Detecting emails spoofing your domain using Outlook Rules…

The concern over targeted emails from sophisticated attackers has only increased since the Aurora attacks, not to mention the latest Google vs. China row and RSA’s compromise. One technique attackers use to make a targeted email look more legitimate is to fake, or spoof, the email’s From address using the recipient’s own domain, so the message is more likely to be opened. The constant message from security about the dangers of email means that opening a spoofed message causes real alarm for the average user, and of course it’s usually only evident after the message has been opened. That is quickly followed by the usual questions: why am I getting this email? Joe said he didn’t send it. It says I sent it! It’s not in my sent items, am I infected? Spoofing email addresses has a long history of being allowed by the SMTP protocol, and many companies currently rely on that “feature” to deliver mail legitimately: think surveys, send-this-link-to-a-friend, web page forms, mailing lists, etc. So it’s not as simple as just blocking everything with an internal domain that comes from the Internet, because it’s not all bad. It’s also made more difficult by how SMTP works: the MAIL FROM (aka SMTP from, RFC 2821, envelope from) is often what is evaluated at the mail gateway/server level, but the user will only see the FROM (aka RFC 2822, message from).

What would help is a way for the average user to see the difference between an externally sent email from your internal domain(s) and an internally sent email from your internal domain(s) BEFORE opening it. I’ve thought of a way to do this with Outlook client rules and would like to share it here. So if your organization, especially a small business or SOHO, is struggling with this, give it a shot and let me know how it goes. (The screenshots below are from Outlook 2007.)

The rule will essentially look for messages with your internal domain(s) in the message From, then look for a specific line that your SMTP gateways put in the Received headers, and if both are found the rule performs some action. If your Internet-facing mail servers relayed the message, it had to come from outside your organization, and hence somebody musta spoofed ya’. I will explain below.

A barebones rule, just to get the idea, will look like this… (just replace @example.com with your own work’s email domain)

Here’s what it does if not obvious…

  1. Search for @example.com in the sender’s FROM address (not MAIL FROM:)
  2. Then look for “Received: from mail1.example.com” in the message headers
    (you can add other servers separated by an OR; yes, the colon and spacing are important!)
  3. Assign the message to the “Spoofed” category. (I made this up; you could also delete the message or move it to a separate folder. Marking the subject unfortunately does not appear to be an option with client rules.)

If you don’t know what “mail1.example.com” is at your workplace, the best thing is to ask your IT mail admin. If that’s you and you are still clueless (we’ve all been there), you can USUALLY get that information from the DNS MX records your company publishes on the Internet. The site http://mxtoolbox.com will let you resolve those records. Just enter your email domain where I have scottfromsecurity.com in the screenshot below. The info under the “hostname” column is what you want to put in your rule; there will most likely be more than one. It is worth confirming against the headers of a real external message too: the name your internal server writes in its Received line is the gateway’s name as the internal server sees it, which may differ from the public MX hostname.

If you want to categorize the suspiciously spoofed message like I did (because deleting or moving it can cause its own problems with lost mail and helpdesk calls), you’ll just need to create an Outlook category and choose a color (red, for example). In the Outlook main window click Actions…Categorize…All Categories…New… and add the text that you want the user to see when they open the email.

This will categorize the message and show a colored bar when it is opened. To make it obvious to the user BEFORE the message is opened, you’ll have to have them modify their current view. The view will then color messages that carry your new “Spoofed” category. In the main Outlook window, with your Inbox selected, go to View…Current View…Customize Current View…then click Automatic Formatting…Add, name the auto formatting rule, and set the font to the desired color by clicking the Font button, as shown. Then click the Condition button…More Choices tab…Categories… and check off the “Spoofed. Please be CAUTIOUS of Web LINKS contained in this email.” category.

Death by Screenshot continues with some pics on the end result of the above configuration.

And here is the opened message showing the red bar with your category message at the top, in case the user does open it, hopefully discouraging them from clicking any links the email may contain before checking with IT.

For the IT professionals, here’s more along the lines of what a fully functional rule would look like, with more than one Internet-facing MTA, giving the message low importance, and with some notable email address exceptions (i.e. the good spoofing).
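To make the logic of the fully functional rule testable outside Outlook, here is an added Python script (not part of the original post, and not Outlook’s rule engine) that applies the same checks to raw messages: internal domain in the header From, an Internet-facing MTA in the Received chain, and an exception list. It also pulls out Return-Path so the envelope MAIL FROM and the header From can be compared side by side. The domain, gateway hostnames, exception addresses and sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample configuration standing in for the post's placeholders.
INTERNAL_DOMAINS = {"example.com"}
INTERNET_FACING_MTAS = {"mail1.example.com", "mail2.example.com"}  # your MX hostnames
EXCEPTIONS = {"survey@example.com", "webforms@example.com"}        # the "good spoofing"


def analyze(raw_message: bytes) -> dict:
    """Apply the rule's logic to one raw message and return what was checked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    # Header From (RFC 2822) is what the user sees; Return-Path carries the envelope
    # MAIL FROM (RFC 2821) that the gateway evaluated. The two need not agree.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    claims_internal = from_addr.rpartition("@")[2] in INTERNAL_DOMAINS

    # Each hop prepends "Received: from <handing-off host> by <this host>", so a
    # gateway name in the chain means the message entered from the Internet.
    # policy.default unfolds the header; split() drops the remaining whitespace.
    via_gateway = False
    for hop in msg.get_all("Received", []):
        parts = str(hop).split()
        if len(parts) > 1 and parts[0].lower() == "from" and parts[1].lower() in INTERNET_FACING_MTAS:
            via_gateway = True
            break

    spoofed = claims_internal and via_gateway and from_addr not in EXCEPTIONS
    return {"from": from_addr, "return_path": return_path,
            "via_gateway": via_gateway, "spoofed": spoofed}


# Constructed sample messages (only the headers matter here).
SPOOFED = b"""Return-Path: <bounce@attacker.invalid>
Received: from mail1.example.com (mail1.example.com [203.0.113.5])
\tby exchange.example.com with ESMTP; Mon, 4 Apr 2011 09:12:01 -0400
Received: from smtp.attacker.invalid ([198.51.100.7])
\tby mail1.example.com with ESMTP; Mon, 4 Apr 2011 09:12:00 -0400
From: "Joe Smith" <joe.smith@example.com>

See the attached report.
"""
INTERNAL = b"""Received: from pc42.example.com ([10.0.0.42])
\tby exchange.example.com with ESMTP; Mon, 4 Apr 2011 09:15:00 -0400
From: "Joe Smith" <joe.smith@example.com>

Noon?
"""
# Same path as SPOOFED, but from an address on the exception list.
SURVEY = SPOOFED.replace(b"joe.smith@example.com", b"survey@example.com")
```

Running `analyze()` over messages saved from a user’s mailbox is a quick way to check that your gateway hostnames actually appear in the Received chain before you hand the rule to everyone.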

Caveats:

  1. This probably won’t work if your external mail relays are also your internal mail relays, i.e. you don’t have MS Exchange or something similar to handle internally sent mail separately. All mail will be shown as spoofed, unless you use separate interfaces and DNS names.
  2. As far as I know, GPOs cannot be used to push out Outlook client rules/configuration; you could potentially export the rule to a .rwz file and have users import it themselves: Tools…Rules and Alerts…Options (upper right)…Export or Import Rules button…navigate to the .rwz file. So deploying the config probably won’t be possible to do automatically; screenshots and a company-wide email will most likely be required for the .rwz file import, as well as for the category and view creation.
  3. Also, this is a client-only rule, as Outlook warns when you go to save it. That simply means if your Outlook client isn’t running, the rule won’t take effect. So on Monday you will need to launch Outlook and let it process your new email to see if it matches the rule.
  4. It will be a Windows user profile specific setup, so it might be something to add to the workstation build process, or for when desktop support delivers the box to the new user, after they log in for the first time.

I’m still in the planning stages of rolling this out at my current contracting position, so as I learn the positive and negatives around this approach I’ll be sure to update this post.

I was also toying with the idea of using different actions such as “run a script” and “custom action”, but they would further complicate what is now pretty simple. Also, my current security monitoring analyst job does not get heavily into administration, so can I leave that up to the Exchange admins out there? If anyone thinks up a better way to do this or anything cool (like marking the subject, so the category and view setup wouldn’t be needed) using a VB script or custom action with a .dll, feel free to leave a comment and share it with the 5 other people who read this blog.

___________________________________________________________________________
PS: Lastly, if all of the above is not appealing, another blogger had a simpler approach involving tagging everyone’s email signature with a consistent text string and then writing a rule to filter on that. That technique identifies the good (whitelist), whereas mine identifies the bad (blacklist); why not try both and see which one works best for you? It also just occurred to me that, with his approach, you might even want to make that text string white so it’s not overly obvious when the recipient sees it. Read about it here… http://www.countryipblocks.net/training/the-cheap-way-to-keep-spoofed-email-out-of-your-inbox/

Good luck in your SPAM fight.
