Monitoring & Intelligence

So how do you establish how bad a fraudulent Email problem your organisation may be suffering from is, or for that matter, how well any controls you might put in place are working? The problem is Internet (SMTP) Email is rather, ‘fire-and-forget’, and excepting non-delivery reports (NDRs), you may know little about fraudulent Email being sent in your name.

5.1 Customer Feedback

One option is to provide customers with a feedback Email address to which they can forward suspected fraudulent Email. This is fairly common, although sadly there is little consistency in address naming, which makes it more involved and confusing for customers, for instance:

We would propose you use something short, simple and memorable; ‘phishing@’ meets these objectives well. A name unique to your organisation is less likely to be used than a ubiquitous, and therefore more memorable, address: ‘phishing@’ is akin to ‘info@’ as a generic, widely known address. In the author’s view, addresses such as ‘Ihaveseenascam@’, while creative, are less likely to be remembered and so less likely to be used, reducing customer feedback.

While customer-forwarded Email provides you copies of fraudulent Email in circulation, it suffers a number of limitations:

  1. Reporting may be sporadic
  2. Forwarded messages will lack the original message headers and so will not provide information about the original source of the message
  3. Reporting will tend to be some time after-the-event based on how frequently the customer checks their Email


You can request customers forward suspected mail as soon as the receive it and even provide information on how to copy and paste original message headers, however, it’s unlikely such advise will significantly improve this channel as a means of obtaining intelligence on fraudulent Email activity.

5.2 Tracking Real-World Traffic

The DMARC mechanism described in section 4.5 can provide aggregate statistics and failure (or forensic) reports by Email – although many ISPs do not provide the more detailed failure reports as explained previously.

Analysis of the aggregate data reports therefore gives you a view of real-world mail volumes observed by ISPs and their ‘disposition’ towards these messages; whether the messages passed or failed any SPF or DKIM policies you might have in place and whether the ISP considered them fraudulent and applied anti-spam policies. You do of course require a mechanism to consume the zipped XML files and make sense of the data being delivered.

A supplementary means to gain information is via the use of a specialist Email monitoring service. These services may employ spam traps: honeypot Email addresses established for the sole purpose of collecting fraudulent Email for analysis. Some may also have partnerships with major public Email infrastructure providers for the exchange of redacted information. Under these partnerships the Email service provider gives information about mail flows and the monitoring service provides information back about suspected fraudulent Email suitable for handling as spam; ultimately it’s in the Email service provider’s interest not to permit their infrastructure to become filled with spam no one wants.

These monitoring services may also be capable of consuming your DMARC reports and so provide you a ‘mechanism’ to turn the raw XML data into actionable information.

Between them, DMARC reports and Email monitoring services provide you the best means to understand the scale of problem your organisation or brand faces. Obviously this data will only represent a proportion of total Internet Email traffic, however, the data will provide you an indication of relative levels of fraudulent Email at any one time.

It is also possible to scale the Email volume figures obtained, as the data will include details of your legitimate Email traffic. Knowing the volume of your legitimate traffic vs. the volume reported, you can approximate the percentage of total Email in circulation that the data represents. This gives you a scaling factor to apply to all the data, and so an indication of the absolute number of fraudulent messages in circulation. It’s only an approximation, but it’s much closer to the real number than having no idea at all.
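As an added worked example (not code from the original guide or any particular service), the script below consumes a zipped DMARC aggregate report in the RFC 7489 XML layout, tallies message counts by aligned SPF/DKIM result and by the receiver’s disposition, lists the sources that failed both checks, and applies the scaling factor described above. The report contents, the reporter name, the IP addresses, the volumes and the 40,000 ‘known legitimate’ figure are all constructed values for illustration.

```python
"""Consume a zipped DMARC aggregate (RUA) report and scale its figures.

Added example, not code from the original guide. The report below is a
constructed sample in the RFC 7489 Appendix C layout; reporter, domain,
IP addresses and message counts are invented.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: two sources sending as bank.example that align
# (DKIM or SPF pass) and one unknown source failing both, quarantined.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>isp.example</org_name><report_id>r-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>bank.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>8000</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>2000</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>500</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers>
    <auth_results><spf><domain>unrelated.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def build_sample_zip():
    """Wrap the sample XML in a zip, the form in which reporters deliver RUA files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("isp.example!bank.example!1700000000!1700086400.xml", SAMPLE_XML)
    return buf.getvalue()


def parse_report(zip_bytes):
    """Return one dict per <record>, using the aligned results in <policy_evaluated>."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            root = ET.fromstring(zf.read(name))
            reporter = root.findtext("report_metadata/org_name", default="unknown")
            for rec in root.iter("record"):
                row = rec.find("row")
                pe = row.find("policy_evaluated")
                rows.append({
                    "reporter": reporter,
                    "source_ip": row.findtext("source_ip"),
                    "count": int(row.findtext("count", default="0")),
                    "disposition": pe.findtext("disposition", default="none"),
                    "dkim": pe.findtext("dkim", default="fail"),
                    "spf": pe.findtext("spf", default="fail"),
                })
    return rows


def summarise(rows):
    """Tally message counts by DMARC alignment and by the receiver's disposition."""
    totals = Counter()
    for r in rows:
        # DMARC passes when either aligned identifier (DKIM or SPF) passes.
        aligned = r["dkim"] == "pass" or r["spf"] == "pass"
        totals["total"] += r["count"]
        totals["aligned" if aligned else "unauthenticated"] += r["count"]
        totals["disposition:" + r["disposition"]] += r["count"]
    return totals


def unauthenticated_sources(rows):
    """Sources whose mail failed both aligned checks: the list to investigate."""
    by_ip = Counter()
    for r in rows:
        if r["dkim"] != "pass" and r["spf"] != "pass":
            by_ip[r["source_ip"]] += r["count"]
    return by_ip.most_common()


def estimate_volume(totals, known_legit_sent):
    """Scale the report by the share of your own legitimate mail it covers.

    known_legit_sent is your outbound volume for the report period, taken
    from your own gateway logs; coverage = observed aligned / known sent.
    """
    if known_legit_sent <= 0 or totals["aligned"] == 0:
        raise ValueError("need a positive legitimate volume on both sides")
    coverage = totals["aligned"] / known_legit_sent
    scale = 1 / coverage
    return {"coverage": coverage, "scale_factor": scale,
            "estimated_unauthenticated": totals["unauthenticated"] * scale}


if __name__ == "__main__":
    rows = parse_report(build_sample_zip())
    totals = summarise(rows)
    print(dict(totals), unauthenticated_sources(rows), estimate_volume(totals, 40000))
```

With the constructed figures, 10,000 aligned messages against 40,000 known sent gives 25% coverage, a scaling factor of 4, and an estimate of about 2,000 unauthenticated messages in circulation. Treat the ‘unauthenticated’ bucket as candidates rather than proven fraud: forwarded mail and misconfigured legitimate senders also fail alignment, so the per-IP list is the starting point for investigation, and the disposition counts show what the receiver actually did with the mail.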

5.3 Take-Down Services

Many fraudulent messages use compromised websites to host fake login, refund application or other pages to which the message directs the user. Alternatively, messages carrying malware attachments rely on a host to which stolen information will be forwarded, or on a botnet command-and-control (C&C) centre from which further instructions can be obtained.

Specialist take-down services exist that will trace the compromised website or location to which information stolen by malware will be sent and attempt to have the fraudulent pages removed, C&C closed and generally disrupt the theft of customer information. This then limits the effectiveness of fraudulent ‘campaigns’ once parts of the component infrastructure can be identified and disabled.

To assist in the rapid disruption of fraudulent campaigns, the Email monitoring services described in 5.2 Tracking Real-World Traffic often provide an additional benefit by passing copies of the redacted messages they receive from their Email service provider partners to a take-down service. Indeed, the Email monitoring service may even incorporate an integral take-down service. The ‘always-on, always monitoring’ nature of these services then significantly decreases the delay between fraudulent Email being sent, being detected, and countermeasures being taken to disrupt the campaign.

Note that DMARC is less able to provide this assistance due to the limited adoption of failure/forensic reports by ISPs. Without copies of the actual messages, a take-down service is unable to identify component infrastructure being used to commit the fraud and so move to disable it.

5.4 Tracking Malicious Domain Registration

Email monitoring and take-down services are both reactive mechanisms: they wait for fraudulent Email to be sent, the monitoring observes the messages, and the take-down services use the information obtained to identify component infrastructure and move to disable it.

Another mechanism is the pro-active monitoring of domain name registrations. Some fraudulent campaigns look to register a domain name that looks as if it refers to the true organisation. The domain name is then used to add legitimacy to the campaign and increase the trust the Email recipient will have in any fraudulent Email. Such domains are often registered a few days before the campaign is launched providing a window in which to detect the new name and move to have the name disabled before it can be used; in effect disrupting the campaign even before it is launched.

Specialist services can scour the major top level domain name registries and provide regular ‘dodgy domain name’ reports. Such reports may of course throw up legitimate domain names that share parts of your organisation’s name or brand, but these can then be reviewed and discounted while other names are pursued through Domain Name Dispute mechanisms and/or law enforcement agencies to prevent the use of the name for a suspected campaign.

Such ‘dodgy domain name’ searches can also reveal other lower risk domain names that may not be directly related to fraudulent activity, but which may seek to pass themselves off as being related to your organisation or brand. You may then wish to pursue these names/websites as well as part of a longer term strategy to remove domain names and websites that may cause customer confusion as to whether they represent your organisation or not.
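The screening such a ‘dodgy domain name’ report performs can be illustrated with a small script. This is an added example, not code from the original guide or from any registry-monitoring vendor: the brand label, the feed of ‘newly registered’ names and the confusable-character table are all constructed, and the script assumes the registrable label is the first DNS label (adequate for apex registrations; a real service would use a public-suffix list and a live registration feed). It flags identical labels under other TLDs, names that embed the brand, and near misses by edit distance, leaving the human review the text describes to discount the false positives.

```python
"""Screen a new-registration feed for domains that resemble your brand.

Added example, not the guide's or any vendor's code. The brand, the feed
and the confusable table are constructed for illustration.
"""

BRAND = "bigbank"  # constructed brand label to protect

# Constructed feed of recently registered names, with why each is here.
NEW_REGISTRATIONS = [
    "bigbank-secure-login.com",  # brand embedded in a longer name
    "b1gbank.com",               # digit substituted for a letter
    "bigbnak.co.uk",             # transposed letters
    "bigbank.net",               # same label, different TLD
    "thebigbankblog.net",        # contains brand; may be legitimate, review
    "bigbake.com",               # near miss, probably unrelated, review
    "weather-today.org",         # unrelated
]

# Folds applied before comparison: common visual substitutions plus hyphens.
FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
         ("4", "a"), ("5", "s"), ("7", "t"), ("-", "")]


def normalise(label):
    """Lowercase and fold confusable characters so lookalikes compare equal."""
    label = label.lower()
    for src, dst in FOLDS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def flag_lookalikes(brand, feed, max_distance=2):
    """Return (domain, reason) pairs for feed entries resembling the brand.

    Assumes the registrable label is the first DNS label; a public-suffix
    list is needed to do this properly across all TLDs.
    """
    target = normalise(brand)
    flagged = []
    for domain in feed:
        label = normalise(domain.split(".")[0])
        if label == target:
            flagged.append((domain, "identical label"))
        elif target in label:
            flagged.append((domain, "contains brand"))
        else:
            distance = levenshtein(label, target)
            if distance <= max_distance:
                flagged.append((domain, f"edit distance {distance}"))
    return flagged


if __name__ == "__main__":
    for domain, reason in flag_lookalikes(BRAND, NEW_REGISTRATIONS):
        print(f"{domain:28} {reason}")
```

On the constructed feed, six of the seven names are flagged; ‘bigbake.com’ and ‘thebigbankblog.net’ are the kind of hits a reviewer would expect to discount or hold as lower risk, while the others are candidates for dispute or law-enforcement action. The distance threshold trades false positives for coverage: for short brand labels, lower it to 1.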

As a point of note, usually domain names registered for direct fraudulent use are made with stolen credit card details and so it’s not usually possible to back-track from the registration to the perpetrator.
