Defense in depth: How phishing emails make it to the inbox

Phishing and spam emails have to defeat a series of barriers to get to the inbox. Are all the defenses in place?


Ever since email has become popular, perhaps the one most effective way bad guys have been exploiting people is with spear phishing attacks. These are the email messages sent to specific individuals, or sometimes a whole group of people, to try and make them click on a link or open a file that contains a virus. From the compromised systems, attackers can do anything the user can, including read keystrokes, record passwords, documents, banking information, and so on. Phishing emails have become such a problem that a number of security procedures have been set in place over the years in order to protect us from these types of attacks. As IT pros, we deal with the aftermath. We handle the users and systems that already were compromised. Here is a look from the other side, showing an inside view as to how these emails are crafted, designed, and sent out, along with some of the barriers that these people have to go over.

There's a misconception in the general public that the only people able to hack into large corporations are uber geeks, dressed in fancy clothing, and paid millions by organized crime in order to carry out their attacks. In most cases, that's just not the case. Most hacks don't happen because some very intelligent hacker figured a way to break an encryption method; instead they happen because someone makes a mistake. It could be that the designer of one of the corporation's many web portals left a bug in, and someone finds it, or more often than not, after the attacker sends thousands of phishing emails, just one person inside the organization takes the wrong decision and opens it. From there, the attacker just gained a foothold inside of the corporate network. People might do it for fun, for an act of hacktavism, or for money, turning the hacked data over to criminal organizations, often for just a few dollars per account stolen.

The barriers to spam and phishing emails

The first challenge for the bad guy is SMTP itself, the protocol used to send emails. In the old days, anyone could run their own mail server in their house and start sending spam emails. Now, most Internet providers are much stricter. Many block you from sending emails by yourself, instead requiring you to use an outside service such as Gmail, Yahoo or Hotmail. These in turn have a lot of filters and automated checks in place to detect and block unwanted emails. Using traditional email clients would not be very effective if you want to send a lot of phishing emails, so what attackers typically do is use a bulk mailing software to defeat some of these protections. Modern tools include all sorts of features that allow them to get their emails through. The first is the ability to stagger sending. By clicking one button, you can have the program send emails all night long with a few seconds pause in between each. They also offer proxy features. By loading a list of proxy addresses, or servers that can work as relays, they can appear to come from various addresses all over the world.

The next set of barriers is aimed at analyzing the received messages and trying to see if they are legit. One big feature of phishing emails is that they appear to come from a legitimate domain, but in fact are not. If the attacker is attempting to make you believe the email is coming from PayPal, then the From address has to have that domain name in it. This is where two technologies come into play: SPF and DKIM. The Sender Policy Framework, or SPF, works at the SMTP level to check if your originating IP is authorized to send emails on behalf of that domain name. Domain owners simply set a TXT record in their DNS that specifies which hosts are allowed to send email from them. Obviously, if someone in Russia is attempting to send email that claims to come from the US PayPal domain name, that should raise a red flag, and it does, thanks to SPF.

DKIM doesn't check IPs, instead it signs message content. The DomainKeys Identified Mail standard is used by many mail servers and adds a header to any email message that goes through that server. Then, other servers that receive this message can query the DNS system for the key to verify the signature. That way a person or organization can take responsibility for messages sent from a particular domain. Of course not all domains use SPF or DKIM, but if they do, they can advertise that fact with a DMARC entry in their DNS. Finally, there's one last way to prevent a bad email from arriving in the first place, and that's with black lists. Spamhaus is perhaps the most well known provider of spam lists. In partnership with many Internet companies out there, they keep track of IP addresses that send spam, and create lists of blocked addresses. That way, a server can quickly check the originating IP, and if it's on the list, then it simply closes the connection, forcing attackers to constantly look for new proxies.

If an attacker is clever enough to bypass these protections, then the only protection left is in the form of spam filters, often installed either on a web server or on local computers as part of an anti-malware solution. Spam traps are used in order to identify phishing emails, which is why crafting the message itself is one of the most critical tasks for bad guys. These traps look at the content itself and try to find out if it's a dangerous message. This can include how old the domain name is, such as if it was registered just a few days ago, then it may be a disposable domain name used for phishing. If there are links, then do the links go to different places than what the text says? That is an old and effective way to mislead users. The From address is also critical, and how many web mail systems can alert you that a message might be spam, if the actual origin is different than what the user sees? Attachments used to be a big attack vector as well, but now modern clients block unsafe attachments, and scan others. HTML is now a standard for email instead of plain text, so care must be taken by email clients to make sure it's valid code, and the content doesn't include red flags like scripts, badly formed tags, frames, and so on.

The fact that there are so many different servers and clients out there, and so many attackers trying to get in, means phishing is unlikely to stop. Typically, getting in isn't the result of finding a new, miraculous way to break one of these protections. Instead, it's a long and tedious process from the bad guys of sending slightly altered messages and seeing if they get through, until they get it just right. After all, the balance is heavily on the side of attackers if they have enough patience. Your protections have to block every bad email, while the attacker only needs to have one get through and be opened up.

By Patrick Lambert

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...