>From: RW <rwmailli...@googlemail.com>
>Sent: Tuesday, June 28, 2016 8:50 AM
>To: users@spamassassin.apache.org
>Subject: Re: Catching well directed spear phishing messages
    
>On Wed, 29 Jun 2016 01:30:55 +1200
>Sidney Markowitz wrote:

>> David Jones wrote on 29/06/16 12:46 AM:
>> > This is pure social engineering that can't be stopped by
>> > technology.  The AP dept has to have proper safeguards and out of
>> > band validation (i.e. phone call to the "Recognized Name").  
>> 
>> No, technology can help. The IT department sets up the mail client
>> that the CEO uses when out of the office so that it sends mail using
>> the company mail server with SSL/TLS and user authentication. Or it
>> uses the company's ISP's mail server. Or send domain mail using GMail
>> for business. There are a number of choices that are as easy for the
>> CEO to use as any personal email method is, but will restrict email
>> sent from the company domain to being sent through one of a known set
>> of mail servers. Then the company's receiving mail server blocks any
>> mail that pretends to be from a company domain sender address that
>> was not sent through one of the known valid mail servers. That can be
>> a local SpamAssassin rule or something run even earlier in the
>> process.
>> 
>> You are right that social engineering can't be stopped by technology.
>> The company should have procedures in place that provide the
>> flexibility that CEO seems to need but will still prevent the fraud
>> even in the face of successful social engineering. But there is no
>> reason the mail setup has to allow spoofed headers From the company
>> domain.

>That won't work in this example because nothing has actually been 
>spoofed.

Exactly.  If I search the Internet for the CEO/CIO/CTO/etc of a company
and send an email from my domain but make the displayed name in
the visible From: be that CEO/CIO/CTO/etc's full name that the recipient
is used to seeing in the mail client, then I have spoofed nothing detectable
in advance by SA or any mail filter technology.  The sender could be anyone
and as long as that sending domain is not on any DBLs and the sending IP
is not on any RBLs (yet), then the email would pass through.

Envelope-from = ena.com
Header From: = ena.com
Visible/Displayed From: = "Recognized Name <recognized.n...@ena.com>"

That email would pass SPF and strict DMARC (p=reject) checking.  If the
recipient just looked at "Recognized Name" and ignored the "ena.com",
then they wire the money and don't think twice about it until they follow
up with the C-level person later, who wouldn't know anything about it.

All it takes is a compromised account on a trusted mail server (happens
all of the time) to provide a conduit for this type of phishing email.  Very
easy to do which is why we are going to see more and more of this.
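The display-name trick described above (an executive's familiar name in front of an address at some other domain, so SPF and DMARC pass) is exactly the case a local receiving-side check can still catch: compare the decoded From: display name against the names staff are used to seeing, and flag it when the actual address is not at the company's own domain. The script below is an added example written for this page, not code from the thread or from SpamAssassin; the company domain `example.com`, the executive names, the sample From: headers and the function names are all constructed assumptions. It also handles two variants of the same idea: RFC 2047 encoded display names, and a display name that itself contains a company-domain address.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed for this example: the receiving company's own domains and the
# executive display names its staff are used to seeing. Not from the thread.
COMPANY_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"Recognized Name", "Jane Q. Executive"}

# Matches an e-mail address hidden inside a display name, capturing its domain.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@([\w.-]+\.\w+)")


def _name_key(name: str) -> tuple:
    """Reduce a display name to (first, last) so 'Executive, Jane',
    'Jane Q. Executive' and 'jane executive' all compare equal."""
    name = str(make_header(decode_header(name)))   # decode RFC 2047 encoded words
    if "," in name:                                 # 'Last, First' ordering
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    tokens = re.sub(r"[^\w\s]", " ", name).lower().split()
    if not tokens:
        return ()
    return (tokens[0], tokens[-1])


def check_from_header(from_value: str,
                      company_domains=COMPANY_DOMAINS,
                      exec_names=EXECUTIVE_NAMES) -> str:
    """Classify a From: header value. Returns one of:
    'internal', 'no-display-name', 'company-address-in-display-name',
    'exec-name-external-domain', 'ok'."""
    display, addr = parseaddr(from_value)
    domain = addr.rpartition("@")[2].lower()
    if domain in company_domains:
        # Mail that really carries the company domain is the job of SPF/DKIM/DMARC
        # plus the "known mail servers only" policy discussed in the thread.
        return "internal"
    if not display:
        return "no-display-name"
    display = str(make_header(decode_header(display)))
    embedded = EMBEDDED_ADDR.search(display)
    if embedded and embedded.group(1).lower() in company_domains:
        # Display name carries a company address while the real address does not.
        return "company-address-in-display-name"
    exec_keys = {_name_key(n) for n in exec_names}
    if _name_key(display) in exec_keys:
        return "exec-name-external-domain"
    return "ok"


# Constructed sample From: headers, not taken from the thread.
SAMPLES = [
    '"Recognized Name" <ceo@example.com>',
    '"Recognized Name" <anyone@attacker.example>',
    '=?UTF-8?B?UmVjb2duaXplZCBOYW1l?= <anyone@attacker.example>',
    '"Executive, Jane" <jane@attacker.example>',
    '"Recognized Name <recognized.name@example.com>" <anyone@attacker.example>',
    'Some Vendor <billing@vendor.example>',
    '<bare@attacker.example>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{check_from_header(sample):32} {sample}")
```

Only the two external-domain verdicts and the embedded-address verdict are worth a score; the `internal` case is deliberately left to the authenticated-sender policy Sidney describes, since a display-name match on a genuine company address is normal mail. The same comparison is what a site would express as the local SpamAssassin rule the thread mentions, keyed to its own executive list.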
