spamstop app
Email is the main channel for cyber attacks.
Sender address spoofing can be detected by email authentication information.
RealSender’s “spamstop” app shows the results of authenticity checks
directly in the subject of received messages.
This also allows you to continuously check
the correct email settings of your company, customers and partners.
It is an efficient anti-spam solution when combined with a filter
that splits messages according to senders that are NOT in your address book.
Topics in this area:
spf-based email sender check
dkim-based sender and email seal check
at least one of the domains must align with the sending From domain
two SPAM tags added to the subject to highlight fraud
to receive in your inbox only the senders you have previously authorized
to receive email messages only from the senders that you have previously authorized
to protect your email boxes from unwanted senders and dangerous attachments
Subsections of spamstop app
1 - spf check
We want to make sure that the sender address has not been forged/spoofed*.
* = make the message appear from someone other than the actual source
SPF authentication helps us identifying if the message has been sent through an authorized smtp server.
This information is stored in the domain’s dns, that is a safe place, outside the email message.
Only if the message has NOT been authenticated correctly:
the !! (attention) symbol is added to the subject,
one of the following explanatory notes is inserted in the message header, line “X-RealSender”:
:: spf-none :: the sender domain contains no information to authenticate the email
:: spf-softfail :: the smtp server is not listed among the authorized ones but this case should be treated as a "softfail"
:: spf-fail :: the smtp server is not listed among the authorized ones and the email should be rejected or discarded
Sometimes the information recorded at domain level is not correct/understandable.
:: spf-permerror :: a permanent error has occured (eg. badly formatted SPF record)
SPF check is made against the “Mail From” email address, that is hidden in the email headers.
Only the “From” email address is visible. If their root domains are different, this warning is displayed:
:: spf-diff :: the "Mail From" and the "From" root domains are different
Tell me more
2 - dkim check
DKIM (DomainKeys Identified Mail) allows senders to prove that the email was actually sent by them and has not been modified after being sent.
It achieves this by affixing a digital signature (seal), linked to a domain name, to each outgoing email message.
Only if the message has NOT been signed correctly:
the !! (attention) symbol is added to the subject,
one of the following explanatory notes is inserted in the message header, line “X-RealSender”:
:: dkim-none :: no DKIM-Signature headers (valid or invalid) were found
:: dkim-fail :: a valid DKIM-Signature header was found, but the signature does not contain a correct value for the message
Sometimes it’s not possible to execute the check:
:: dkim-invalid :: there is a problem in the signature itself or the public key record. I.e. the signature could not be processed
:: dkim-temperror :: some error was found which is likely transient in nature, such as a temporary inability to retrieve a public key
When the message has been signed using a different domain, a “diff” notice is added:
This warning will NOT appear if the sender passes the SPF check:
:: dkim-diff :: the message has NOT been signed by the sender's domain
Tell me more
3 - dmarc alignment
DMARC (Domain-based Message Authentication, Reporting and Conformance),
is an email authentication standard, developed to combat spoofed domain mail.
In the chapter “3.1. Identifier Alignment” it says:
Email authentication technologies authenticate various (and
disparate) aspects of an individual message. For example, [DKIM]
authenticates the domain that affixed a signature to the message,
while [SPF] can authenticate either the domain that appears in the
RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
HELO domain, or both. These may be different domains, and they are
typically not visible to the end user.
DMARC authenticates use of the RFC5322.From domain by requiring that
it match (be aligned with) an Authenticated Identifier.
-- https://tools.ietf.org/html/rfc7489#section-3.1
It simply means:
when a sender authenticates their email using SPF and/or DKIM,
at least one of the domains must align with the sending From domain
This approach is widely accepted and generally considered
a good practice to identify trusted sender domains.
**RealSender MX Protect checks the dmarc-default "relaxed" alignment:**
-
For SPF authentication
the root domain of the Mail From address must match the root domain of the From address.
Relaxed alignment allows any subdomain to be used and still meet the domain alignment requirement.
-
For DKIM authentication
the root of the dkim signing domain must match the From domain.
Relaxed alignment allows any subdomain to be used and still meet the domain alignment requirement.
