Anti-Spoof with Email Data Protection based on VIP Names

book

Article ID: 178798

calendar_today

Updated On:

Products

Email Security.cloud

Issue/Introduction

This type of spoofing is commonly seen being used on employees that are close to the VIPs of the company. Its purpose is to make recipients believe that the mail has been sent from a trusted source based on the sender’s name. To the untrained eye, the incoming email will look legitimate and they will and may completely disregard the sending email address displayed in their email client.
This is what spammers are aiming for, they are looking for people who are not aware of this type of spoofing. They want recipients to believe that the display name in Outlook for example is actually the mailbox that sent the mail even though the email used is clearly not from the VIP user.

Cause

Bad Spoof Sample:
In this spoof example we assume John Smith is the Vip user, the CEO of yourdomain.com:
X-Env-Sender: [email protected] or X-Env-Sender: [email protected]

From: John Smith <[email protected]>

To: <[email protected]>
 

NOTE/TIP:
This policy follows the same logical structure base as shown in the article that helps with domain spoofing. In this article, we create a policy to tackle domain spoof in general. If you’ve followed the previous article, the Capture Header Information list already exists, as such you don’t need to duplicate it, use the same list as created before, use the search feature to find it. If on the other hand, this is the first time you're here, to create the list as stated below.

Resolution

Contents

 

Before you start

We will be using regular expressions in this policy. In Symantec.cloud, the Data Protection regular expression engine supports Java 7 based expressions.

Important: When writing regular expressions, do test your expressions to ensure that they work as you intend. Use the following pages to test your regular expressions:

Symantec recommends that you check the Oracle Summary of Regex Constructs for instructions on syntax. Ensure that you check the case insensitive option.

Syntax:
. (dot)
a
a|b
[abx-z]
a+
a{4,8}
\w
\b
Any character except newline
The character a
a or b
One character of: a, b, or the range x-z
One or more a's
Between (inclusive) 4 and 8 a's
A word character (same as [_a-zA-Z0-9])
Word boundary
\
ab
a*
a?
a{4}
a{9,}
\d
Escapes a special character
The string ab
0 or more a's
Zero or one a's
Exactly 4 a's
9 or more a's
A digit (same as [0-9])

 

Policy logic

Policy summary

Rule 1:
  Control VipName
   Condition 1:
    Content Regular Expression List
     - VipName Checker

AND

Rule 2:
  Header Information conditions
   Condition 1:
    Content Regular Expression List
     - Capture Header Information

AND

Rule 3:
  Exceptions
   Condition 1:
    Content Regular Expression List
     - Valid Spoof IP sources Vips
     (AND)
     - Valid Spoof Msg-ID sources Vips

   Additional/Optional Conditions
   Condition 2:
    Sender Group
     - Personal emails Exceptions
   Condition 3:
    Content Regular Expression List
     - Valid Spoof IP sources
     (AND)
     - Valid Spoof Msg-ID sources


  • Rule 1 will be true if condition is satisfied
    • Condition 1 will be true if it finds a match to 1 Vip Name from the listed Vip Name entries in VipName Checker
  • Rule 2 will be true if condition is satisfied
    • Condition 1 will be true if it finds a HELO, IP, Reply-to and/or Message-ID. Some may be absent, as it can happen with the Message-ID for example
  • Rule 3 will be true if condition/s is/are satisfied
    • Condition 1 will be true if none of the entries in the selected lists are found, that is, only triggers when the source is unknown/not listed, effectively being a non-approved source
    • (Additional/Optional Conditions)
      Condition 2 is related with the valid sources that can spoof your domain (Article HOWTO124383). Rule 3 will be true if none of the entries in the selected lists are found, that is, only triggers when the source is unknown/not listed, effectively being a non-approved source

In short, the policy will be true, that is, trigger if the incoming email contains one of the Vip Names being monitored, and the source IP and source Message-ID aren't known. Then it actions the email, saving in the process information of the Body From, HELO/EHLO, IP, and/or Message-ID used. The final report will also contain the Env-sender address, as well as the subject of the email.

