I've been with MDaemon Technologies since March, 2007. As Technical Marketing Specialist, I provide a variety of services to educate and inform, including technical and sales training for our global network of partners, public webinars and personal demos for customers, collateral materials such as how-to guides, sales guides and datasheets, marketing and tutorial videos, social marketing (blog, Twitter, Spiceworks, Facebook, YouTube & LinkedIn), and much more.
Most of our customers are small-to-medium businesses with limited IT budgets across a variety of industries – including healthcare, education, manufacturing, and government. Having a limited IT budget often means having limited staff available for troubleshooting email or tracking down messages, so when considering which email gateway/spam filter you want for your business, one of the main criteria to consider is how easy it is to find messages for your users. Users who are expecting business-critical messages need to know ASAP what happened if that message is not delivered. With Security Gateway, it’s easy to find out if a message was rejected, quarantined or delivered. If it was rejected or quarantined, color-coded transcripts make it easy to determine exactly why the message was not delivered.
At-a-Glance: The Message Log Window
Let’s have a look at the message log and its layout.
Use the buttons across the top to:
Refresh the message list
Search for messages. Advanced search options are provided, allowing you to find messages based on a variety of criteria, such as message contents, delivery date, the result of the message delivery attempt, keywords in a message header, and others.
View message details (providing the same information as double-clicking the message)
Redeliver the message. Note that if the issue that made a message undeliverable still exists then the message will return to the message log with the same status.
Whitelist the sender or sender’s domain
Blacklist the sender or sender’s domain
Press the blue buttons to enable or disable specific columns.
The right-facing blue arrows indicate outbound messages, and the left-facing green arrows indicate inbound messages.
The remaining columns from left-to-right include:
Date (notice the arrow indicating sort order)
The message sender (From)
The message recipient
The message subject
The result of the message delivery attempt (Delivered, Quarantined, Rejected, etc.)
The reason the message was quarantined or rejected (for those that meet these criteria)
The message size
The final message score based on the total score accumulated by all security tests performed
Viewing message transcripts to determine a message’s fate
Now that we’re familiar with the layout of the message listing, let’s review how to troubleshoot email delivery issues.
Key events in a message’s transcript are color-coded for easy identification. In the following example, the message was scanned by SpamAssassin. During this process, it accumulated 1.7 points. It was then scanned by Outbreak Protection, during which it accumulated an additional 5.5 points. Finally, the total message score was tallied with a final score of 12.2 points and was rejected.
We’ve created the following video to help you become more familiar with message tracking in Security Gateway.
This week, we released MDaemon 19, with new features that benefit administrators and end users. The following is a summary of key improvements. You can view the complete list of updates in the MDaemon release notes.
New Features for Administrators
One of the first things administrators will notice is that the behavior of the “Start MDaemon” Start menu shortcut has changed. When clicked, you’ll now be taken to MDaemon Remote Administration via your browser. If you’d like to launch the MDaemon console directly, you can use the “Open MDaemon Configuration Session” shortcut, as shown here:
Enhanced Integration with Third-Party Plugins
MDaemon’s XML-API has been expanded to include additional capabilities. Folders and their contents can be created, deleted, renamed, and moved using the API. Developers can use these expanded features to display or manipulate the content of user mailboxes.
“External Message” Warning
A new “External Sender” Content Filter condition has been added, along with a new “Add a warning to the top of the message” action. This allows administrators to create a rule that will add a custom warning to the top of all email messages originating from external sources – providing extra protection against phishing attempts by alerting users to treat these messages with extra care.
Support for Separate SSL Certificates for Each Host/Domain
MDaemon supports TLS Server Name Indication (SNI). This allows domains and host names to have their own assigned SSL/TLS certificate, rather than having to share a single certificate.
New Authentication Failure & Frozen Account Reports
MDaemon’s Dynamic Screening feature includes the option to send authentication failure and frozen account reports to end users. When a given number of authentication failures has been reached, or when an account has been frozen, the user is notified so that corrective action can be taken.
New Features for End Users
Webmail – “All Unread” and “All Flagged” Saved Searches
When logging in for the first time, MDaemon Webmail users will receive a prompt asking if they would like to create an “All Unread” and “All Flagged” saved search for convenient, one-click access to unread or important messages.
Webmail – Expired Session Indicator
MDaemon Webmail will display (EXPIRED) on the browser tab when a user’s session has expired. This allows users who have multiple browser tabs open to be notified when they have been logged out without having to switch tabs.
