How to recognize Spam & Phishing?

You’ve got mail – that’s good. But who was sending you? And is the person, you receive mail from is really the person he pretends to be? And if he was, has the content been changed during transmission? There’s so many Phishing warnings out there and we are not secure anymore, right?

E-Mail Security

Well, not necessarily. The world is not as bad as you might think about. The e-mail itself has no security implemented, that’s true. But what exactly does that mean? Let’s look at this nice graphic.

In fact it’s like this: When you send the e-mail, it is delivered through several server. And each of them can read the e-mail in plain text. Mail headers are read, time-stamp added and forwarded to the next server – that’s how e-mail worked from the beginning and is still working today. If we don’t implement any security, each of the forwarding servers can not only read the mail, they can also modify. And because it’s pure text, modification is possible on each part. Sender, subject, recipient, links, attachments. That’s where it get’s dangerous. So what can we do?

Adding Security

For adding security, there’s some main techniques, which are already covered in the post: “[Beginners guide to Deliverability] Lesson 4, Authentication and Prevention” and discussed on our YouTube channel Deliverability.TV (will be published 30th of March 2017).

In Summary, they are:

  • SPF (Sender Policy Framework): Determines which IPs are allowed to send e-mail in behalf of the domain name
  • DKIM (Domain keys identified mail): Uses public/private key signatures to make sure, that the e-mail was not modified. This includes the important information, that sender can’t be forged and links can’t be changed into phishing links.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Uses SPF and DKIM for authentication and adds
    • the possibility to set a policy: “How should recipient mailservers react in case of invalid authentication test?
    • reporting feedback channel: “How many messages did I receive from the specific domain and how many of them failed the authentication check?

You should do at least SPF and DKIM. DMARC doesn’t provide additional security and is more relevant for bigger companies working in security-critical industries like finance.

Adding Privacy

If you don’t want others to read your mail, you need to encrypt. In my last post, I covered this topic in detail: Security & Encryption for Mass Messaging.

Most important encryption possibilities are:

  • end-to-end: You need to agree with the recipient himself about a key. Then you can encrypt the message before sending and only the recipient can read it. It’s the most secure possibility, but requires a lot of manual work to setup – and of course it requires your communication partner to implement on his side as well. Most important technologies here are PGP and S/MIME.
  • TLS: Server-encryption between your outgoing mail server and the recipients mail server. Prevents access from all forwarding servers, but on sending and receiving server, mail is stored in plain text. For end-users, this method is more or less invisible and most mail hosters for private mail have implemented it by default.

It depends on the level of privacy which method you chose. Mass-mail advertisement is still being send without TLS in many cases to save encryption effort, but personal communication should encrypt in 2017 in my opinion without exception.

How can we detect Spam or phishing now?

An a brilliant preparation for this post, I recently registered a .com domain. What happens is, that you get tons of spam from day one – obviously the WHOIS-information with contact details is harvested (e-mail address collected) and unsolicited mails are being sent.

Fortunately, next to the automatic spam filtering, the ISP of your choice offers some hints whether the security methods, that I have just mentioned are being used and successfully tested:

GMail marks unencrypted (TLS) messages with a red lock for instance:

Missing TLS

SPF, DKIM and DMARC can be checked in the mail header. In most ISPs there’s an option called “show mail header”, “show original mail” or similar. Use the search function to check for SPF and DKIM and check if there’s a “pass” for them.

valid signature:

Authentication-Results: mx.google.com;
 dkim=pass header.i=@reply.cyberport.de;
 spf=pass (google.com: domain of suite9@xpressus.emsmtp.com designates 217.175.197.46 as permitted sender) smtp.mailfrom=suite9@xpressus.emsmtp.com;
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=reply.cyberport.de

failing signature:

Received-SPF: fail (google.com: domain of jobs@arbeitsagentur.de does not designate 70.40.215.63 as permitted sender) client-ip=70.40.215.63;
Authentication-Results: mx.google.com;
 spf=fail (google.com: domain of jobs@arbeitsagentur.de does not designate 70.40.215.63 as permitted sender) smtp.mailfrom=jobs@arbeitsagentur.de

In obvious cases you can already detect Phishing before checking the headers. It’s a good indication, when the contact address differs from the sending address…

contact address differs from the sending address

…or when the links lead to a different target domain than they pretend to. You can check the target by hovering the links with your mouse cursor:

links leading to a different target domain

Btw: While I would encourage everybody to click on unsubscribe links instead of reporting spam in most cases, I wouldn’t recommend that on obvious spam/phishing mails. You could infect yourself or at least indicate to the spammer, that there’s a valid recipient behind the address. This increases value of your address in the eye of the spammer and this leads to even more spam)

I don’t need to mention in detail, that spelling mistakes or e-mails in a different language are suspicious as well. Bottom line is: Mail headers tell the truth – analyze them! And: Whenever you’re not sure, be careful!

Hope this helps a bit. Contact me if you have additional questions or specific cases and I’m happy to check them for you! Stay tuned…

Florian Vierke is Senior Deliverability Specialist with over seven years of experience in all areas of E-Mail Deliverability & Abuse Management. Florian is a member of MAAWG, certified senders alliance and competence group email and maintains a regular presence at conventions and fairs like Internet Security days, email expo or dmexco.

Posted in English Posts Tagged with: , , , , , , , ,
One comment on “How to recognize Spam & Phishing?
  1. Coach Ben says:

    Amazing blog guys. Believe you me postmasters out here want to hear more from you.. Like your theme too.. Keep it going guys, I am following closely

Leave a comment