 

Policy implementation

  1. Log in to the Symantec.cloud console.
  2. Navigate to Services > Data Protection.
  3. Start a new Data Protection policy, with the following options:
    • Name: Anti-spoof VIP Name Control
    • Apply to: Inbound mail only
    • Execute if: All rules are met
    • Action: Log Only
    • Administrator email: Enter a non-production administrator email address; do not use a personal email address. DP policy administrators are automatically whitelisted from all DP policies to avoid mail loops.
    • Notification: None
       
      Note: The address [email protected] below is just an example; use your own admin address.

  4. Add a new Rule
    • Name the rule, Control VipName
    • Set it to “All conditions are met
       

       
    1. Add a new condition - Content Regular Expression List
      • Click on “Create a new Regular Expression List
        • Name the list – VipName Checker
        • You’ll add the VIP names to the list with format:
          ^(from:.*?((\bFname_vip\b.*?\bLname_vip\b|\bLname_vip\b.*?\bFname_vip\b).*?<|<(Fname_vip\p{Punct}{0,3}Lname_vip|Lname_vip\p{Punct}{0,3}Fname_vip)@).*)​


        • Description of the variables: Fname_vip is the first name, Lname_vip is the Last Name.
        • Example with name John Smith
          ^(from:.*?((\bJohn\b.*?\bSmith\b|\bSmith\b.*?\bJohn\b).*?<|<(John\p{Punct}{0,3}Smith|Smith\p{Punct}{0,3}John)@).*)​

           
          This isn’t to say you’re bound by this format as presented, you’re free to change it to match your own email naming system. Change the placeholders, or add more blocks as you see fit.
          First section has 2 options
          (\bFname_vip\b.*?\bLname_vip\b|\bLname_vip\b.*?\bFname_vip\b)​

          Second section has 2 options
          (Fname_vip\p{Punct}{0,3}Lname_vip|Lname_vip\p{Punct}{0,3}Fname_vip)​

           
          Let’s suppose that you also have a 3rd option where its first letter, last name for the email. So the second section would become:
          (Fname_vip\p{Punct}{0,3}Lname_vip|Lname_vip\p{Punct}{0,3}Fname_vip|FLetter\p{Punct}{0,3}Lname_vip)​

           
          Using our sample name John Smith we would get:
          ^(from:.*?((\bJohn\b.*?\bSmith\b|\bSmith\b.*?\bJohn\b).*?<|<(John\p{Punct}{0,3}Smith|Smith\p{Punct}{0,3}John|J\p{Punct}{0,3}Smith)@).*)​

           
          Easy method to create a list using excel:
          In cell A2 type the First name
          In cell B2 type the Last name
          In cell C2 paste the following
          =IF(A2="","","^(from:.*?((\b"&A2&"\b.*?\b"&B2&"\b|\b"&B2&"\b.*?\b"&A2&"\b).*?<|<("&A2&"\p{Punct}{0,3}"&B2&"|"&B2&"\p{Punct}{0,3}"&A2&")@).*)")​

           
          This expression will match a combination of the two names in the Body From line, we know that a name isn’t unique and there’s a potential for false positives. Add one entry per VIP name.
           
          Examples of matches:
          From: john smith <[email protected]>
          From: <[email protected]>
          From: <[email protected]>
          From: “john smith <[email protected]>” <[email protected]>
           
      • Condition options:
        • Email contains: a number of matches for the regexes in the selected lists
        • At least: 1
        • Count only unique matches: No
        • Case sensitive: No
        • Look in: Header
        • Matched text: Log Matched text
  5. Add a new Rule
    • Name the rule, Feedback Conditions
    • Set it to “ALL conditions are met
       

       
    1. Add a new condition - Content Regular Expression List  
      • NOTE: These lists may already exist amongst your regex list if you've followed article HOWTO124383, use the search option instead to find them, and set the condition options as shown.
      • Click on “Create a new Regular Expression List
        • Name the list – Capture Header Information
        • Here you’ll add the following entries to the list:
          (?:1)?\(((?:HE|EH)LO(?!=)\n?.*?)\)[\s]{1,2}?.*?\n?.*?messagelabs\.com
          (?:2)?\(((?:\d{1,3}\.){3}\d{1,3})\).*?\n?.*?messagelabs\.com
          (?:3)?^(Message-ID:.+)$
          (?:4)?^(Reply-to:.+)$​