Other Improvements Include:
Autodiscover support has been expanded to accommodate a wider variety of connecting clients (including eM Client, Thunderbird, Outlook, and others). The service can also now be configured to pass a custom host name to the connecting client on a per-service basis (for example: administrators can configure ActiveSync to connect to activesync.domain.com and IMAP to connect to imap.domain.com, etc.).
The option “Only send antivirus update notification on failure” is now enabled by default, and when updating to MDaemon 19, it will be enabled the first time MDaemon starts up.
MDaemon Remote Administration New Features:
Added license management options to the Registration page.
Added AntiVirus Updater and Scheduler dialog
Added queue counts, process message counts, other process counts, session statistics, and more process states to the Status page.
The MDaemon AntiVirus configuration screen has been updated. Both antivirus engines (Cyren and ClamAV) can now be configured from a single screen.
When ActiveSync is disabled for a domain, administrators will receive a pop-up asking if they would like to revoke ActiveSync access for users of the selected domain. This makes it easier to revoke access and reduces the usage of ActiveSync licenses.
The STARTTLS White List now takes precedence over the STARTTLS Required List and the “SMTP server requires STARTTLS on MSA port” option.
New options have been added to Security | Spam Filter | Spam Honeypots and Security | Security Settings | Screening | SMTP Screen to enable/disable the Dynamic Screening notification when an IP is blocked.
Don’t Risk Losing your Life Savings to Scammers. Follow these 10 Tips to Identify a Phishing Email.
Whether you run a Fortune-500 organization or a small boutique, by now you should be aware of the threats posed by cyber criminals to trick you into clicking a link, downloading an attachment, or parting ways with your money.
Modern day email scams are getting more sophisticated, leading to staggering losses for businesses of all sizes. According to the 2018 Verizon Data Breach Investigations Report, phishing was used in 93% of all reported breaches, with email being the main attack vector in 96% of reported cases.
While these figures are staggering, they continue to rise as scammers reap huge payouts from BEC (Business Email Compromise), CEO fraud and other phishing scams.
The real estate industry is a prime target for phishing because large sums of money change hands and there are various weak links in the transaction process. If any step within the transaction process becomes compromised with a successful phishing email, the attacker could gain access to a legitimate email address from which to launch other attacks. The fraudster could then lie in wait, scanning email messages for financial or transaction related details, and then send off fraudulent wire transfer instructions to an unsuspecting buyer, seller, or agent. For example, this happened to a 31 year-old first-time home buyer in San Antonio, Texas. You can read details about this case here, but the short version of the story is that she felt that she was in a time crunch to send in her down payment and finalize other closing tasks, and felt that the title company was dragging its feet. This state of high anxiety made her a prime target for a phishing email she received stating that she had previously been given the wrong wire transfer information, and that she needed to wire her down payment to a new account. With 5 hours left to get everything done, she attempted to contact her title company to confirm the change, but no one responded, so in a panic, she hastily ran to the bank and wire transferred her $52,000 down payment. Unfortunately, she sent her life savings to scammers.
The phishing industry is so lucrative for scammers because the barriers to entry are low relative to potential huge payouts. With botnets-for-hire and Malware as a Service (Maas), spammers have an impressive arsenal of tools at their disposal to propagate their campaigns, so to fight this scourge, an educated user is the best defense against phishing scams. With this in mind, here are my top 10 tips on how to identify and protect yourself from phishing attacks.
Watch out for messages disguised as something expected, like a shipment or payment notification. These often contain links to malware sites. Hover your mouse over any links to make sure they’re safe. Think before you click! Here’s an example using a phishing email I received claiming to come from HSBC.
Watch for messages asking for personal information such as account numbers, Social Security numbers, and other personal information. Legitimate companies will never ask for this over email.
Beware of urgent or threatening messages claiming that your account has been suspended and prompting you to click on a link to unlock your account.
Check for poor grammar or spelling errors. While legitimate companies are very strict about emails they send out, Phishing emails often contain poor spelling or grammar.
Hover before you click! Phishing emails often contain links to malware sites. Don’t trust the URL you see! Always hover your mouse over the link to view its real destination. If the link claims to point to a known, reputable site, it’s always safer to manually type the URL into your browser’s address bar.
Check the Greeting – Is the message addressed to a generic recipient, such as “Valued customer” or “Sir/Madam?” If so, be careful & think twice! Legitimate businesses will often use your real first and last name. In our HSBC example, notice the generic greeting.
Check the Signature – In addition to the greeting, phishing emails often leave out important information in the signature. Legitimate businesses will always have accurate contact details in their signature, so if a message’s signature looks incomplete or inaccurate, chances are it’s spam. In our HSBC example, the sender’s name and contact information are missing from the signature.
