Email Security — Type of Email Attacks

Shahzad Subhani
7 min read · Feb 10, 2022

The purpose of this article is to give a simplified overview of the types of email attacks. It is the second article in my series on Email Security; you can read the first article on Email Security basics.

The following are the main types of email attacks:

  1. Email relaying
  2. Spam (unwanted email, marketing email, newsletters)
  3. Malware (viruses, worms, trojans, spyware, ransomware)
  4. Spoofing (email sent to you from a spoofed domain)
  5. Phishing / spear phishing
  6. Impersonation (someone else sending email on behalf of your domain)
  7. DoS/DDoS (denial of service / distributed denial of service)

Let's talk about each of them briefly.

Email Relaying

Email relay means sending email through an SMTP server. Relaying becomes an attack when an attacker uses your SMTP server to relay email to other domains without your knowledge (an "open relay"). This was a very common attack in the early days of SMTP, with worms and trojans using misconfigured company servers to send their mail. These days most mail servers refuse unauthorized relaying by default, but the configuration still needs to be verified.

Email Relaying Example

Go to mxtoolbox.com and do an MX lookup for any domain, e.g. gmail.com, then click SMTP Test. MXToolbox's servers connect to the listed mail servers and produce a report like the one below. You can try this for any domain, since MX records are public information.

[Screenshot: MXToolbox SMTP check for gmail.com]

Here is what happened in the background. The MXToolbox server connected to Gmail's MX server and tried to hand it a message addressed to a recipient at a different domain (not gmail.com). That RCPT TO was rejected, because Gmail's inbound servers only accept mail for the domains they host. A server that accepted it would be an open relay.

Email Relaying Prevention Tips

To prevent relaying, configure your email server or gateway to accept inbound mail only for your own domains. For outbound mail, allow only authorized IP addresses (or authenticated users) to relay. Also restrict port 25 access to the gateway or mail server to the IP addresses that actually need it.
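The relay decision described above, written out as an added example (not code from this article): a policy function that makes the accept/refuse decision a correctly configured MTA makes at RCPT TO, plus a probe that repeats the MXToolbox test against a server you are authorized to test. The domains, networks and reply texts are constructed for illustration.

```python
"""Open-relay policy and probe.

Added example (not code from the article): the relay decision a correctly
configured MTA makes at RCPT TO, and a live probe that repeats what the
MXToolbox SMTP test does.  The domains, networks and reply texts are
constructed for illustration.
"""
import ipaddress
import smtplib
from dataclasses import dataclass

# Constructed policy: domains we accept mail FOR (inbound), and the internal
# networks allowed to relay OUTBOUND mail through us.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
AUTHORIZED_RELAY_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


@dataclass
class RelayDecision:
    accept: bool
    reply: str  # SMTP reply the client sees in response to RCPT TO


def relay_decision(client_ip: str, rcpt_to: str,
                   authenticated: bool = False) -> RelayDecision:
    """Policy for one RCPT TO command.

    Accept if the recipient is in one of our domains (inbound mail), or if the
    client is an authorized internal address or an authenticated user
    (outbound relay).  Everything else is a relay attempt and is refused.
    """
    rcpt_domain = rcpt_to.strip("<>").rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return RelayDecision(True, "250 2.1.5 Ok")
    client = ipaddress.ip_address(client_ip)
    if authenticated or any(client in net for net in AUTHORIZED_RELAY_NETS):
        return RelayDecision(True, "250 2.1.5 Ok")
    return RelayDecision(False, f"554 5.7.1 <{rcpt_to}>: Relay access denied")


def probe_open_relay(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check against a server you are authorized to test.

    Same sequence as the MXToolbox test: EHLO, MAIL FROM, then RCPT TO an
    address in a domain the server does not host.  Returns True if the server
    accepts the foreign recipient (i.e. it would relay).  The session ends
    before DATA, so no message is actually sent.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.net")
        code, _ = smtp.mail("relay-test@example.net")
        if code != 250:
            return False
        code, _ = smtp.rcpt("relay-test@example.org")  # foreign domain
        return code == 250


if __name__ == "__main__":
    for ip, rcpt in [("203.0.113.5", "bob@example.com"),
                     ("203.0.113.5", "bob@example.org"),
                     ("10.1.2.3", "bob@example.org")]:
        d = relay_decision(ip, rcpt)
        print(f"{ip:>14} RCPT TO:<{rcpt}> -> {d.reply}")
```

In Postfix the same policy is expressed with `mydestination` (domains accepted inbound), `mynetworks` (clients allowed to relay) and `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`; `probe_open_relay` is what you run against your own gateway after changing those settings.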

Email Spam

  • Any kind of promotional, unwanted or marketing email is considered spam. The most common example is pharmaceutical spam.
  • Every organization receives and blocks hundreds of spam emails every day.
  • People use their corporate accounts on third-party sites; those addresses get leaked or stolen and are then used by spammers and newsletter senders.
  • Emails with too many graphics or with shortened URLs are also classified as spam by many email gateways.

Practical Tips to Prevent Email Spam

  • Keep reviewing for false positives, since some legitimate emails are marked as spam too. Such domains or senders can be whitelisted.
  • Block all emails from Google Groups and other mailing lists, as people should not use corporate accounts for mailing lists.

Email Malware/Ransomware

  • This is a very common attack. Typically an executable file is attached, or a malicious link is placed in the email body, and the subject line or keywords entice the user to open or click it.
  • Executable extensions are renamed to .doc, .xls or something else that looks benign.
  • Excel or Word documents are sent with hidden malicious macros inside.

Email Malware/Ransomware Prevention

  • Always block executables. Since executable extensions are sometimes changed to .doc, .xls or something benign-looking, use an email gateway that identifies the true file type of an attachment from its content rather than its name; such gateways can detect and block these emails.
  • If your email gateway supports it, remove macros or any active code from incoming PDF, Word and Excel files. Symantec Messaging Gateway offers this option under its Disarm feature.
  • Emails with URLs can sometimes slip through if the gateway is not able to inspect the URL; most gateways now offer an option to disable (rewrite or neutralise) URLs in the email body. This is a safe option and should be used.
  • A large organization also needs a sandboxing layer to catch zero-day attacks and targeted emails with malicious attachments that signature-based scanning misses.
  • User awareness is very important: users should think twice before clicking a link or opening an attachment, especially in an email they were not expecting.
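The two gateway checks from the list above (true file type and macro detection), as an added example that is not code from this article or from any gateway product. The attachments are constructed in memory: a Windows executable renamed `invoice.doc`, and two minimal docx-like zips, one carrying a `vbaProject.bin` part. The file names, the verdict labels and the `build_ooxml` helper are assumptions made for the demo.

```python
"""Attachment checks a mail gateway performs: identify the true file type from
the content instead of the extension, and detect VBA macros in Office files.

Added example, not the article's code.  The attachments are constructed in
memory so the script runs offline.
"""
import io
import zipfile

# Leading bytes (magic numbers) of the formats this example recognises.
SIGNATURES = [
    (b"MZ", "pe-executable"),                                # .exe/.dll/.scr
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy .doc/.xls
    (b"PK\x03\x04", "zip"),                                 # also .docx/.xlsx
]


def true_type(data: bytes) -> str:
    """Classify content by magic number; zip containers are inspected further."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return _classify_zip(data) if name == "zip" else name
    return "unknown"


def _classify_zip(data: bytes) -> str:
    """Tell OOXML (docx/xlsx/pptx) from a plain zip, and look for the VBA
    project part (vbaProject.bin) that macro-enabled documents carry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip-corrupt"
    if "[Content_Types].xml" not in names:
        return "zip"
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "ooxml-with-macros"
    return "ooxml"


def verdict(filename: str, data: bytes) -> tuple:
    """Gateway decision for one attachment: (action, reason)."""
    kind = true_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind.endswith("executable"):
        return "block", f"executable content ({kind}) named .{ext or '?'}"
    if kind == "ooxml-with-macros":
        return "strip-macros", "OOXML document contains a VBA project"
    if kind == "ole-compound":
        # Legacy binary Office format: macro streams need an OLE parser
        # (e.g. oletools), so hand it to the sandbox instead of guessing.
        return "sandbox", "legacy Office container, macros not inspectable here"
    return "allow", kind


def build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal docx-like zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba project")
    return buf.getvalue()


# Constructed samples: a renamed Windows executable and two documents.
SAMPLES = {
    "invoice.doc": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,   # PE header start
    "report.docm": build_ooxml(with_macros=True),
    "agenda.docx": build_ooxml(with_macros=False),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} -> {verdict(name, data)}")
```

The point of the magic-number step is that renaming `payload.exe` to `invoice.doc` does not change its first two bytes, so the gateway blocks it regardless of the name; the zip step shows why "strip macros" is cheap for OOXML (delete the `vbaProject.bin` part and rewrite the archive) but needs a proper OLE parser for the legacy binary formats.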

Email Spoofing/Phishing

  • A spammer or attacker sends an email that has been manipulated to look as if it came from a trusted source.
  • To put it simply, someone sends you email from baddomain.com, but it appears to you as coming from gooddomain.com.
  • A spoofed email can be used to get the user to click a link, or to pose as an email from the CEO to the CFO asking for an urgent wire transfer. Search for BEC (Business Email Compromise) attacks: they are very common, and many organizations have suffered losses from them.
  • Spoofing is done to hide the real identity of the attacker and is mostly used as part of a phishing attack.
  • Phishing occurs when an attacker sends a fraudulent email disguised as coming from an authorized and trusted source. The intent is to obtain personal or financial information, or to trick the recipient into installing malware on their device.
  • In a typical spoofed message the EHLO name still identifies the attacker's real host, while the From, Reply-To and Return-Path headers are forged; the user's email client displays only the forged From address.

Spear Phishing

  • Spear phishing is a highly targeted phishing attack.
  • Phishing and spear phishing both use email to reach the victim. Spear phishing, however, sends customized emails to a specific person or organization, and the criminal researches the target's interests before sending the email.
  • In some real-world cases an organization or its employees are compromised first, and emails are then sent from that organization to its partner organizations. Because the email comes from a trusted organization, the chance of the recipient clicking a link or opening an attachment is very high.

Email Spoofing Example

  • Below is an email spoofing example. You can see that Gmail did not block it; it did add a question mark next to the sender, but how many people will notice that?
  • For those who want to try it, this message was sent via https://emkei.cz. Search for "online email spoofing" and try a few yourself.

[Screenshot: spoofed email sample]

Email Spoofing/Phishing Prevention Tips

For inbound traffic, configure your email gateway to check the following:

  • Use local/global IP reputation lists to block or defer at connection level.
  • Use DNS validation and reject connections from IP addresses that have no reverse DNS (PTR) record.
  • You can also reject connections where a reverse DNS record exists for the connecting IP, but the 'A' or 'AAAA' record of the resulting name does not point back to the connecting IP address (forward-confirmed reverse DNS).
  • Check whether the HELO/EHLO name is real or fake: reject if the domain given in HELO/EHLO has neither an 'A', nor an 'AAAA', nor an 'MX' record in DNS.
  • Reject messages where the domain in the MAIL FROM address has neither an 'A', nor an 'AAAA', nor an 'MX' record in DNS.
  • Configure spoofing checks for a mismatch between the envelope sender (MAIL FROM, the address used during the SMTP handshake) and the header From address.

Most mailing lists use a different envelope sender and From address, so you will need to add exceptions for them or their mail will be blocked as spoofed.

Caution: DNS checks at handshake level can impact system performance, so you need to find a good balance.
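The inbound checks listed above, and the EHLO / From / Return-Path point made in the spoofing bullets, as one added example that is not code from this article. It runs over a constructed DNS table and constructed SMTP sessions so that it works offline; a real gateway would query the resolver. The domain names, the documentation-range IP addresses, the `Session` fields and the spoofed message are all assumptions made for the demo.

```python
"""Connection- and handshake-level sender checks: IP reputation, reverse DNS
and forward-confirmed rDNS, HELO/EHLO and MAIL FROM domain existence, and
envelope-sender vs header-From mismatch.

Added example, not the article's code.  It runs over a constructed DNS table
and constructed sessions so it works offline; a real gateway would query the
resolver.  IP addresses are from the documentation ranges.
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS data keyed by (name, record type).
DNS = {
    ("mail.gooddomain.com", "A"): ["198.51.100.10"],
    ("gooddomain.com", "MX"): ["mail.gooddomain.com"],
    ("10.100.51.198.in-addr.arpa", "PTR"): ["mail.gooddomain.com"],
    ("lists.example.org", "A"): ["203.0.113.20"],
    ("example.org", "MX"): ["lists.example.org"],
    ("20.113.0.203.in-addr.arpa", "PTR"): ["lists.example.org"],
    # A PTR whose name resolves to a different address (fails forward check).
    ("99.113.0.203.in-addr.arpa", "PTR"): ["mail.gooddomain.com"],
}
BLOCKLIST = {"192.0.2.66"}  # constructed stand-in for a reputation list


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def ptr_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def resolvable(name):
    return any(lookup(name, t) for t in ("A", "AAAA", "MX"))


def domain_of(addr):
    return addr.strip("<>").rsplit("@", 1)[-1].lower()


@dataclass
class Session:
    client_ip: str
    helo: str
    mail_from: str       # envelope sender, becomes the Return-Path header
    header_from: str     # RFC 5322 From: shown by the mail client
    list_exception: bool = False   # whitelisted mailing list


def check_session(s):
    """Return (accept, reasons); each reason corresponds to one gateway rule."""
    if s.client_ip in BLOCKLIST:
        return False, ["client IP on reputation blocklist (rejected at connect)"]
    reasons = []
    ptrs = lookup(ptr_name(s.client_ip), "PTR")
    if not ptrs:
        reasons.append("no reverse DNS record for client IP")
    elif s.client_ip not in lookup(ptrs[0], "A") + lookup(ptrs[0], "AAAA"):
        reasons.append("reverse DNS name does not resolve back to client IP")
    if not resolvable(s.helo):
        reasons.append("HELO/EHLO domain has no A, AAAA or MX record")
    if not resolvable(domain_of(s.mail_from)):
        reasons.append("MAIL FROM domain has no A, AAAA or MX record")
    if domain_of(s.mail_from) != domain_of(s.header_from) and not s.list_exception:
        reasons.append("envelope sender domain differs from header From domain")
    return not reasons, reasons


def session_from_message(raw, client_ip, helo, list_exception=False):
    """Build a Session from a received message: Return-Path carries the
    envelope sender, From is what the user sees."""
    msg = message_from_string(raw)
    return Session(client_ip, helo,
                   parseaddr(msg.get("Return-Path", ""))[1],
                   parseaddr(msg.get("From", ""))[1], list_exception)


# Constructed message: forged From, attacker's real bounce address elsewhere.
SPOOFED_RAW = """Return-Path: <bounce@baddomain.example>
From: "CEO" <ceo@gooddomain.com>
Reply-To: ceo.urgent@baddomain.example
To: cfo@gooddomain.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

LEGIT = Session("198.51.100.10", "mail.gooddomain.com",
                "bounce@gooddomain.com", "ceo@gooddomain.com")
SPOOF = session_from_message(SPOOFED_RAW, "203.0.113.99", "fake-host.invalid")
LISTMAIL = Session("203.0.113.20", "lists.example.org",
                   "bounces@example.org", "alice@gooddomain.com")

if __name__ == "__main__":
    for name, sess in [("legit", LEGIT), ("spoof", SPOOF), ("list", LISTMAIL)]:
        print(name, check_session(sess))
```

The `LISTMAIL` session is the mailing-list case from the paragraph above: everything about the connection is clean, but the envelope sender (`example.org`) differs from the From domain, so it only passes once `list_exception` is set for that sender. Each reason is independent, so in a real deployment you can decide per rule whether to reject, defer or just tag.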

Email Impersonation

  • Email impersonation means that a third party (say abc.com) sends email to someone else (someone.com) while claiming to be your domain (xyz.com).
  • This happens outside your network, so you do not have much direct control over it. There is, however, a way to deal with it.

Email Impersonation Prevention Tips

  • Incoming emails should be checked for SPF and DMARC failures, and failing messages should be blocked or tagged.
  • Impersonation of your domain towards other organizations can be detected and rejected by those organizations if you add trust to your outgoing email.
  • Trust is added to the organization's outgoing email by publishing a combination of SPF, DKIM and DMARC records for your domain.
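How the receiving side uses those records, as an added example that is not code from this article: a minimal SPF evaluator and a DMARC alignment check over a constructed DNS table, showing that abc.com can pass SPF for its own domain and still be rejected when it puts xyz.com in the From header, because xyz.com publishes `p=reject`. Only the ip4/ip6/a/mx/include mechanisms are implemented; DKIM signature verification is out of scope and is represented by the domain a verified signature would yield. The domain names, records and addresses are assumptions made for the demo; use a full library (pyspf, OpenDMARC) in production.

```python
"""Minimal SPF evaluation and DMARC alignment check over a constructed DNS
table, showing how a receiver tells "abc.com sending as xyz.com" from real
xyz.com mail once xyz.com publishes SPF and DMARC.

Added example, not the article's code.  It implements the ip4/ip6/a/mx/include
mechanisms and the +/-/~/? qualifiers only; DKIM signature verification is
out of scope and is represented by the domain a verified signature would
yield.  Use a full library (pyspf, OpenDMARC) in production.
"""
import ipaddress

DNS = {  # constructed records; xyz.com is "our" domain, abc.com the impersonator
    ("xyz.com", "TXT"): ["v=spf1 mx include:_spf.mailprovider.example -all"],
    ("xyz.com", "MX"): ["mx1.xyz.com"],
    ("mx1.xyz.com", "A"): ["198.51.100.10"],
    ("_spf.mailprovider.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("_dmarc.xyz.com", "TXT"): ["v=DMARC1; p=reject; aspf=r; adkim=r"],
    ("abc.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def addresses(name):
    return lookup(name, "A") + lookup(name, "AAAA")


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for sending address `ip`."""
    if depth > 10:
        return "permerror"                    # include loop / too many lookups
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in addresses(arg or domain)
        elif mech == "mx":
            matched = any(ip in addresses(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                # mechanism not supported here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                          # nothing matched and no "all"


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.  Real code
    uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain, from_domain, mode):
    """DMARC identifier alignment: strict (s) needs an exact match, relaxed (r)
    only the same organizational domain."""
    if mode == "s":
        return domain == from_domain
    return org_domain(domain) == org_domain(from_domain)


def check_dmarc(client_ip, mail_from, header_from, dkim_domain=None):
    """Return (result, disposition) for one message.

    `dkim_domain` stands in for the d= of a DKIM signature that verified."""
    from_dom = header_from.rsplit("@", 1)[-1].lower()
    env_dom = mail_from.rsplit("@", 1)[-1].lower()
    txt = [t for t in lookup("_dmarc." + from_dom, "TXT") if t.startswith("v=DMARC1")]
    if not txt:
        return "none", "accept"               # no policy published
    tags = dict(kv.strip().split("=", 1) for kv in txt[0].split(";") if "=" in kv)
    spf_ok = (check_spf(client_ip, env_dom) == "pass"
              and aligned(env_dom, from_dom, tags.get("aspf", "r")))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_dom, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "accept"
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p"), "accept")


if __name__ == "__main__":
    print("real xyz.com mail:", check_dmarc("198.51.100.10", "bounce@xyz.com", "ceo@xyz.com"))
    print("abc.com as xyz.com:", check_dmarc("192.0.2.5", "bounce@abc.com", "ceo@xyz.com"))
```

Note what the second case shows: SPF alone is not enough, because the attacker controls the envelope sender and can make it pass for abc.com. DMARC is what ties the authenticated domain to the From header the user actually sees, which is why the article's "add trust" advice needs all three records, and why `p=none` (monitoring only) gives the receiver nothing to enforce.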

Email DoS/DDoS Attacks

  • In an email DoS attack, attackers send you so much email (or open so many connections) that your email servers cannot handle the load and crash. As a result, you are unable to receive legitimate business email.
  • Such an attack can cause business or reputation loss, especially if the organization conducts its business over email.
  • These attacks are not very common, but the possibility exists.

DoS/DDoS Attacks Prevention Tips

Such attacks can be mitigated by applying the following limits on your MTA:

  • Limit the maximum number of connections handled by your MTA
  • Limit the number of connections per IP address
  • Limit the number of recipients per email
  • Limit the number of messages sent in one session
  • Define a queue size and defer new connections when your inbound queue is full
  • Use local/global IP reputation lists to block or defer connections at connection level
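The six limits above, implemented together as an added example that is not code from this article or from any MTA: a small inbound limiter that makes the accept/defer decision at connect, RCPT TO and end-of-DATA time, plus a `flood` helper that opens many connections from one address so the per-IP limit can be observed. The limit values, client addresses, reputation list and reply texts are constructed for the demo; the reply codes (421 temporary failure, 452 too many recipients, 554 refused) follow common MTA practice.

```python
"""Inbound limits a mail gateway enforces so that a flood of connections or
messages degrades the attacker's sessions rather than the server: total
concurrent connections, connections per client IP, recipients per message,
messages per session, and deferral when the inbound queue is full.

Added example, not the article's code.  Limits, client addresses and the
reputation list are constructed; the reply codes (421 temporary, 452 too
many recipients, 554 refused) follow common MTA practice.
"""
from collections import defaultdict


class Session:
    def __init__(self, ip):
        self.ip = ip
        self.rcpt_count = 0     # recipients in the current message
        self.msg_count = 0      # messages accepted in this session


class InboundLimiter:
    def __init__(self, max_connections=200, per_ip=10, max_rcpt=100,
                 max_msgs_per_session=50, queue_capacity=10000,
                 blocklist=frozenset()):
        self.max_connections = max_connections
        self.per_ip = per_ip
        self.max_rcpt = max_rcpt
        self.max_msgs_per_session = max_msgs_per_session
        self.queue_capacity = queue_capacity
        self.blocklist = set(blocklist)
        self.total = 0
        self.active = defaultdict(int)   # client IP -> open connections
        self.queued = 0                  # messages waiting for delivery

    def connect(self, ip):
        """Decision when a client connects; returns (reply, session or None)."""
        if ip in self.blocklist:
            return "554 5.7.1 Service unavailable; client blocked", None
        if self.total >= self.max_connections:
            return "421 4.3.2 Too many concurrent connections, try later", None
        if self.active[ip] >= self.per_ip:
            return "421 4.7.0 Too many connections from your IP", None
        if self.queued >= self.queue_capacity:
            return "421 4.3.1 Inbound queue full, try later", None
        self.total += 1
        self.active[ip] += 1
        return "220 mail.example.com ESMTP", Session(ip)

    def rcpt(self, session):
        """RCPT TO: cap recipients per message (stops one-message fan-out
        floods and slows address harvesting)."""
        if session.rcpt_count >= self.max_rcpt:
            return "452 4.5.3 Too many recipients"
        session.rcpt_count += 1
        return "250 2.1.5 Ok"

    def end_of_data(self, session):
        """End of DATA: cap messages per session and account for queue space."""
        if session.msg_count >= self.max_msgs_per_session:
            return "421 4.7.0 Too many messages in one session, closing"
        session.msg_count += 1
        session.rcpt_count = 0
        self.queued += 1
        return "250 2.0.0 Queued"

    def disconnect(self, session):
        self.total -= 1
        self.active[session.ip] -= 1

    def delivered(self, n=1):
        """Downstream delivery drained n messages from the queue."""
        self.queued = max(0, self.queued - n)


def flood(limiter, ip, attempts):
    """Open `attempts` connections from one IP without closing them; return
    (accepted, deferred) so the per-IP limit can be observed."""
    accepted = deferred = 0
    for _ in range(attempts):
        _reply, session = limiter.connect(ip)
        if session is None:
            deferred += 1
        else:
            accepted += 1
    return accepted, deferred


if __name__ == "__main__":
    lim = InboundLimiter(max_connections=20, per_ip=5)
    print("flood from one IP:", flood(lim, "203.0.113.9", 50))
```

The per-IP limit is what keeps a single-source flood from consuming the global connection budget; the queue check is what keeps the MTA from accepting more than it can deliver. In Postfix the same knobs are `smtpd_client_connection_count_limit`, `smtpd_client_connection_rate_limit`, `smtpd_recipient_limit` and `smtpd_client_message_rate_limit` (enforced by the anvil service), with `default_process_limit` bounding total concurrent sessions.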

Conclusion

I hope you find this article useful. I have also made a detailed video on this topic; see the Email Attacks video. Please follow if you want to read the third and last article in the series.


Shahzad Subhani

A seasoned, enthusiastic information security professional. Founder of GISPP, a global community platform for Pakistani information security professionals.