On 28/06/2016 16:13, David Jones wrote:
David Jones wrote on 29/06/16 12:46 AM:

No, technology can help. The IT department sets up the mail client
that the CEO uses when out of the office so that it sends mail using
the company mail server with SSL/TLS and user authentication. Or it
uses the company's ISP's mail server. Or sends domain mail using GMail
for business. There are a number of choices that are as easy for the
CEO to use as any personal email method is, but will restrict email
sent from the company domain to being sent through one of a known set
of mail servers. Then the company's receiving mail server blocks any
mail that pretends to be from a company domain sender address that
was not sent through one of the known valid mail servers. That can be
a local SpamAssassin rule or something run even earlier in the
process.

You are right that social engineering can't be stopped by technology.
The company should have procedures in place that provide the
flexibility that the CEO seems to need but will still prevent the fraud
even in the face of successful social engineering. But there is no
reason the mail setup has to allow spoofed headers From the company
domain.

Am I missing something here:

An email comes in from the CEO of the business - seemingly from the company, and has a Spam score of 7.5


Content analysis details:   (7.5 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 TVD_RCVD_SPACE_BRACKET No description available.
 0.1 HK_RANDOM_FROM         From username looks random
-0.1 CUST_DNSWL_5_ORG_NT    RBL: list.dnswl.org (No Trust)
                            [173.201.193.64 listed in list.dnswl.org]
-0.1 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
                            [173.201.193.64 listed in wl.mailspike.net]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
-0.1 CUST_DNSWL_2_SENDERSC_LOW RBL: score.senderscore.com (Low Trust)
                            [173.201.193.64 listed in score.senderscore.com]
-0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 1.2 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 3.0 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
 1.5 FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
________________________________

Content analysis details:   (13.9 points, 5.5 required)



How many INTERNAL EMAILS will have a score of 7.5???  Or even 3?  Or 1?

In fact, if it came in through the INTERNAL_NETWORK ip range then it wouldn't even be scanned (seen as trusted). So any email coming "from the CEO" that has a SPAM score is definitely dodgy!

How hard can it be to say "if FROM = 'a company address' and a SPAM SCORE EXISTS then treat with rubber gloves".

So ensure all company emails are put through the company email servers and set the INTERNAL_NETWORK parameters.

What's wrong with this?
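As an added example, not part of this thread, here is one way to write the "company From: address but not relayed through our own servers" check as local SpamAssassin rules in local.cf. The domain example.com and the relay range 192.0.2.0/24 are placeholders; the rule names beginning LOCAL_ are invented for this example, while ALL_TRUSTED, SPF_PASS and FREEMAIL_FORGED_REPLYTO are stock SpamAssassin rules.

```conf
# Constructed example for local.cf, not taken from the thread above.
# Assumes: company domain is example.com, and the company MTA plus any
# outbound relays it uses live in 192.0.2.0/24 (an RFC 5737 placeholder).

# Received: hops SpamAssassin is allowed to believe. The stock rule
# ALL_TRUSTED only fires when every hop in the chain is inside this set,
# so mail injected from outside it (a spoofed CEO message) will not match.
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24

# Subrule: a leading __ means it scores nothing on its own and exists
# only to be combined in meta rules below.
header   __LOCAL_FROM_COMPANY  From:addr =~ /\@example\.com$/i

# Company From: address, but the message did not travel only through the
# trusted relays and did not pass SPF either. SPF_PASS covers the case in
# the thread where domain mail is legitimately sent via an ISP relay or a
# hosted provider, provided those senders are listed in the SPF record.
meta     LOCAL_COMPANY_FROM_SPOOF  (__LOCAL_FROM_COMPANY && !ALL_TRUSTED && !SPF_PASS)
describe LOCAL_COMPANY_FROM_SPOOF  Company From: address not sent via known relays or SPF-passing host
score    LOCAL_COMPANY_FROM_SPOOF  5.0

# Escalation mirroring the report quoted above: the same spoof pattern with
# a free-mail Reply-To that differs from the From: address is the classic
# CEO-fraud shape, so push it well past the local threshold.
meta     LOCAL_COMPANY_FROM_SPOOF_REPLYTO (LOCAL_COMPANY_FROM_SPOOF && FREEMAIL_FORGED_REPLYTO)
describe LOCAL_COMPANY_FROM_SPOOF_REPLYTO Spoofed company sender with free-mail Reply-To
score    LOCAL_COMPANY_FROM_SPOOF_REPLYTO 3.0
```

Run `spamassassin --lint` after adding the rules; mail that genuinely originates on the company servers will still carry ALL_TRUSTED and so is unaffected.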

