" dkim Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci
LuxSci

Posts Tagged ‘dkim’

Save Yourself From “Yourself”: Stop Spam From Your Own Address

Friday, September 22nd, 2017

I just got junk email … from me!

It is surprisingly common for users to receive Spam email messages that appear to come from their own address (i.e. “joe@domain.com” gets a Spam email addressed so it appears to be from “joe@domain.com”).  We discussed this issue tangentially in a previous posting: Bounce Back & BackScatter Spam – “Who Stole My Email Address”?  However, many users wonder how this is even possible, while others are concerned if their Spam filters are not catching these messages.

Spam from your own email address

How can Spammers use your email address to send Spam?

The way that email works at a fundamental level, there is very little validation performed on the apparent identity of the “Sender” of an email.  Just as you could mail a letter at the post office and write any return address on it, a Spammer can compose and send an email address with any “From” email address and name.  This is in fact extremely easy to do, and Spammers use this facility with almost every message that they send.

Read the rest of this post »

ARC and SMTP MTA-STS: The State of Domain-based Email Authentication – Part 3

Tuesday, September 19th, 2017

We’ll close (for now) our three part series on the state of domain-based authentication for emails by completing the story on technologies being deployed or defined to improve the security of the email ecosystem. In Part 1, we wrote about using Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate the sending mail server. Part 2 described how Domain-based Message Authentication, Reporting and Conformance (DMARC) is used to provide clear guidelines for the treatment of mail that fail SPF and/or DKIM authentication.

Authenticated Received Chain

In this post, we’ll touch on two topics that are mature works in progress in the IETF, the technical standardization organization that has brought us so much of the protocols that govern the internet. The first technology is Authenticated Received Chain (ARC), defined to handle the shortcomings of SPF and DKIM when used with mail forwarders or mailing lists. The second technology is about correcting the lack of security between Message Transfer Agents (MTA), and a solution to enforce strict transport layer security for SMTP message transfer between MTAs.

It’s worth reiterating again that all these technologies are building blocks, and only when used and deployed collectively by the entire ecosystem can we hope to create the barriers needed to thwart fake emails and mail surveillance by malicious actors.

Read the rest of this post »

DMARC: The State of Domain-based Email Authentication – Part 2

Monday, September 11th, 2017

Building a safer email ecosystem with DMARC

In our previous post, we described two techniques for authenticating an email sender:

  • Sender Policy Framework (SPF), IETF RFC 7208, which verifies if the sending MTA is indeed authorized to send mail on behalf of a domain; and
  • DomainKeys Identified Mail (DKIM), IETF RFC 6376, where a domain shows “ownership” of a mail it sends by signing portions of it so that critical aspects cannot be forged by intermediaries.

Like most technologies, these are just individual weapons in the arsenal for fighting phishing and spam. Weapons, like all tools, need to be properly used if they are to be effective. Unfortunately, as we described in the earlier post, both SPF and DKIM are deployed in a manner that reduces their usefulness. With SPF, the validation policy set by the sender is often chosen in a manner that leaves handling authentication failures at the discretion of the recipient. DKIM, on the other hand, does not even have an explicit policy directive set by the sender. Moreover, in a heterogeneous mail environment, some perfectly legitimate MTAs might not be capable of signing messages.

Building a safer email system with DMARC

Thus, receivers in actual deployments tend to “soft fail” any SPF and/or DKIM validation failures as there are reasonable situations when legitimate mail can fail such checks. A common example is forwarded mail (which fails SPF), or mail sent via a mailing list (which fails DKIM). Mail providers consider it better to deliver most mail (even if some are fake or spammy) rather than risk dropping legitimate mail. Thus, neither of these techniques individually or combined provide clear guidance to receivers, and the resulting actions can be inconsistent.

Read the rest of this post »

Self-Addressed Spoofed Email: How to Shut Down Spam

Thursday, May 11th, 2017

Spam messages coming from… your own email? This may sound like a cheesy movie plot, but this form of spam, known as “spoofing,” can have horrifying consequences if they result in compromised security, stolen data, or malware on your company’s machines. Read on to find out how to snuff out spoofing and help everyone avoid these attacks in the future.

Forged Email

Read the rest of this post »

Infographic: Steps to Avoiding Forged Email

Friday, February 12th, 2016


Forged emails are extremely common. Most of the time forged emails are merely a nuisance.However, if you accidentally share information with or click on a link from someone who sent a forged email, the results can devastate your goal or even your site, or if it’s really evil, an entire computer. Here’s some information about how to recognize and stop forged emails.