          This expression set will register the HELO, IP, Message-ID and Reply-to. Not all values need to be present, it will register all the values it finds
           
      • Condition options:
        • Email contains: a number of matches for the regexes in the selected lists
        • At least: 1
        • Count only unique matches: No
        • Case sensitive: No
        • Look in: Header
        • Matched text: Log Matched text
           
  6. Add a new Rule  

    READ ME:
    The approved sources rule serves to list the IPs and/or Message-IDs of valid senders that use the VIP names, like business partners, personal emails, etc. This information will be provided by the reports you’ll be running every few days. Steps for the below. From the report you’ll review the listed entries and decide how to approve a given valid source. The idea here is to pick the option that delivers that same result while requiring less effort to do. So if you have a source that has dozens of IPs, but follows a particular pattern with regards to the Message-ID, its probably easier to approve the Message-ID format. On the other hand you may have a source with few IPs, but quite different format of Message-IDs every time, its easier to approve the IPs in this case, or IP range.
     

    • Name the rule, Exceptions
    • Set it to “All conditions are met
       

       
    1. Add a new condition - Content Regular Expression List  
      • Click on “Create a new Regular Expression List
        • Name the list – Spoof Valid IP sources Vip
        • The first valid sources we’ll add here are your own outbound routes. It’s common for local applications to send email externally before reaching an internal user, a java mail server for example. The IPs will be added with the following format: \b123\.123\.123\.123\b
           
          Important Notes/Rules:
          1. Because we’re using a regex list, we need to escape the “.” (dot) with a “\” (backslash), as the dot means any character except the new line within the regex system
          2. For IPs where the 1st byte is a number between 0 and 99, add \b before and after the IP
          3. For IPs where the 4th byte is a number between 0 and 25, add \b before and after the IP
          4. To add comments to IPs, add the following bit of regex after the IP, (?: Your Comment Here)?
           
          Examples:
          A) Suppose our valid IP is 123.23.80.1
          1. In regex the IP is 123\.23\.80\.1. But because the 4th byte is between 0 and 25, we need to add \b, making it \b123\.23\.80\.1\b. Otherwise it would match 123.23.80.1, 123.23.80.10 to .19, 123.23.80.100 to 123.23.80.199, which isn't the desired result.
           
          2. To add an IP with a comment, have the IP instead added as follows \b123\.23\.80\.1\b(?: IP from partner ABC)?
           
          B) Suppose we have a valid IP Range: 195.168.1.0/23
          1. An IP range can be converted to regex using the following free tool: http://www.analyticsmarket.com/freetools/ipregex. Replace the symbols ^ and $ in the resulting expression with \b. If you need to know the starting and ending of a given IP range you can use http://jodies.de/ipcalc.
           
          Use IP Calculator to get first IP Address: 195.168.0.1 and the last IP Address: 195.168.1.254 of the range
           
          Use IP to Regex to get it converted, which results in:
          (Syntax not to use)
          ^195\.168\.(0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|(([0-1])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))|1\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4])))$​

           
          But, we need to swap ^ $ with \b, so the expression we'll use is:
          (Syntax to use)
          \b195\.168\.(0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|(([0-1])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))|1\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4])))\b​

           
          Or, if you'd like to add it with a comment:
          \b195\.168\.(0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|(([0-1])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))|1\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4])))\b(?:IP Range from partner ABC)?​

           
      • Click on “Create a new Regular Expression List
        • Name the list – Spoof Valid Message-ID sources Vip
          This list serves to approve sources based on the Message-ID. Sample and first temp entry
          ^(Message-ID:(?:.*?)@dummy\.domain\.symantec\.cloud>)$​

           
          The initial segment will be static, ^(Message-ID:(?:.*?)@ and so will >)$. The area between @ and > is where the pattern for the domain is added.
          Example: ^(Message-ID:(?:.*?)@pattern[23]\.domain\.com>)$, where the sending msg-id can be Message-ID: <[email protected]> or Message-ID: <[email protected]>
           
          Let’s suppose you use Office 365, the following expression can be used to validate Office 365 servers when it’s the source of the email:
          ^(Message-ID:.*[email protected][a-z0-9]{3}pr[0-9]{2,4}mb[0-9]{3,4}\.[a-z]{3}prd[0-9]{2}\.prod\.outlook\.com>)$​

           
          Note: Avoid using your own domain as a valid source as a Message-ID exception, use IPs to approve your own sources. Message-ID sources are useful to approve externals sources when it’s easier than approving the IPs.
          Other conditions are possible as exceptions like for example HELO commands, and other header elements that may be used to uniquely identify a source, but be aware that HELO's can be forged easily.
           
