Phishing continues to be a popular tactic for cybercriminals to infiltrate businesses in an effort to spread ransomware and steal sensitive data. And while the threat landscape continues to evolve, steps can be taken to help mitigate the threat of phishing attacks.
So with that in mind, today I’d like to focus on steps MDaemon administrators can take to prevent phishing emails from reaching their end-user mailboxes.
First, we recommend reviewing the following security settings:
- Preventing unauthorized relaying (delivering email that is neither to nor from a local address)
- Performing reverse lookups to help block emails with spoofed sender addresses
- Configuring trusted hosts & IPs (only add addresses that you trust to these lists)
- Configuring the IP Shield to ensure that email from local domains is sent from authorized IP addresses
- SMTP authentication settings
- DKIM, SPF & DMARC verification settings to protect against spoofing
- Sender blocklist settings
- Blocking connections from untrusted servers using IP screening & host screening
- Using SMTP screening to block connections that exhibit suspicious behavior
- Account hijack detection settings
- Spambot detection
- Location screening to block connections from unauthorized countries
- SSL & TLS for encrypted communications
- Dynamic screening to block password guessing attempts
- Recommended MDaemon AntiVirus settings
- Spam filter settings
The recommended settings for each of the above security features are discussed in this knowledge base article: https://knowledge.mdaemon.com/recommended-security-dynamic-screening-spam-filter-anti-virus-settings
Also, make sure that you have the security features "SPF", "DKIM", and "DMARC" set up for all of your own domains to make it harder for external senders to spoof your local users.
You can review the following knowledge base articles for more information:
- How to enable SPF Verification and create a simple SPF record
- How to enable DKIM signing and configure primary and additional domain records
- How to enable DMARC and configure DMARC records
Email standards allow for anything to be placed into the "From:" header, which is not used to deliver the email message to a recipient. Phishers and other bad actors may try to fool your end users by placing a local address there even though the message is from an external sender.
The following are several methods for identifying email messages from non-local senders, despite email addresses in the "From:" header appearing to be local:
Option 1)
To prevent what one could call "semi-spoofing" (the "MAIL FROM" command contains a non-local email address but the "From" header contains a local address), enable the MDaemon "IP Shield" feature and enable the feature "Check FROM header address against IP Shield."
- Using MDaemon's IP Shield to prevent unauthorized SMTP sessions: https://knowledge.mdaemon.com/using-mdaemon-ip-shield
The IP Shield is used to associate a domain with IP addresses that are authorized to send mail on behalf of that domain.
More information can be found in the MDaemon "Help" file:
Security > Security Manager > Sender Authentication > IP Shield
The IP Shield, located under the Security » Security Settings » Sender Authentication menu, is a list of domain names and matching IP addresses that will be checked during the MAIL FROM command of the SMTP session. An SMTP session claiming to be from someone at one of the listed domains will be honored only if it is coming from one of the associated IP addresses. For example, suppose your domain name is example.com and your local LAN computers use IP addresses in the range from 192.168.0.0 to 192.168.0.255. With this information you can set up the IP Shield to associate the domain name example.com with the IP address range 192.168.0.* (wildcards are allowed). Thus, any time a computer connects to your SMTP server and states "MAIL FROM <someone@example.com>", the SMTP session will continue only if the connecting computer has an IP address within the required range from 192.168.0.0 to 192.168.0.255.
Option 2)
You can also attempt to stop "semi-spoofing" email messages using MDaemon content filter rules. Navigate to the Security | Content Filter menu and create a content filter rule that uses the condition "If EXTERNAL SENDER" to compare the domain names of the email addresses in the "Return-Path", "Sender", and "From" headers to the recipient's domain name to determine whether the email is being sent from another local sender or from an external sender.
You can then enable the content filter action to display a block of text at the top of the message indicating that the message came from an external source and should be treated with extra caution.
You can edit the rule to modify the warning text as needed.
Option 3)
Another way to stop "semi-spoofing" is to create a content filter rule that uses the condition "If RETURN-PATH and FROM HEADER differ" to identify emails where the MAIL FROM command given during the inbound SMTP session contains one email address, but the "From" header inside the email itself contains a different email address.
Option 4)
Examine the multi-line email header "Authentication-Results:" to see what security checks were performed on the email message by your copy of MDaemon and whether or not the email in question passed those checks.
The following is the "Authentication-Results:" header from an email message from Google containing DMARC aggregate reports of emails sent to Gmail from my domain that failed DMARC verification by Gmail:
Authentication-Results: mail.example.com;
spf=pass smtp.mailfrom=noreply-dmarc-support@google.com;
dkim=pass (good signature) header.d=google.com header.b=aZqlFs0q4+;
dmarc=pass header.from=google.com (p=reject sampling=17 pct=100);
iprev=pass policy.iprev=209.85.214.73 (PTR mail-it0-f73.google.com);
iprev=pass policy.iprev=209.85.214.73 (HELO mail-it0-f73.google.com);
iprev=fail policy.iprev=209.85.214.73 reason="does not match" (MAIL noreply-dmarc-support@google.com)
From the above you can see the following:
- The email message passed the SPF verification performed by my copy of MDaemon
- The email message passed the DKIM verification performed by my copy of MDaemon
- The email message passed the DMARC verification performed by my copy of MDaemon
- The email message passed two of the three reverse lookups performed by my copy of MDaemon
In addition to the "Authentication-Results" header examined above, you can review the following email headers to check the identity of the sender and to see whether the email was classified as a spam message:
- "X-Envelope-From" - This message header shows the email address used in the "MAIL FROM" command issued by the sender during the SMTP session. This email address might differ from the email address in the "From" header.
- "X-MDRemoteIP" - This email header contains the IP address of the server sending the email message to MDaemon.
- "Authentication-Results" - This multi-line header contains results from various authentication features (SPF verification, DKIM verification, DMARC verification, PTR lookups, etc.)
- "X-Spam-Processed" - This email header displays the host name of the server, the date/time the message passed through that server, and whether or not the mail message was scanned by the spam filter. This header will span multiple lines.
- "X-Spam-Status" - This email header displays whether the message was flagged by MDaemon's spam filter as spam, what the message’s total spam score is, and what your MDaemon server's spam filter threshold is.
- "X-Spam-Report" - This email header displays the SpamAssassin rules triggered by the email message. This header will span multiple lines.
- "Message-ID" - This email header is created by the email client that generated the message and contains a unique identifier which refers to the current version of this message. Because this value is unique, the Message-ID can be used to track the message through MDaemon's logs.
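As an added illustration (not MDaemon's own code), the following Python script parses the "Authentication-Results" header shown in Option 4 and applies the Option 3 style comparison of the envelope sender ("X-Envelope-From") against the "From" header. The local domain list and both sample messages are constructed assumptions; the first sample reuses the header quoted above.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
LOCAL_DOMAINS = {"example.com"}  # assumption: domains hosted by this MDaemon server
# Constructed messages: LEGIT_MSG reuses the header quoted above; SPOOF_MSG has a local From: with an external envelope sender.
LEGIT_MSG = """\
X-Envelope-From: noreply-dmarc-support@google.com
From: noreply-dmarc-support@google.com
Authentication-Results: mail.example.com;
 spf=pass smtp.mailfrom=noreply-dmarc-support@google.com;
 dkim=pass (good signature) header.d=google.com header.b=aZqlFs0q4+;
 dmarc=pass header.from=google.com (p=reject sampling=17 pct=100);
 iprev=pass policy.iprev=209.85.214.73 (PTR mail-it0-f73.google.com);
 iprev=pass policy.iprev=209.85.214.73 (HELO mail-it0-f73.google.com);
 iprev=fail policy.iprev=209.85.214.73 reason="does not match" (MAIL noreply-dmarc-support@google.com)
"""
SPOOF_MSG = """\
X-Envelope-From: bounce@mailer.invalid
From: "CEO" <ceo@example.com>
Authentication-Results: mail.example.com;
 spf=none smtp.mailfrom=bounce@mailer.invalid; dkim=none;
 dmarc=fail header.from=example.com (p=reject)
"""
def parse_auth_results(value):
    # Returns {method: [(result, remaining properties)]}; iprev may appear several times, so each method maps to a list.
    results = {}
    for stanza in value.split(";")[1:]:  # element 0 is the authserv-id (the checking server)
        m = re.match(r"(\w+)=(\w+)\s*(.*)", stanza.strip())
        if m:
            results.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return results
def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()
def assess(raw):
    # Returns the findings that make a message worth a closer look.
    msg = message_from_string(raw, policy=default)
    findings = []
    from_dom, env_dom = domain_of(msg.get("From", "")), domain_of(msg.get("X-Envelope-From", ""))
    if from_dom in LOCAL_DOMAINS and env_dom != from_dom:  # Option 3 style "semi-spoofing" check
        findings.append(f"From: claims local {from_dom} but envelope sender is {env_dom or 'empty'}")
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        outcome = results.get(method, [("missing", "")])[0][0]
        if outcome != "pass":
            findings.append(f"{method}={outcome}")
    failed = [p for r, p in results.get("iprev", []) if r != "pass"]
    if failed:
        findings.append(f"{len(failed)} of {len(results['iprev'])} reverse lookups failed")
    return findings
```

Run `assess(LEGIT_MSG)` and `assess(SPOOF_MSG)` to compare the Google report message (one failed reverse lookup, everything else passing) with the constructed spoof (local From domain, external envelope sender, no passing checks).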
End users also play a role in defending against phishing attacks
While these steps are primarily for mail server administrators, it's also important to educate end users on how to identify a phishing email. For that, you can review these 10 tips to identify a phishing email.
The Bottom Line
The key takeaway is that preventing phishing emails from reaching your end users involves multiple email security tests to identify any suspicious connection patterns, and to verify the authenticity of the sender, the content of the email message, and the reputation of the sending server. Many of MDaemon's security settings are configured for optimal security by default, but administrators should be familiar with MDaemon's anti-spam and email security settings to ensure optimal protection against phishing threats.