Given how complicated it was to set up organizational email services in the previous decade, today’s self-service offerings from Microsoft and Google have significantly eased the process of setting up email for your-company.com with an affordable, highly-reliable and relatively secure provider. It literally takes a handful of minutes (if you know what you are doing) to go from zero to email, but there are still plenty of gotchas that can render your new service less than perfect. If your recipients keep finding your emails in their junk folder, it’s possibly worse than not having email service at all. It would be impossible for me to outline all the ways in which this may happen, but there is a common gotcha you might want to investigate.
SPF? Is my email getting sunburnt?
Recently several of our clients have had problems with email delivery caused by incorrect SPF records. In this case, SPF is an acronym for “Sender Policy Framework” and not “Sun Protection Factor”, but much like forgetting the sunscreen on your day outside, not having proper email SPF will result in you getting “burned” as your emails are marked as spam by your recipient’s email servers. Without getting into the bloody details, the Sender Policy Framework is one way email servers use to verify the sender is who they say they are, “Is this email actually from C2, or is someone spoofing the sending email address?” While spoofers can fake your email address, they can’t typically change your SPF record (if they can, you have much bigger problems), so it’s a reliable source of verification if it’s set properly!
Here’s how you will know your email is getting marked as spam for having an improper SPF record. From your company’s account, send an email to an outside email address that you have ready access to, such as a personal Gmail or Yahoo account. You will need to check the headers on that email for SPF failures – the formatting and verbiage you need to look for in the headers will vary depending on the recipient’s email provider, but Google returns failures that look like this:
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate ##.##.109.66 as permitted sender) client-ip=##.##.109.66;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=20210112 header.b=TJLH3iac;
spf=softfail (google.com: domain of transitioning [email protected] does not designate ##.##.109.66 as permitted sender) [email protected]
If you find “Fail” anywhere in the header, that email will likely get marked as spam and will end up in Junk or Spam folders rather than the inbox. Now how does something like this happen? If you’ve gone through your providers guided setup process, or had email set up by someone like C2, your SPF records will be set properly, but if you recently made changes that might alter your DNS (like a website redesign!) or engaged a new cloud service that sends emails on your company’s behalf, you may need to check your SPF record to ensure it is set properly. You can check your current SPF record using a free tool at MXToolbox.com (not a sponsor, we just like the tools), but unless you are well-versed in DNS and domains, you may not be able to easily interpret the results. Either way, if your emails are getting delivered to spam regardless of your recipient’s whitelisting efforts, an incorrect SPF record may be the culprit and should be addressed as soon as possible!
Image by CrafCraf from Pixabay
Canadian lawmakers have finally had enough spam in their email boxes and just passed legislation which essentially outlaws all unsolicited commercial emails. If you want to send commercial email to a Canadian, you must have their express consent, regardless of where your company is in the world. At first blush, you may be tempted to say, “Good for them. Fight the good fight, Canada!” and you’d be counted sane to believe this was enacted with good intentions, but we know where those types of roads sometimes lead. As many others have pointed out, this will likely negatively impact the businesses and organizations we do want to hear from, and will have little to no impact on spammers who already ignore laws, ethics, logic, spelling and common sense. Rather than having an inbox filled with all sorts of email, Canadians can look forward to only getting spam from scofflaws. Oh, and a ton of emails from companies asking for their permission to keep their addresses on their lists.
What this means for you:
If you send commercial email to your clients or customers, and some of them happen to be Canadian, you now have to sort them out and get a positive confirmation from them, regardless of whether they had actively or tacitly agreed to be on your mailing list. In other words, you have to send out what is likely to be viewed as an unwanted email to someone who already has too much email, asking if they are OK with you sending emails to them in the future. The fines for violating CASL are quite stiff (up to $1M for individuals), so you can be sure businesses with Canadian customers are taking this very seriously. And this law isn’t just limited to advertisement emails. This newsletter is technically an email with commercial intent, and if I were to send it to Canadians without their express consent, I could be held liable. Is a law similar to CASL likely to be considered in the US? Seeing as our politicians have trouble agreeing on just about anything lately, I’d say we’d only have to worry about the Spam Mounties for the moment.
Image courtesy of renjith krishnan / FreeDigitalPhotos.net
Malicious agents continue to use increasingly sophisticated email templates to fool victims into installing malware on their computers. Most recently, people have been falling prey to an email that appears to be from Dropbox.com, a very widely used cloud storage website. The email uses Dropbox artwork and is kept short and to the point: it warns the user that they need to change their password and provides a link (which, of course, leads to a hijacked website). Adding to this email’s apparent credibility is the fact that Dropbox has engaged in this very same practice to legitimately warn users about password changes. Couple this with the fact that it’s highly likely you have a Dropbox account, and the hook is set before you know it.
What this means for you:
Whenever you receive a warning like this, the safest method to take action is to manually type the URL of the service in question in your browser and never click links in the email, unless you are confident they don’t lead to a hijacked website. Most email clients, including web-based ones like Gmail and Yahoo Mail, allow you to roll over the links in any email and see the actual linked destination (it may take a second or two, be patient while hovering), as it’s trivial to fake the visible destination while sending you down a dark road to infection. For more tips on spotting fake emails like this one, read my previous post, “Fake Emails are Getting Harder to Spot“.
If you’ve taken to heart any of the security advice or practices that I or many other technology professionals have been dispensing for the past few years, you’ve probably developed a healthy skepticism for any emails that land in your box that are unexpected and contain unfamiliar links. Even more so if your email provider marks the email as spam or a possible phishing attempt.
