeping track of all the messages which have been sent to your domain taking your DMARC policy into account. |
| ==== Bad DMARC ==== | ==== Bad DMARC ==== |
| |
| In case DMARC record exists but there is problem in the setup, it is signalled by the appendage of [Bad DMARC] in the email subject. | In case DMARC record of the sender's domain exists but there is a problem in the DMARC setup, it is signalled by the appendage of [Bad DMARC] in the email subject. |
| |
| In case you get an email with such warning, it may be a good idea to inform the sender about the issue. | In case you get an email with such warning, it may be a good idea to inform the sender about the issue. |
| |
| To check DMARC setup for any domain go to [[https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/|https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/]] | To check DMARC setup for any domain go to [[https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/|https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/]] |
| | |
| | ===== Reputation databases - Blacklists ===== |
| | |
| | ==== IP reputation ==== |
| | |
| | //Added subject tag: **[IP reputation] ** // |
| | |
| | //More problematic IPs are also taged with **[!]** or **[!!]** // |
| | |
| | **Bad IP reputation** - emails from IP addresses with bad reputation may be discarded or quarantined. It is usually dangerous to receive emails from such IPs. |
| | |
| | IP reputation may be checked here: [[https://www.ipqualityscore.com/ip-reputation-check/lookup/|https://www.ipqualityscore.com/ip-reputation-check/lookup/]] |
| | |
| | It is responsibility of the sender to have 'clean' IP address. |
| | |
| | In case there is involved dynamically assigned address from a service provider (like Vodafone, T-mobile, O2, UPC …) the sender's IP address may be somehow compromised just because it was mis-used by a previous user. This is up to IP address user to ask the respective service provider for removal from the bad reputation lists. |
| | |
| | ==== IP reputation database - DNSBL ==== |
| | |
| | //Added subject tag: **[IP reputation - DNSBL listed]** // |
| | |
| | see: [[https://www.dnsbl.info/|https://www.dnsbl.info/]] |
| | |
| | Domain Name System Blacklists, also known as DNSBL's or DNS Blacklists, are spam blocking lists that allow a website administrator to block messages from specific systems that have a history of sending spam. |
| | |
| | DNSBL Information provides a single place where you anyone check that blacklist status of the mail server's IP address on more than 100 DNS based blacklists. |
| | |
| | ==== IP reputation database - SURBL ==== |
| | |
| | //Added subject tag: **[IP reputation - SURBL listed]** // |
| | |
| | see: [[http://www.surbl.org/|http://www.surbl.org/]] |
| | |
| | SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders |
| | |
| | ==== ==== |
| |
| ===== Newsletter ===== | ===== Newsletter ===== |
| **Suspicious links (phishing, spam, malware) are redirected to Click Protection.** URL is rewritten to ''[[https://gw.cerge-ei.cz/xxxxxxxxx|https://gw.cerge-ei.cz/xxxxxxxxx]]..'' (where gw.cerge-ei.cz is the address of our email security gateway) and in case the user clicks on the URL, the link is evaluated by FortiGuard and appropriate action is taken according to risk level (link is blocked or allowed) | **Suspicious links (phishing, spam, malware) are redirected to Click Protection.** URL is rewritten to ''[[https://gw.cerge-ei.cz/xxxxxxxxx|https://gw.cerge-ei.cz/xxxxxxxxx]]..'' (where gw.cerge-ei.cz is the address of our email security gateway) and in case the user clicks on the URL, the link is evaluated by FortiGuard and appropriate action is taken according to risk level (link is blocked or allowed) |
| |
| ===== IP reputation ===== | ===== ===== |
| | |
| //Added subject tag: **[IP reputation] ** // | |
| | |
| //More problematic IPs are also taged with **[!]** or **[!!]** // | |
| | |
| **Bad IP reputation** - emails from IP addresses with bad reputation may be discarded or quarantined. It is usually dangerous to receive emails from such IPs. | |
| | |
| IP reputation may be checked here: [[https://www.ipqualityscore.com/ip-reputation-check/lookup/|https://www.ipqualityscore.com/ip-reputation-check/lookup/]] | |
| | |
| It is responsibility of the sender to have 'clean' IP address. | |
| | |
| In case there is involved dynamically assigned address from a service provider (like Vodafone, T-mobile, O2, UPC …) the sender's IP address may be somehow compromised just because it was mis-used by a previous user. This is up to IP address user to ask the respective service provider for removal from the bad reputation lists. | |
| |
| ===== Image Spam ===== | ===== Image Spam ===== |