| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| public:emai:malware [2023-03-09 09:42] – [Monitoring and filtering agenda] vesely | public:emai:malware [2023-03-09 12:11] – vesely |
|---|
| |
| **The generously opened and heterogeneous nature of the academic and research institution is extremely vulnerable to such kind of threat.** Regular enterprises and other profit-making businesses are usually much more homogenous with much simpler rules and measures against the third parties (no IMAP, no access to emails from non-business devices, strict mobile device management, blocked or limited traffic etc.). | **The generously opened and heterogeneous nature of the academic and research institution is extremely vulnerable to such kind of threat.** Regular enterprises and other profit-making businesses are usually much more homogenous with much simpler rules and measures against the third parties (no IMAP, no access to emails from non-business devices, strict mobile device management, blocked or limited traffic etc.). |
| | <font inherit/inherit;;#f39c12;;inherit>**Both areas**</font> of |
| Both areas of malicious or potentially problematic emails and regular emails are overlapping; it is not easy to distinguish between them sometimes. | <font inherit/inherit;;#c0392b;;inherit>**malicious or potentially problematic emails**</font> and |
| | <font inherit/inherit;;#339933;;inherit>**regular emails**</font> ** <font inherit/inherit;;#f39c12;;inherit>are overlapping</font> **; it is not easy to distinguish between them sometimes. |
| |
| **The most dangerous threats are usually those of the "zero day attack" nature**; they usually take advantage of badly protected or misprotected email servers and domains so they can mimic the regular sender.\\ | **The most dangerous threats are usually those of the "zero day attack" nature**; they usually take advantage of badly protected or misprotected email servers and domains so they can mimic the regular sender.\\ |
| |
| * [[:public:emai:malware#spf_hard_fail|SPF hard fail]] - sending server __is not on the allowed list__ provided by domain's owner and the domain owner asks for message blocking. | * [[:public:emai:malware#spf_hard_fail|SPF hard fail]] - sending server __is not on the allowed list__ provided by domain's owner and the domain owner asks for message blocking. |
| * [[:public:emai:malware#spf_soft_fail|SPF soft fail]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - SPF - soft fail]</font> - sending server is not listed among allowed ones, but the domain owner allow message passing with warning. | * [[:public:emai:malware#spf_soft_fail|SPF soft fail]] - |
| * [[:public:emai:malware#spf_bad_alignment|SPF bad alignment]] - <font inherit/inherit;;#f39c12;;inherit>[Covert sender]</font> - verify the authenticity of the domain sending the email by using two diffrenent header signatures in the message. | <font inherit/inherit;;#f39c12;;inherit>[Suspicious - SPF - soft fail]</font> - sending server is not listed among allowed ones, but the domain owner allow message passing with warning. |
| * [[:public:emai:malware#bad_dmarc|Bad DMARC]] - <font inherit/inherit;;#f39c12;;inherit>[Bad DMARC]</font> - the sender's domain does not have DMARC record and SPF set properly. | * [[:public:emai:malware#spf_bad_alignment|SPF bad alignment]] - |
| * [[:public:emai:malware#bad_dmarc|Bad ARC]] - <font inherit/inherit;;#f39c12;;inherit>[Suspicious - bad ARC]</font> - the sender's email has ARC Seal but it's validation did not succed (e.g. invalid calculated email hash). | <font inherit/inherit;;#f39c12;;inherit>[Covert sender]</font> - verify the authenticity of the domain sending the email by using two diffrenent header signatures in the message. |
| | * [[:public:emai:malware#bad_dmarc|Bad DMARC]] - |
| | <font inherit/inherit;;#f39c12;;inherit>[Bad DMARC]</font> - the sender's domain does not have DMARC record and SPF set properly. |
| | * [[:public:emai:malware#arc|Bad ARC]] - |
| | <font inherit/inherit;;#f39c12;;inherit>[Suspicious - bad ARC]</font> - the sender's email has ARC Seal but it's validation did not succed (e.g. invalid calculated email hash). |
| * [[:public:emai:malware#ip_reputation_database_-_dnsbl|DNSBL listed]] - | * [[:public:emai:malware#ip_reputation_database_-_dnsbl|DNSBL listed]] - |
| <font inherit/inherit;;#f39c12;;inherit>[IP reputation - DNSBL listed]</font> - the sender's IP is listed in SPAM database. | <font inherit/inherit;;#f39c12;;inherit>[IP reputation - DNSBL listed]</font> - the sender's IP is listed in SPAM database. |