How to Avoid Forged Email: Forged Email Facts & SPF Significance

Avoiding Forged Email. Significance of SPF

Read the rest of this post »

Email Identity Protection and LuxSci Email Hosting

Monday, March 9th, 2015

We have just completed a long series of articles discussing how attackers forge email messages and what technologies and techniques can be used to counter these attacks.  See: Email Identity and Forged Email.

In this post, we will discuss some best practices when using LuxSci to maximize your protection against forged email messages.

Read the rest of this post »

Stopping Forged Email 3: DMARC to the Rescue

Monday, March 2nd, 2015

We have recently looked at how hackers and spammers can send forged email and then seen how these forged messages can be almost identical to legitimate messages from the purported senders.  In fact, we learned that generally all you can trust in an inbound email message is the internet IP address of the server talking to your inbound email server — as this cannot realistically be forged in any way that would still enable you to receive the message.

In our previous two posts in this series, we examined how SPF and DKIM can be used to help limit forged email messages based on validating if a message was sent by an approved server by looking at the IP address delivering the email message to you and based on digitally signing messages.  We found that while SPF and DKIM can work, they has many significant limitations that cause them to fall or be insufficient to stop forgeries in many cases.

However, SPF and DKIM address the forgery problem in very different and, in many respects, very complementary ways. For this reason, many organizations use both technologies.

If you are using both technologies and you have a good amount of control over where your domain’s messages are coming from, then you can step up your game by using DMARC — Domain-based Message Authentication, Reporting and Conformance. 

Read the rest of this post »

Stopping Forged Email 2: DKIM to the Rescue

Monday, February 23rd, 2015

We have recently looked at how hackers and spammers can send forged email and then seen how these forged messages can be almost identical to legitimate messages from the purported senders.  In fact, we learned that generally all you can trust in an inbound email message is the internet IP address of the server talking to your inbound email server — as this cannot realistically be forged in any way that would still enable you to receive the message.

In our last post in this series, we examined how SPF can be used to help weed out forged email messages based on validating if a message was sent by an approved server by looking at the IP address delivering the email message to you.  We found that while SPF can work, it has many significant limitations that cause it to fall far short of being a panacea.

So — besides looking at the sending server IP address — what else can we do to determine of a message was forged?

It turns out that there is another way — through the use of encryption techniques and digital signatures — to have the sender’s servers transparently “sign” a message in a way that you can verify upon receipt.  This is called DKIM.

DKIM – Domain Keys Identified Mail: A Simple Explanation

DKIM stands for “Domain Keys Identified Mail” … or, re-writing this more verbosely, “Domain-wide validation Mail Identity through use of cryptographic Keys”.  To understand DKIM, we need to back up for a second and look at what we mean by “cryptographic keys” and how that can be used.

Read the rest of this post »

8 Ways to Protect yourself from Forged/Fake Email

Monday, January 26th, 2015

The Internet is rife with fake and forged email.  Typically these are email messages that appear to be from a friend, relative, business acquaintance, or vendor that ask you to do something.  If you trust that the message is really from this person, you are much more likely to take whatever action is requested — often to your detriment.

These are forms of social engineering — the “bad guys” trying to establish a trusted context so that you will give them information or perform actions that you otherwise would not or should not do.

Here we address some of the actions you can take to protect yourself from these attacks as best as possible.  We’ll present these in the order of increasing complexity / technical difficulty.

Read the rest of this post »

Why protecting and validating email identity is a top priority for a secure 2015

Wednesday, January 21st, 2015

The scope and frequency of cyber attacks, data breaches, information disclosures, and the sophistication of the tools used to attack companies and individuals has been increasing at a tremendous rate.

It doesn’t strain our memories to come up with numerous prime examples including the deliberate corporate penetration of Sony (which was “easy”) and of Sands Casino (presumably very hard); or the exposure of super-powerful nation state sponsored attack software Regin that helps enable penetration of specific, complex targets.   Don’t forget as well, the numerous phishing attacks that were propagated in 2014.  And, perhaps just as infamous, the social engineering attacks in which malicious individuals tricked Apple and GoDaddy into revealing sensitive information.

All of these are different attack vectors, with different ultimate purposes, targeting individuals or corporations.  All were successful.  And the actual, complete list would be too large to publish (and would be impossible to know as more than half of data breaches go unnoticed).

Read the rest of this post »