      • Optional lists
        The Exception Lists above are to list the sources that have been deemed allowed to send emails on behalf of the listed VIPs. We decided to split the allowed sources of domains from the allowed sources of VIPs because a source that can spoof your domain doesn’t necessarily mean it should be allowed to spoof your VIPs. But depending on your policies, you may think otherwise, therefore if you have followed article HOWTO124383 you may opt for adding the Exception Lists created in that policy here. Use the search option to find the other This will result in this condition having 4 lists, 2 of Vip exceptions and 2 of domain exceptions. The condition options remain as shown below.
         
      • Condition options:
        • Email contains: A match for none of the regexes in the selected lists
        • Case sensitive: No
        • Look in: Header
        • Matched text: Log Matched text
  7. Review and Save the policy

 

Report

 

Reports Location:

Access the Clientnet portal > Reports > Report Requests
 

Requirements

Before we can create the report, you’ll need to ensure you’re using the local main account or a secondary user with the role/permission of “View Sensitive statistics” assigned to it. Secondly, we need to ensure the following options in Data Protection is activated. For those that have a partner, or you’re a partner creating this policies/reports on behalf of your client, your partner account won’t work to create this report, again it needs to be a local user to the account with the correct role.
 

Access the Clientnet portal and go to Services > Data Protection > Settings

On the settings, window scroll down and tick both options in Reporting, Save.

Reporting

Tick > Show matched content on reports

Tick > Show surrounding text on reports
 


 

Report for policy Anti-spoof Control

  1. Start a new Report
    • Give it a meaningful name, Anti-spoof Control Report
       

       
  2. Select Data
    • Select Email Detailed Report (CSV)
    • Tick Data Protection
    • Click on Advanced Settings
      • Under Policy Name: Ensure the name matches the exact name of the policy, for this example we defined the policy name as Anti-spoof Domain Control, so we’ll use it here.
         

       
  3. Reporting period
    • Time zone: GMT (pick your time zone)
    • Report period: last 3 day(s) (a good value to start)
    • Tick Schedule
      • Run the report request: Daily at 8:00AM (pick a time that suits you)
      • Every: 3 Days
      • Until: Forever
         

       
  4. Delivery
    • Report available: as an email attachment
    • Recipient(s): you can add up to 5 recipients
    • The other options can be left default
       

       
  5. Confirm request
    • Review your choices and submit

Example of how a report would look like in excel, with non-relevant columns hidden:

  A B C D E F G H I
1 Time Period Email Subject Email To Email From Matched Content
2 16/08/2016 22:48 Subject Line [email protected] [email protected] 12.12.12.12, HELO server1.sender.com, From: "Some Name" <[email protected]>, Message-Id: <[email protected]>
3 16/08/2016 21:31 Some Subject [email protected] [email protected] 30.40.50.60, HELO srv23-exh2.domain.com, From: [email protected], Message-Id: <[email protected]>

 

Final Steps

 

With everything set in motion, the work will now be focused on analysing the report every couple of days, work out the valid spoof sources and approve them in the Exceptions condition. This process may take several weeks depending on the email flow and number of individual valid sources. The recommendation is to only change the action of the Anti-spoof Domain Control policy once you can accept the reduced risk of false positives, which after several weeks and a good deal of approvals later should be minimal.
 
After Log Only, the next action we’d suggest is Redirect to Administrator, in which the emails get sent to the specified admin email used in this policy. This admin email would be a specially created mailbox for this purpose, where the goal is to keep emails just in case a false positive happens, so that you can retrieve the email.

 

Attachments