Jeez! Another SPAM Email

Kamran Saifullah
4 min read · Feb 5, 2021

In today’s cyber world we are heavily dependent on email for our official communications. There are times when we need to use our official domain to log into a partner’s portal, to subscribe to a security news feed, or to sign up for newsletters and marketing material with our official email address. The intention behind this is not wrong; in fact, organizations do it on purpose.

On the other hand, attackers, spammers and hackers are desperately looking for exactly this information. They are actively targeting banks, the corporate sector, the military, healthcare; you name it, it has already been targeted. Public information is misused by adversaries to send SPAM emails, phishing and spear-phishing emails, malware, credential-harvesting pages and so on. There has always been a concern about how we can stay secure against such attacks. The answer is pretty simple: “You need to be more vigilant”. Security companies are building tools to control email spam, though a lot of spam still reaches our inbox.

If we take a look at the Cisco Talos Daily Email Statistics we find that, out of 179 billion emails, 151 billion are marked as SPAM.

The number is huge, and for this reason organizations are implementing strict controls on their email gateways and are even purchasing and deploying SPAM protection software and hardware, but there are still emails which get through.

The first and foremost technique is to check the domain reputation on the available websites and then to block the domain on the perimeter for inbound as well as outbound connections. There are many such websites today, but the ones I have been using every day are listed below.

  1. Virustotal — https://www.virustotal.com/gui/home/url
  2. URL Void — https://www.urlvoid.com/
  3. Talos Intelligence — https://talosintelligence.com/reputation_center
  4. AbuseIPDB — https://www.abuseipdb.com/
  5. Barracuda Lookup — https://www.barracudacentral.org/lookups/lookup-reputation

This technique is very tedious: the SOC team or the IT person responsible for blocking the domain first has to check the domain reputation manually and then get it blocked on the ESG or email gateway.

The second method is to subscribe to RBLs (Real-time Blackhole Lists) and DNSRBLs (DNS-based Real-time Blackhole Lists, usually abbreviated DNSBLs). A large number of organizations maintain such lists of domains and IP addresses that have been reported for sending spam. Most of the products available today, such as the Barracuda Email Security Gateway, allow us to add these lists as an additional lookup to make sure that an email trying to reach the inbox is not listed as malicious or spam. But which list should be used? The answer is pretty simple. We can use the tool below to check a spam domain/IP against a wide set of RBLs and DNSRBLs.

http://multirbl.valli.org/lookup/

Let’s throw in a spam domain, “nimak.cam”, which has been used for sending spam emails, and check in which particular RBLs/DNSRBLs this domain is listed.

We can clearly see that the domain was tested against 55 lists and found to be listed in 7 of them.

Based on these results we now have the insight that the domain is indeed malicious and is being misused, so we can proceed to block it.
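What a lookup tool like the one above does under the hood is a plain DNS query: the IP address is written with its octets reversed (or a domain is used as-is) and prefixed to the list’s zone name, and an answer inside 127.0.0.0/8 means “listed”, while NXDOMAIN means “not listed”. The script below is an added example, not part of the original post or of any of the tools mentioned. The zone names are the real query zones of a few of the lists discussed here (chosen for illustration, not as a recommendation); the DNS answers are constructed so that the example runs offline, and “spam.example” is a made-up domain.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# DNSBL zones used as lookup targets. The zone names are the publicly
# documented query zones of these lists; the selection is illustrative only.
IP_ZONES: List[str] = [
    "zen.spamhaus.org",        # Spamhaus SBL+XBL+PBL combined
    "bl.spamcop.net",          # SpamCop
    "psbl.surriel.com",        # PSBL
    "b.barracudacentral.org",  # Barracuda Reputation Block List
]
DOMAIN_ZONES: List[str] = [
    "dbl.spamhaus.org",        # Spamhaus Domain Block List
]

Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Real A-record lookup via the system resolver.
    NXDOMAIN (or any resolver failure) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def ip_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets (IPv4) or reversed nibbles
    (IPv6) prepended to the zone, e.g. 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def domain_query_name(domain: str, zone: str) -> str:
    """Domain lists are queried with the bare, lower-cased domain prepended to the zone."""
    return f"{domain.strip().rstrip('.').lower()}.{zone}"


def is_listing(answer: str) -> bool:
    """A DNSBL reports a hit by answering with an address in 127.0.0.0/8.
    Spamhaus uses 127.255.255.0/24 for error codes (query sent through a
    public resolver, query limit exceeded); those, and anything outside
    127.0.0.0/8, must not be counted as a listing."""
    try:
        a = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return (a in ipaddress.ip_network("127.0.0.0/8")
            and a not in ipaddress.ip_network("127.255.255.0/24"))


def check_ip(ip: str, zones: List[str] = IP_ZONES,
             resolve: Resolver = live_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists the IP."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(ip_query_name(ip, zone))
        if answer is not None and is_listing(answer):
            hits[zone] = answer
    return hits


def check_domain(domain: str, zones: List[str] = DOMAIN_ZONES,
                 resolve: Resolver = live_resolver) -> Dict[str, str]:
    """Return {zone: answer} for every domain list that lists the domain."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(domain_query_name(domain, zone))
        if answer is not None and is_listing(answer):
            hits[zone] = answer
    return hits


# Constructed answers so the example runs offline. 127.0.0.2 is the standard
# DNSBL test entry (RFC 5782): every list should report it as listed, and
# 127.0.0.1 should never be listed. "spam.example" is a made-up domain.
CONSTRUCTED_ANSWERS: Dict[str, str] = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "2.0.0.127.psbl.surriel.com": "127.0.0.2",
    "2.0.0.127.b.barracudacentral.org": "127.0.0.2",
    "spam.example.dbl.spamhaus.org": "127.0.1.2",
    # An error code from the list, not a listing: must be ignored.
    "1.0.0.127.zen.spamhaus.org": "127.255.255.254",
}


def offline_resolver(name: str) -> Optional[str]:
    """Stand-in for live_resolver that answers from CONSTRUCTED_ANSWERS."""
    return CONSTRUCTED_ANSWERS.get(name)


def report(target: str, hits: Dict[str, str], total: int) -> str:
    """One-line summary in the same style as the multirbl result page."""
    return f"{target}: listed in {len(hits)} of {total} lists -> {sorted(hits)}"


if __name__ == "__main__":
    for ip in ("127.0.0.2", "127.0.0.1"):
        print(report(ip, check_ip(ip, resolve=offline_resolver), len(IP_ZONES)))
    dom = "spam.example"
    print(report(dom, check_domain(dom, resolve=offline_resolver), len(DOMAIN_ZONES)))
    # For a live check, drop resolve=offline_resolver to use the system resolver.
```

Two practical caveats when running this live: query the lists from your own resolver, because Spamhaus refuses free-tier queries that arrive through large public resolvers and answers with an error code instead of a listing (which is exactly why the code refuses to count 127.255.255.0/24 as a hit); and treat the answer value, not just its presence, as data, since lists such as ZEN encode which sub-list matched in the last octet.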

There will be times when you will not find a domain in the RBLs, and then you will have to fall back on the first approach. After running tests with this tool for a while, though, you will notice that a few of the RBLs consistently deliver good results; note those down and add them to your organization’s tools.

For example, in the Barracuda Email Security Gateway go to BLOCK/ACCEPT and then IP Reputation.

Scrolling down you will find an option to add Custom External RBLs, along with the action to be taken if the domain/email is blacklisted.

The Barracuda ESG stores all blocked emails, and those can be reviewed later to find anomalies.

Recommended RBLs are as below.

  1. https://www.spamhaus.org/
  2. https://www.spamcop.net/
  3. https://psbl.org/
  4. https://www.lashback.com/
  5. https://www.barracudacentral.org/
  6. https://www.invaluement.com/

These will block most of the SPAM, but legitimate email can be blocked as well. So you might need to experiment with these RBLs and choose the ones that best fit your environment!

Kamran Saifullah

Malware/RE/Firmware Analysis, App Sec/Off Sec, VAPT, Phishing Simulations/SE | Risk Management, IS Governance, Audits, ISO 27001 LI