
Educause Security Discussion mailing list archives
Re: Notifications of external emails
From: Thomas Carter <tcarter () AUSTINCOLLEGE EDU>
Date: Wed, 8 Feb 2017 17:25:30 +0000
Appending a footer is something we’re also considering, but I fear that by the time the user read to the bottom of the message, they had already fallen for the phishing.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank Barton
Sent: Wednesday, February 8, 2017 10:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Notifications of external emails

I have seen an increasing number of institutions (Mostly outside of Higher Ed) that are appending a footer to all messages that come from outside saying "This message came from an external source, be careful". Here's one from our local hospital:

[Inline image 1]

The problem comes then from modifying the body of the message, and that can invalidate digital signatures (DKIM, S/MIME for example).

Frank

On Wed, Feb 8, 2017 at 11:19 AM, Harris, Brent <BHarris () umhb edu> wrote:

Interesting topic – haven’t tried this but brainstorming and googling brings a couple of thoughts:

Exchange Message Classification might be useful for this (if you’re running Exchange).

You might be able to use your inbound email scanner to inject text into the header, that would not be seen by the end user, and use that header text to trigger a rule that would categorize or format those messages to signify that it came from outside the organization.

Brent Harris
Vice President for Information Technology
University of Mary Hardin-Baylor

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Wednesday, February 8, 2017 9:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Notifications of external emails

This is more to combat the traditional “HR is validating your last paycheck. Click the link and enter your account info” type of phishing. Something procedural will get generally ignored by many departments when sending out emails, so we’re looking for something more automatic.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Napier, Mark E
Sent: Wednesday, February 8, 2017 9:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Notifications of external emails

What about encouraging or requiring your users to use S/MIME to sign their emails? That would also cover the situation in which a machine on the internal network is engaged in pushing. (In most cases, anyway)

--
Mark E. Napier MIS, CIPT
Deputy Director of Information Technology / Chief Information Privacy and Security Officer
School of Informatics and Computing
Indiana University

On Feb 8, 2017, at 9:57 AM, Thomas Carter <tcarter () AUSTINCOLLEGE EDU> wrote:

We are trying to combat phishing by making users more aware of emails that come from outside campus vs internal emails.

We’ve trialed using a mail rule to modify the subject line and prepend a flag (like “EXTERNAL:” or similar) but users complained it caused confusion (?) and they didn’t like emails to be modified. I suspect a disclaimer added to the body of the message would be either ignored or disliked for the same reasons. Has anyone else done something to somehow flag external emails? What was the feedback? How well does it work?

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

--
Frank Barton
ACMT
IT Systems Administrator
Husson University

--- This is an external email -----
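
An added example, not part of the original thread: it checks which of the three tagging approaches discussed above (body footer, subject prefix, injected header) change the data a DKIM signature covers, using RFC 6376 "relaxed" canonicalization. The `h=` list, the sample message and the `X-Origin-External` header name are assumptions; no signature is computed, only the hashed inputs a verifier would compare.

```python
import base64
import hashlib
import re

SIGNED_HEADERS = ["from", "to", "subject", "date"]  # assumed h= list of the sender

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value the signer publishes in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def signed_header_digest(headers: dict) -> str:
    """Digest over the fields named in h= only. Simplified: a real verifier
    also feeds in the DKIM-Signature field and checks a public-key signature."""
    lower = {k.lower(): v for k, v in headers.items()}
    h = hashlib.sha256()
    for name in SIGNED_HEADERS:
        value = re.sub(r"\s+", " ", lower.get(name, "")).strip()
        h.update(f"{name}:{value}\r\n".encode())
    return h.hexdigest()

def survives(old_headers, old_body, new_headers, new_body) -> bool:
    """True if the gateway's change leaves all DKIM-covered data intact."""
    return (body_hash(old_body) == body_hash(new_body)
            and signed_header_digest(old_headers) == signed_header_digest(new_headers))

# Constructed sample message (not taken from the thread).
HEADERS = {"From": "registrar@example.org", "To": "staff@example.edu",
           "Subject": "Spring schedule", "Date": "Wed, 8 Feb 2017 10:00:00 -0600"}
BODY = b"Please review the attached schedule.\r\n"

def gateway_options() -> dict:
    """Apply each tagging approach and report whether DKIM would still verify."""
    footer = BODY + b"\r\n--- This is an external email -----\r\n"
    prefixed = dict(HEADERS, Subject="EXTERNAL: " + HEADERS["Subject"])
    tagged = dict(HEADERS, **{"X-Origin-External": "yes"})  # hypothetical header
    return {"footer": survives(HEADERS, BODY, HEADERS, footer),
            "subject_prefix": survives(HEADERS, BODY, prefixed, BODY),
            "added_header": survives(HEADERS, BODY, tagged, BODY)}
```

Only the injected header leaves the signed data untouched here; the result for the subject prefix depends on whether the sending domain lists Subject in `h=`.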
Current thread:
- Notifications of external emails Thomas Carter (Feb 08)
- Re: Notifications of external emails Napier, Mark E (Feb 08)
- Re: Notifications of external emails Thomas Carter (Feb 08)
- Re: Notifications of external emails Harris, Brent (Feb 08)
- Re: Notifications of external emails Frank Barton (Feb 08)
- Re: Notifications of external emails Thomas Carter (Feb 08)
- Re: Notifications of external emails Valdis Kletnieks (Feb 08)
- Re: Notifications of external emails Thomas Carter (Feb 08)
- Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails Cecka, Benjamin (Feb 08)
- Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails Frank Barton (Feb 08)
- Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails Klein Keane, Justin (Feb 08)
- Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails Alan Amesbury (Feb 08)
- Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails Frank Barton (Feb 08)
- Re: Notifications of external emails Napier, Mark E (Feb 08)
- <Possible follow-ups>
- Re: Notifications of external emails Johnson, Kyle A (Feb 08)