Don’t download Attachments – With the proliferation of Ransomware as a Service (Raas), spammers have an easy mechanism for distributing malware-laden spam messages to thousands of users. And because the payout for ransomware can be quite high, even one successful ransomware infection could net the spammer large amounts of money. If there’s ANY doubt about the identity of the message sender or the contents of an attachment, play it safe and don’t download the attachment.
Don’t trust the From address – Many phishing emails will have a forged sender address. The From address is displayed in two places. The Envelope From is used by mail servers to generate NDR messages, while the Header From is used by the email client to display information in the From field. Both of these headers can be spoofed. MDaemon Webmail has built-in security features to help users identify spoofed emails. Many mail clients hide the From address, only showing the From name, which can be easily spoofed. In MDaemon Webmail, the From address is always displayed, giving users a clearer view into the source of the email and helping them identify spoofed senders. Using our HSBC example, I’ve highlighted the actual sender.
MDaemon Webmail will also display information in the Security tag to help users identify messages from verified senders, as shown here.
Don’t Enable Macros – And while we’re on the subject of ransomware, another common vector for ransomware infections is through macros in Microsoft Word documents. These documents often arrive in phishing emails claiming to have important content from HR, Finance, or another important department, and to trick the user, they request the user to enable macros. Never trust an email that asks you to enable macros before downloading a Word document.
While anti-spam and anti-malware tools are quite effective at filtering out the majority of scams, there’s really no substitute for good old-fashioned user education. Know the potential costs to your business and don’t become the next victim!
If you’re the MDaemon or SecurityGateway administrator and need help with your security settings to help block as much phishing as possible before it reaches your users, give us a call or drop us an email support request.
“We are excited to bring our many years of email security expertise and management to offer customers and channel partners a new cloud service without the need for them to make expensive hardware and infrastructure investments,” said Kevin Beatty, Vice President of Marketing and Business Development. “By adding this new service, expanding our DLP features and integrating archiving without increasing the cost of the product, we continue to offer customers unmatched value.”
It’s just a fact of life: If there’s email, there will always be spam. Now, how much spam you have to deal with will depend on how good your spam filtering solution is. Here at MDaemon Technologies, we use our own products – MDaemon and Security Gateway, to filter out spam, malware, phishing attempts, and all of the other junk that often floods inboxes of users whose email server or hosted service isn’t as effective.
“If I have a good spam filter, do I REALLY need to know how to recognize phishing scams?”
If an email security company or hosted provider tells you their spam filter will catch 100% of spam, they’re not being completely honest. Most companies say their products catch 99% or 99.5% in their SLA (Service Level Agreement), with a false-positive rate of %.0001 or less. That’s reasonable and to be expected, especially considering the statistics.
According to public data, spam made up over 71% of global email traffic in April, 2014. As of September, 2018, spam volume had decreased to 54%, but considering that over 281 billion email messages are sent per day worldwide, that’s still over 151 billion spam messages sent every day, and while spam may be decreasing in total volume, it’s becoming more dangerous, with cryptojacking overtaking ransomware as the attack vector of choice for cybercriminals, and malware-as-a service turning cybercrime into a commodity for the masses,
So no matter how good an email security product is, there is always that chance that new and emerging (and sometimes tried-and true) social engineering techniques will succeed in tricking the next unsuspecting victim to part ways with his or her company’s bank account details.
And that brings me to the point of today’s post. It bears repeating that companies of all sizes and industries should consider ongoing training with their employees on how to recognize phishing attempts.
In today’s example, the scammer is using a classic BEC (Business Email Compromise) attack to try to get the recipient to open a malicious ISO file.
Because the threat of phishing and Business Email Compromise will continue well into the future, I will revisit this topic regularly throughout the year.
Businesses of all types must maintain records containing personal information about their employees and customers, and executives and clients alike have a mutual interest in protecting that data. But there’s no guarantee that every employee will treat confidential account numbers, Social Security numbers, passport numbers or other personal data with the same amount of care. So how can we prevent this sensitive data from getting into the wrong hands?
We’ll show you how and give you a sneak preview of upcoming new data leak prevention rules in our latest Security Gateway video!
In the early to mid nineties, our founder and CEO Arvel Hathcock recognized the need for a less expensive, easier to manage alternative to Microsoft Exchange Server for small-to-medium businesses. With solid programming skills and an entrepreneurial spirit, he created the MDaemon Email Server and launched Alt-N Technologies.
Through word of mouth among IT professionals and with the help of great channel partners, the popularity of MDaemon spread to customers across the globe. Over the years and in various geographies, the product name became more recognized than Alt-N Technologies. To better leverage the name recognition that had been built over the many years of MDaemon email server popularity, the company was renamed to MDaemon Technologies in January of 2018.
