Geekzone: technology news, blogs, forums
Email spoofing | Confirm my thoughts please
#275910 16-Sep-2020 14:16
A local business was reportedly "hacked" two weeks ago. The details are sketchy because after talking to them they don't really understand how their email works, they don't really know what happened, what was involved or what was lost. Their IT guy has said there is nothing they can do about it, so they aren't doing anything.

 

I first heard about it last week when another local business came to me saying they had people calling them to say they had received email which their anti-virus had blocked.

 

I took a look at some examples and it was the usual case of the name was changed to their business name (although with a typo most people won't notice) and the reply address was something like <abc@huoyfhsue.df>. Even where they have changed the email address to be blah@domain.com the headers still show random domains.

 

The phone calls eventually stopped but there have been five today so obviously it's started again.

 

They have valid SPF and DKIM records and their website and email are all looking ok. One employee admitted to opening the attachment because they thought it had come from someone they knew, but all their desktops, laptops and mobiles are also clean. 

 

The attachment appears to be an empty .docx file. It's only 172KB, so I put it on an old laptop and it scanned ok with ESET and malwarebytes and opens a blank Word doc.

 

So I'm assuming this is just a case of spammers spoofing their details (however badly) and there is little to nothing we can do about it?

SPF should be set to hard fail to reject email that hasn't come from authorised email servers.

  #2566011 16-Sep-2020 14:48
Will be fallout from the lovely Emotet malware most likely, getting calls regarding similar issues all the time. One client was getting hammered by emails, then they dropped off, but have started again.

  #2566012 16-Sep-2020 14:49
I've always understood a hard fail would mess with any forwarding of genuine emails. It was a while ago so my memory may not be correct.

 

I've just noticed they have no DMARC set up. I see lots of conflicting advice with DMARC so never know whether it's necessary or not.

  #2566014 16-Sep-2020 14:55
SPF may help, assuming receiving servers actually check this. As SPF applies to the envelope address, malware can get around this by randomly selecting an envelope address using a domain with no or more relaxed SPF policies.

 

The domain should also have a DMARC policy to instruct mail servers on how to handle failed SPF and DKIM checks. Again, it won't stop everything as it relies on the recipient checking and enforcing these policies.
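The two points made in this last reply (SPF only covers the envelope address, and DMARC is what ties the result back to the header From domain) are easier to see with a worked check. The script below is an added example, not code from the thread or from any of the posters; the domain example.com, the throwaway domain, the IP addresses and the DNS records are all constructed for illustration. It evaluates a minimal SPF record, then applies DMARC alignment to four constructed messages: a genuine one, the thread's case of a random envelope domain with a forged header From domain, a forged envelope domain, and a display-name-only forgery where the addresses are the spammer's own domain and no DMARC policy applies.

```python
"""Added example (not from the thread): evaluating SPF and DMARC alignment for
constructed messages, to show why a random envelope domain can pass SPF yet
fail DMARC, and why DMARC cannot see display-name-only spoofing."""

# Constructed DNS TXT records for the hypothetical domain example.com and a
# hypothetical throwaway domain. Domain names and IPs are assumptions.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 -all",          # hard fail (-all)
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=r",
    "huoyfhsue.df": "v=spf1 +all",                           # permissive spammer domain
}

def parse_tags(record):
    """Parse 'k=v; k=v' tag lists as used by DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (a real
    implementation consults the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(domain, header_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return domain.lower() == header_domain.lower()
    return org_domain(domain) == org_domain(header_domain)

def spf_check(sender_ip, envelope_domain):
    """Minimal SPF evaluation: ip4: mechanisms and the 'all' qualifier only."""
    record = DNS_TXT.get(envelope_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term[1:] if term[0] in "+-~?" else term
        if mechanism == "all" or (mechanism.startswith("ip4:") and mechanism[4:] == sender_ip):
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"   # no mechanism matched and no 'all' term

def dmarc_evaluate(msg):
    """Return the SPF result, the DMARC result and the disposition a receiver
    that enforces the published policy would apply. msg carries the envelope
    sender, the header From address, the connecting IP and, if present, the
    DKIM verification result with its d= domain."""
    envelope_domain = msg["envelope_from"].rsplit("@", 1)[1]
    header_domain = msg["header_from"].rsplit("@", 1)[1]
    spf = spf_check(msg["sender_ip"], envelope_domain)
    record = DNS_TXT.get("_dmarc." + header_domain)
    if record is None:
        # No DMARC policy for the header From domain: nothing to enforce.
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    tags = parse_tags(record)
    spf_aligned = spf == "pass" and aligned(envelope_domain, header_domain, tags.get("aspf", "r"))
    dkim_aligned = (msg.get("dkim_result") == "pass"
                    and aligned(msg.get("dkim_domain", ""), header_domain, tags.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return {"spf": spf, "dmarc": "pass", "disposition": "none"}
    return {"spf": spf, "dmarc": "fail", "disposition": tags.get("p", "none")}

# Constructed sample messages.
LEGIT = {"sender_ip": "203.0.113.10", "envelope_from": "sales@example.com",
         "header_from": "sales@example.com", "dkim_result": "pass", "dkim_domain": "example.com"}
# Throwaway envelope domain with a permissive SPF, forged header From domain (the thread's case).
DOMAIN_SPOOF = {"sender_ip": "198.51.100.7", "envelope_from": "abc@huoyfhsue.df",
                "header_from": "sales@example.com"}
# Forged envelope domain as well: caught by SPF -all and by DMARC.
ENVELOPE_SPOOF = {"sender_ip": "198.51.100.7", "envelope_from": "sales@example.com",
                  "header_from": "sales@example.com"}
# Only the display name is forged; both addresses are the spammer's own domain.
DISPLAY_NAME_SPOOF = {"sender_ip": "198.51.100.7", "envelope_from": "abc@huoyfhsue.df",
                      "header_from": "abc@huoyfhsue.df"}

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("domain_spoof", DOMAIN_SPOOF),
                      ("envelope_spoof", ENVELOPE_SPOOF), ("display_name_spoof", DISPLAY_NAME_SPOOF)]:
        print(name, dmarc_evaluate(msg))
```

The domain_spoof case is the one that matters for the thread: SPF passes because the spammer's own envelope domain publishes `+all`, and only DMARC alignment against the header From domain turns that into a reject. The display_name_spoof case shows the limit: when the From address is the spammer's own domain and only the display name is the business's, there is no policy for the receiver to apply, so neither SPF nor DMARC on the business's domain will stop it.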