Educause Security Discussion mailing list archives

Re: Response to phishing e-mails


From: Nick Semenkovich <nick () SEMENKOVICH COM>
Date: Fri, 31 Oct 2014 11:21:09 -0500

On Thu, Oct 30, 2014 at 9:29 AM, Paul Chauvet <chauvetp () newpaltz edu> wrote:
> Aside from two-factor (which we will have eventually), we already have in
> place many of the features you've had.  I won't go into specifics, but most
> important services are only accessible via Campus IPs (or via VPN for some
> users).  Doing that with email will never really be a viable option.  We do
> have notices and alerts for 'abnormal' IP connections to our SMTP server.
> Faculty/staff who frequently travel to other countries do get whitelisted
> for these issues.  The impact of a phished email account has been reduced.

That sounds great! I think you're probably better off than most institutions :)


> What we haven't done is implement DMARC and SPF hard fails.  DMARC has its
> own problems, especially with regards to mailing lists.  In my opinion it is
> a solution that causes more problems than it fixes.  SPF hardfail causes
> similar issues in my opinion.

Sure, I'll focus here, since this thread started on phishing.

DMARC compliance has *really* improved ever since Yahoo, AOL, and
others adopted a p=reject policy for their huge numbers of users. Many
mailing lists (including this one) "just work".

(Unfortunately, without a p=none [report-only] policy, you can't even
tell if you'd have mailing list problems at all -- let alone who's
sending mail as you!)


Perhaps consider this perspective (which is an interesting one for
TLS/HSTS, too):


What if you dropped all the technical jargon, and had to ask the
administration or legal counsel for approval?

Then, the options look *really* different:

(No DMARC) "Hey, I'd like to let anyone in the world send email and
pretend to be us. Can legal sign off on that?"
(p=none) "I'd like to let anyone send emails pretending to be us, but
... we can get a rough idea of who's sending things. Is that ok?"
(p=quarantine) "Only we should be able to send mail as our university.
Messages to old mailing lists might get quarantined, though this seems
to work for Yahoo, AOL, ..."

> The phishing attempts we do receive (that get through) aren't spoofing our domain.

Perhaps true, but I'll bet they're going to other domains (along with
the usual spam, etc.) in your university's name.


- Nick


Again, I want to emphasize I mean none of this specifically about your
institution. More broadly, I've seen a surprising amount of
spam/phishing impersonating very high-profile .edu domains, either
from compromised resnets that don't filter port 25 egress, or *no* SPF
policies (which is absurd), etc. I'm happy there's an open thread on
the topic -- thanks for replying!


-- 
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St. Louis
https://nick.semenkovich.com/

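As an added illustration of the three postures Nick lays out (no DMARC record, p=none report-only, p=quarantine/p=reject) alongside the SPF softfail-versus-hardfail question Paul raises, here is a small Python checker. It is not code from either poster or from the list; it parses the DMARC and SPF TXT records a domain would publish and reports what each asks receivers to do. The records in SAMPLES are constructed (example.edu and 192.0.2.0/24 are documentation placeholders), and the RFC 7489 handling of a record with a missing p= tag is implemented as that RFC describes it.

```python
"""Assess a domain's DMARC and SPF posture from its DNS TXT records.

Added example, not from the mailing-list thread. Classifies a domain into
the situations discussed there: no DMARC, p=none (report-only),
p=quarantine / p=reject, and SPF softfail vs hardfail. All sample records
below are constructed; they are not any real domain's records.
"""

DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT record ('tag=value; tag=value') into a dict.

    Returns None when the text is not a DMARC record (RFC 7489 requires
    the record to carry v=DMARC1).
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def dmarc_posture(txt):
    """Summarise what a DMARC record asks receivers to do with unaligned mail."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return {"policy": "missing", "pct": 0, "reporting": False,
                "summary": "No DMARC record: spoofed mail is neither rejected nor reported."}
    reporting = "rua" in tags  # aggregate reports show who is sending as you
    policy = tags.get("p", "").lower()
    if policy not in DMARC_POLICIES:
        # RFC 7489 6.6.3: a record without a valid p= tag is treated as
        # p=none when it at least requests reports; otherwise it is invalid.
        if not reporting:
            return {"policy": "invalid", "pct": 0, "reporting": False,
                    "summary": "Malformed DMARC record (no valid p= tag); receivers ignore it."}
        policy = "none"
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # RFC default when pct= is unparseable
    if policy == "none":
        summary = "Report-only: spoofed mail is delivered, " + (
            "but aggregate reports show who is sending as this domain."
            if reporting else "and without rua= you get no reports either.")
    else:
        summary = f"Receivers {policy} {pct}% of mail failing DMARC alignment."
    return {"policy": policy, "pct": pct, "reporting": reporting, "summary": summary}


def spf_posture(txt):
    """Classify an SPF record by the qualifier on its terminal 'all' mechanism."""
    parts = txt.split() if txt else []
    if not parts or parts[0].lower() != "v=spf1":
        return "missing"
    for term in parts[1:]:
        term = term.lower()
        if term in ("all", "+all", "-all", "~all", "?all"):
            qualifier = term[:-3] or "+"  # bare 'all' means '+all'
            return {"-": "hardfail", "~": "softfail",
                    "?": "neutral", "+": "pass-all"}[qualifier]
    return "no-all"  # no 'all' mechanism: unmatched senders get implicit neutral


def assess(dmarc_txt, spf_txt):
    """Combine both records into one posture dict."""
    dmarc = dmarc_posture(dmarc_txt)
    return {"dmarc": dmarc["policy"], "dmarc_reporting": dmarc["reporting"],
            "spf": spf_posture(spf_txt), "summary": dmarc["summary"]}


# Constructed sample records, one per posture from the thread (not real domains).
SAMPLES = {
    "no-dmarc": (None, "v=spf1 include:_spf.example.edu ~all"),
    "report-only": ("v=DMARC1; p=none; rua=mailto:dmarc-rua@example.edu",
                    "v=spf1 ip4:192.0.2.0/24 ~all"),
    "enforcing": ("v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-rua@example.edu",
                  "v=spf1 ip4:192.0.2.0/24 -all"),
}

if __name__ == "__main__":
    for name, (dmarc_txt, spf_txt) in SAMPLES.items():
        print(f"{name:12s} {assess(dmarc_txt, spf_txt)}")
```

The "report-only" sample is the p=none step Nick describes: it changes nothing about delivery, but the rua= address starts receiving aggregate reports, which is the only way to learn whether mailing lists (or anyone else) are sending in your name before moving to quarantine or reject. Note that pct= lets a domain phase an enforcing policy in gradually, and that a record with no valid p= tag and no rua= is silently ignored by receivers, so a typo there leaves you with no policy at all.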