Helping the World Communicate
From the introduction of Webmail in 1997 and instant messaging in 2001, to support for third-party XMPP chat clients in 2016, MDaemon has helped improved communication for businesses in over 90 countries.
Focused on Security
Alongside these communication features came enhancements in security. IP Shielding, which is used to help prevent spoofing by blocking messages from unauthorized IP addresses, was introduced in 1996 before MDaemon even had version numbers (for some great historical information, check out the Ancient-History.txt file located inside the MDaemon/Docs directory). Relay control was added the following year, with many new security features added with each new release. In 2005, MDaemon became the first Windows-based email server to offer DKIM (Domainkeys Identified Mail) as a new tool in the fight against spoofing. And to address the growing need to protect confidential data and meet growing regulations in health care, finance, and other industries, email encryption with OpenPGP was added in 2015.
Sharing & Collaboration
MDaemon’s collaboration tools have evolved over the years as well. Instant messaging was added in 2001, followed by shared calendars and groupware in 2002 and 2003. Scheduling meetings with multiple attendees was made easier by the addition of free/busy in 2006.
As business communication needs evolve, so does MDaemon, with new features on the way for 2019. If you’d like to be among the first to benefit, follow us on twitter for the latest news & product updates.
As we continue to bring awareness to these threats, new ones emerge almost daily. In the past three months, a cyber-espionage group known as Seedworm (aka MuddyWater) has used spear-phishing attacks to infect 131 individuals with the Powermuddy backdoor (a new variant of their Powermud backdoor). Once a system has been compromised, this malware runs a tool that steals passwords from a user’s browser and email, often leading to access to the victim’s email and social media accounts.
Protect Yourself from the Latest Threats
Over the years, I’ve posted many times about phishing, spear-phishing, and other threats, with a variety of suggestions for protecting yourself and your business from becoming the next victim. Throughout these posts (from oldest to newest), you’ll find lots of tips to avoid being tricked by these email-borne scams.
As the threat landscape continues to evolve, businesses of all sizes must maintain awareness of the latest email-borne threats and educate staff at all levels, from entry level to C-suite. After all, without the right tools and procedures in place, it only takes one misguided mouse click to damage a business’ reputation or send it into bankruptcy.
In part one of our three-part series on Business Email Compromise (BEC), I explained what a BEC attack is and provided examples and statistics. As you’ll recall from the examples discussed, businesses have suffered staggering losses to these attacks, and while users are becoming more aware of them, their own human nature dictates that these threats will continue. In fact, a recent report by Get Safe Online indicated that over a third (37%) of employees don’t know what to look for to identify common email scams. The report also stated that one in 20 email fraud victims were so ashamed that they hid their mistakes from their colleagues.
In part two, I discussed the following 4 steps cybercriminals take to conduct a BEC attack.
Identify the target victim
Exchange of information
Businesses can make Step 1 more difficult by carefully crafting and monitoring online content such as company websites, LinkedIn profiles and other publicly available information, but as long as employees can be influenced by excessive trust, intimidation, or simply lack of awareness, businesses will need to implement additional preventive measures to avoid potentially devastating losses. After all, once a credible target has been identified, the best defense is a well-informed workforce.
Top 10 Business Email Compromise Protection Tips
Train Users to recognize these Common Impersonation Tactics used by Cybercriminals
Domain Name Spoofing – Domain name spoofing involves either spoofing the sender’s “Mail From” to match the recipient’s domain in the message envelope, or using a legitimate domain in the “Mail From” value but using a spoofed “Reply-To” domain in the message header.
Here is an example that has been spoofed to look like it was sent from HSBC Bank:
A quick examination of the message headers reveals a return-path address that is not associated with the From address. A reply to this message would go to firstname.lastname@example.org.
Display Name Spoofing – Most BEC attacks use this technique. With display name spoofing, the attacker will register a free email account that may contain the name of a company executive. The attacker would then configure the display name to match your CEO or some other executive, and then send phishing messages from this account. This technique works because recipients often only look at the display name and not the actual email address. In fact, many email clients (particularly on mobile devices) will only show the display name when viewing the message, making it easier to hide the sender’s real identity. Because the sender’s email address is not forged, messages using this spoofing technique are often more difficult to block than those using domain name spoofing, where the addition of three DNS records (DKIM, SPF and DMARC) have been shown to be more effective at blocking spoofed emails.
Here is an example showing a spoofed display name of HSBC Bank. To help users identify suspect emails, MDaemon Webmail has a handy security feature that displays the actual sender address as well as the display name.
