Groach wrote on 28.6.2016 17:24:
> On 28/06/2016 16:13, David Jones wrote:
>> David Jones wrote on 29/06/16 12:46 AM:
>>
>> No, technology can help. The IT department sets up the mail client
>> that the CEO uses when out of the office so that it sends mail using
>> the company mail server with SSL/TLS and user authentication. Or it
>> uses the company's ISP's mail server. Or send domain mail using GMail
>> for business. There are a number of choices that are as easy for the
>> CEO to use as any personal email method is, but will restrict email
>> sent from the company domain to being sent through one of a known set
>> of mail servers. Then the company's receiving mail server blocks any
>> mail that pretends to be from a company domain sender address that
>> was not sent through one of the known valid mail servers. That can be
>> a local SpamAssassin rule or something run even earlier in the
>> process.
>>
>> You are right that social engineering can't be stopped by technology.
>> The company should have procedures in place that provide the
>> flexibility that CEO seems to need but will still prevent the fraud
>> even in the face of successful social engineering. But there is no
>> reason the mail setup has to allow spoofed headers From the company
>> domain.
>
> Am I missing something here: An email comes in from the CEO of the
> business - seemingly from the company, and has a Spam score of 7.5
>
> Content analysis details:   (7.5 points, 5.5 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 TVD_RCVD_SPACE_BRACKET No description available.
>  0.1 HK_RANDOM_FROM         From username looks random
> -0.1 CUST_DNSWL_5_ORG_NT    RBL: list.dnswl.org (No Trust)
>                             [173.201.193.64 listed in list.dnswl.org]
> -0.1 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
>                             [173.201.193.64 listed in wl.mailspike.net]
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.5000]
>  0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
> -0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust)
>                             [173.201.193.64 listed in score.senderscore.com]
> -0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
>  1.2 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>  3.0 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
>  0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
>  1.5 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
>
> ________________________________
>
> Content analysis details:   (13.9 points, 5.5 required)
>
> How many INTERNAL EMAILS will have a score of 7.5??? Or even 3? Or 1? In
> fact, if it came in through the INTERNAL_NETWORK ip range then it
> wouldn't even be scanned (seen as trusted). So any email coming "from
> the CEO" that has a SPAM score is definitely dodgy! How hard can it be
> to say "if FROM = 'a company address' and a SPAM SCORE EXISTS then treat
> with rubber gloves".
>
> So ensure all company emails are put through the company email servers
> and set the INTERNAL_NETWORK parameters.
>
> What's wrong with this?

Sure, but the case now is that the FROM != 'company address', as this
info is not even shown to the user. What is shown is the CEO name only.
I couldn't even find a setting for this behaviour in my MUA! The FROM
address can be anything, as long as the CEO's real name is there before
the address part.

-- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for ecommerce
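The two checks argued over in this thread (David Jones's "company From address that did not come through a known relay" rule, and the display-name-only spoof Jari describes, where the address behind the CEO's name can be anything), plus the Reply-To pattern behind FREEMAIL_FORGED_REPLYTO in Groach's report, as an added Python pre-filter. This is an editor's example, not code from the thread and not SpamAssassin's own rule; the company domain, executive names, relay IPs, freemail list and sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed placeholders: protected domain and display names, the known relays
# David Jones describes, and freemail domains for the Reply-To check.
COMPANY_DOMAIN = "example.test"
EXECUTIVES = {"jane ceo", "john cfo"}
TRUSTED_RELAYS = {"198.51.100.10", "198.51.100.11"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def _norm(name: str) -> str:
    """Lower-case a display name and strip punctuation so 'Jane.CEO' matches."""
    return " ".join(re.sub(r"[^a-z]+", " ", name.lower()).split())

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def spoof_flags(raw_message: str) -> list[str]:
    """Return the names of the checks a message trips; an empty list is clean."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    # Top-most Received header is the hop our own server recorded.
    hop = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    relay_ip = hop.group(1) if hop else ""
    flags = []
    # 1. MUA shows only the display name: executive name on an outside address.
    if _norm(from_name) in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append("EXEC_NAME_EXTERNAL_ADDR")
    # 2. Company-domain sender that did not arrive via a known relay.
    if from_dom == COMPANY_DOMAIN and relay_ip not in TRUSTED_RELAYS:
        flags.append("COMPANY_FROM_UNKNOWN_RELAY")
    # 3. Freemail Reply-To with a non-freemail From (cf. FREEMAIL_FORGED_REPLYTO).
    if reply_dom in FREEMAIL_DOMAINS and from_dom not in FREEMAIL_DOMAINS:
        flags.append("FREEMAIL_REPLYTO_MISMATCH")
    return flags

# Constructed sample, not real mail: the display name is right, nothing else is.
SPOOFED = ("Received: from mx.random.test (unknown [203.0.113.5]) by mx.example.test\n"
           'From: "Jane CEO" <x7k2q@random.test>\n'
           "Reply-To: jane.ceo.office@gmail.com\n"
           "Subject: Urgent wire transfer\n\nPlease handle this today.\n")

if __name__ == "__main__":
    print(spoof_flags(SPOOFED))  # ['EXEC_NAME_EXTERNAL_ADDR', 'FREEMAIL_REPLYTO_MISMATCH']
```

A mail that passes all three checks still gets the normal SpamAssassin scoring; the point is that a company-domain or executive-named message which trips any of them should be quarantined regardless of its score.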