**Possible results:**
-
both the rules are respected
the sender domain is fully trusted,
the message arrives unchanged
-
only one of the two rules is met
the ~ (tilde) symbol is added to the subject,
one of the following explanatory notes is inserted in the message header
~ ... subject ...
X-RealSender: ~ | spf=pass (domain NOT aligned) | dkim=pass | ~
~ ... subject ...
X-RealSender: ~ | spf=pass | dkim=pass (domain NOT aligned) | ~
- no alignment at all
the “:: spf-diff ::” and “:: dkim-diff ::” warnings
are displayed in the subject
Tell me more
DMARC is being used by more and more companies to protect their senders from spoofing.
Its use requires proper authentication with SPF or DKIM and alignment of From / Mail-From domains.
For more information:
<dmarc> act on fraudulent email
Messages from senders with the _dmarc record,
if they are NOT authenticated, they are highlighted with two [ SPAM ] tags in the subject:
[ SPAM ] ... message subject ... [ SPAM ]
Messages without the _dmarc record, when both SPF and DKIM authentication fail,
are reported with a [suspicious] tag in the subject:
[suspicious] ... message subject ...
Request a free trial
client side sender filter
RealSender’s “spamstop” app is an efficient anti-spam solution
when combined with a filter that splits messages
according to senders that are NOT in your address book.
Most modern email clients offer this feature.
Here are some configuration examples:
in outlook settings enable: trust email from my contacts
in Thunderbird create a filter with rules 'From isn't in my address book'
Subsections of client side sender filter
Microsoft 365 Outlook
Below is the “Settings” screen in Outlook.
In “Junk email”, check “Trust email from my contacts”.
Press [Save] to record the changes.
Request a free trial
Mozilla Thunderbird
Below is a screenshot of the “Message filter” tool in Thunderbird.
Add conditions with the “Match ALL of the following” option:
- From isn’t in my address book, Personal Address Book
- From isn’t in my address book, Collected Addresses
Perform these actions:
Move Message to: Spam.
Request a free trial
server side sender filter
Not all email clients provide sophisticated ways to filter emails.
In these cases it is possible to act upstream.
The “Authorized senders” feature allows you to receive messages
only from the senders you have previously authorized:
All the regular messages will arrive as usual in your inbox.
All the spam messages will go to a different mailbox.
No emails will be lost.
You may read the discarded messages mailbox once or more a day.
You will save so much precious time.
Request a free trial
security settings
They add an extra layer of security to your emails.
To protect your email inboxes
from unwanted senders and dangerous attachments.
Topics in this area:
security option to accept emails from authorized and authenticated senders only
security option to remove all potentially harmful attachments from emails
Subsections of security settings
authorized senders only
It is useful when you want to receive emails from one sender only,
and all messages that fail the checks must be discarded.
In this case you need to be sure that the sender’s email address has not been spoofed.
This control can be done putting together SPF and DKIM authentication.
SPF confirms the sender’s address and its relationship with the server that sent out the message.
DKIM guarantees that the email (including the attachments) has not been modified since the “signature” was affixed.
In theory it’s that easy, in practice both SPF and DKIM can refer to a different domain than the from address.
We check that SPF authentication and DKIM signature are related to the domain in the from address.
In this way no other than the original sender can authenticate the email. This guarantees its origin.
Request a free trial
remove dangerous attachments
The “remove dangerous attachments” option blocks all potentially harmful attachments
except some safe extensions as pdf, txt, gif, jpg and png.
The recipient receives the message without the attachment.
A warning is added to the beginning of the content, like this:
WARNING: This email violated Your Company's email security policy and
has been modified. For more information, contact your IT Administrator.
An attachment named "example.zip" was removed from this document as it
constituted a security hazard. If you require this document, please contact
the sender and arrange an alternate means of receiving it.
On the internet there is an interesting case study, that ends with this sentence:
“For us, attachment filtering has been very successful”
– web.mit.edu/net-security/Camp/2004/presentations/reillyb-mit2004.ppt (PowerPoint presentation)
Request a free trial