Lookalike Domain Spoofing – Lookalike domain name spoofing involves registering fake domains that contain characters that look similar to others and sending phishing emails from them in an attempt to trick the recipient into thinking the message is from a legitimate domain. An example would be using an upper-case I in place of a lower-case L.
Compromised Email Account – Another common tactic is the use of legitimate email accounts that have been compromised through malware or social engineering to steal data or funds.
Secure your domain
Register domain names similar to yours to protect against lookalike domain spoofing.
Don’t over-share on social media
Be careful what you post on social media, especially job titles and responsibilities, corporate structure information, and out-of-office details.
Use SPF, DKIM and DMARC
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) are anti-spoofing and email authentication techniques that use DNS records to validate the sender of an email. Make sure your domain has valid SPF, DKIM and DMARC records, and make sure your mail server/provider is analyzing all inbound email traffic using these tools. For more information, refer to this blog post.
Use two-factor authentication
With two-factor authentication, users must provide two forms of authentication – a password and another form of verification such as a unique verification code or a fingerprint. Two-factor authentication is discussed further in this blog post.
Use strong password policies
Use strong passwords and require regular password changes. Strong passwords must meet the following criteria:
Must meet a minimum length requirement.
Must contain both letters and numbers.
Must contain both upper and lower case letters.
May not contain the account mailbox or full name data.
Never use commonly guessed passwords such as Password1 or Letmein.
Don’t trust unknown sources
Never open emails, click on links, or download files from unknown senders. To help users verify the identity of a message sender, MDaemon Webmail displays the full email header in addition to the display name.
Establish strict processes for wire transfers
You may recall from my previous post that cybercriminals have been known to target all parties in a real estate transaction. If you receive a request to change the payment type or the original recipient’s financial information, be sure to verify the information through already-established channels of communication.
Before responding to wire transfer requests, verify the identity of approved vendors and the authenticity of their invoices. Confirm in person or by phone using previously known numbers. Don’t trust the phone number on the invoice.
Provide regular end-user training
User education must be reinforced on a regular basis for stronger awareness. Every employee who uses email should know how to recognize a spoofed email or a phishing attempt.
Run antivirus software often
Make sure your antivirus software is up-to-date and run it regularly.
While traditional security measures such as network defenses and email gateways can be effective at blocking most varieties of spam, the bottom line is that user awareness and education are critical to avoid falling victim to BEC attacks.
This week, we continue our series on Business Email Compromise. Click here to read Part 1, which includes an overview and various statistics on this growing threat.
It takes time and effort to launch a successful Business Email Compromise (BEC) attack. In a typical attack, several messages are exchanged in an attempt to convince the target to authorize large payments to the attacker’s bank account. From start to finish, the steps involved in a BEC attack consist of identifying a target, grooming, exchanging information, and finally, transfer of funds.
Let’s go over these four steps in detail.
Step 1 – Identify the Target Victim
The first step in a BEC attack may be the most time-consuming. During this step, a criminal organization researches the victim to develop an accurate profile of the company. Through publicly available information, attackers look for the names and positions of company executives, especially those on the finance team. They scour social media, online articles, and anything else that will provide specific details about the company and its employees. Scammers who are able to infiltrate a company’s network with malware may spend weeks or months monitoring information on the company’s vendors, billing and payment systems, and employee vacation schedules. They have also been known to monitor the executive’s writing style in order to craft a convincing email using a spoofed email address or lookalike domain claiming to come from the CEO.
Step 2 – Grooming
Armed with the information obtained in Step 1, the scammer moves on to Step 2. During this step, the scammer uses spear-phishing, phone calls or other social engineering tactics to target employees with access to company finances. The grooming phase often takes several days of back and forth communication in order to build up trust. During this phase, the scammer may impersonate the CEO or another company executive and use his or her authority to pressure the employee to act quickly.
Here is an example sent to one of our Finance executives in which the sender used display name spoofing to spoof the name of our CEO. Cybercriminals will often use a free email address (notice the comcast.net domain), which can be easy to miss if you’re using a mobile device or some other client that doesn’t display the full email header.
Step 3 – Exchange of Information
During step 3, the victim is convinced that he is conducting a legitimate business transaction, and is then provided with wire transfer instructions.
Step 4 – Payment
And finally, funds are transferred and deposited into a bank account controlled by the criminal organization.
What to Do if You Are a Victim
If you’ve suffered losses due to Business Email Compromise schemes, it is important to act quickly.
Contact your financial institution immediately.
Request your financial institution contact the institution that received the fraudulent funds.
Contact your local FBI office and report the incident.