For example, I recently received an email with the subject “iPhone iPod touch Class Action Settlement” that was immediately marked as spam by Gmail. This email purportedly offered me a part of a class action settlement with Apple. Seeing how many people own iPhones and iPods, it seemed like good phishing bait so I assumed this was yet another scam. It had all the trappings of a well-made con:
- broad target demographic
- based on a recent, actual event
- contained lots of official-sounding text that didn’t read like a 4th grader wrote it
- no overt clues that the sender was an obvious bad agent (non-US domains, inappropriate reply-to addresses, spoofed mail headers, etc.)
It would probably lure people into clicking a link that would either load up their machines with malware, or entice them into giving up some personal information that would later be used in an identity theft attempt. I opened it up with the intent of warning my audience and clients about the potentially well-crafted fraud.
As it turns out, this is a legitimate email that Gmail incorrectly identified as spam, probably because the sender was flagged as a spammer by justifiably suspicious readers like you and me. A little research online reveals this is part of the original case that made headlines back in May of this year. Emboldened by this information, I used Chrome (bolstered by a variety of anti-scripting extensions) to visit the included link, and, lo and behold, it’s a legitimate website. Because of the relative newness of this initiative, there isn’t a lot out on the web about this yet, so unless you are an experienced internet researcher, your searches might have come up with little evidence that this was a legitimate email.
What this means for you:
Most cautious internet citizens might have trusted their email provider’s guidance on this and just deleted this email, potentially missing out on as much as $200 as a settlement award. False positives are an unfortunate side-effect of a proper security protocol, and in this case, even Google didn’t provide enough information to immediately assuage my suspicions, and a few search results actually led to conversations where people immediately labeled it as a scam. Sometimes the internet does not provide instantaneous answers, nor is it always right, and as always, you should always take your search results with a grain of salt, especially if there is money at stake. If your search results turns up a dearth of information, your best course of action is to wait a few days for the internet to catch up (it always does!) and research again, or to contact a tech expert like C2 Technology to get a second opinion.
Image courtesy of David Castillo Dominici / FreeDigitalPhotos.net
Just this past week I received 2 emails that looked very legitimate, but were in actuality very cleverly designed phishing emails meant to trick unwary individuals into making some bad decisions. And when I say “cleverly designed” I mean that even to my experienced eye, the emails looked very real, with properly implemented graphics, clever use of recognizable branding and even using text from actual legitimate emails to camoflauge the hook.
How did I know they were not the real deal? Well, first off, Gmail’s spam filters flagged them right away (score one for Google!) but there were a couple of other things that immediately marked them as fishy, and a little more investigation revealed the true colors of these sophisticated phishing attempts. These types of emails will happen more frequently once the cybercriminals realize how much more effective they are, so I think it’s time I showed you some techniques for spotting counterfeits before they trick you.
Apply Common Sense
Are you a customer of the company, service or brand that sent you an email asking you to do something? Is what they are asking you to do something that makes sense for that particular company/service/brand? In the example here, I received an email that looks like it was from ATT notifying me that my monthly account was ready for review. OK, this would have passed the “smell test” for me a couple years ago, but I’m not an ATT customer anymore. However, ATT is the largest cellular provider in the US, so it’s not inconceivable that many, many people thought this was a legitimate email.
Who’s the email from? And who is the actual recipient?
In the fake ATT email, you can see clearly that the sender on this email is totally bogus (outlined in RED at the top). Why would ATT be sending an email from the IRS? Always look closely at who the sender was on the email, especially if it looks like it’s something you might expect to see in your email box. Is that email address actually correct. Call up the sender to ask if they actually sent the email.
In my second example, the sender actually looks like it might be legitimate at a passing glance. They got the domain right, so now you have put your security glasses on and take a harder look. This particular email was sent to a recipient address that is an alias for a webmaster inbox for one of my clients. I know for a fact she uses Quickbooks, but I also know she would never have used this particular email address to register the product or create an account because it goes to my email box, not hers. On top of this, there are several other addresses in the CC field (including 2 that weren’t actually email addresses), something you should never see when receiving a legitimate, automated email from a company like Intuit.
But once again, the content looks legitimate, and it’s not unlikely that the phisher landed a few hooks, considering how widely used Quickbooks is in the business world. So, let’s dig a little deeper!
Are the embedded links legitimate?
Outlook provides a handy feature that allows you to roll over a link in an email and see the actual URL of the link, even if it isn’t typed out in the email (which it never will be in a phishing attempt). Webmail users may not have this function handy, depending on the browser and the service you are using. Regardless of what program you are using, NEVER CLICK LINKS THAT YOU CAN’T ACTUALLY VERIFY, AND IF YOU HAVE THE SLIGHTEST HINT OF DOUBT, STOP CLICKING AND START DIALING FOR A HUMAN! (If ever there was a justified need for all caps and bold, that was it.)
In my two examples, you can clearly see that neither of the “call to action” links actually go to sites that have even the remotest connection to either of the services they purport to represent. Why would my American ATT account need me to click a domain in Australia? Why would I ever download US Withholding Data from a domain with “latina dot com” in the name?
What this means for you:
These types of emails will continue to become harder to spot, and I will guarantee you that the cybercriminals will continue to improve their counterfeiting techniques once they see how effective they are as compared to the past easy-to-spot and detect trash that normally fills our Junk folders. Unless the good guys come up with better ways to protect us (and they haven’t yet!), the best defense is (as my good friend Prof. Moody likes to shout) “Constant vigilance!” Take the time to read all emails carefully, and think twice before clicking once.