Page 11 - Ohio Vol 5 No 2
P. 11

MICHAELZINN | E-Discovery Sender Policy Framework
Itisn’t uncommon to be told that someone was expecting to receive an email but never re-
ceived it and when they checked with the person who was going to send the email, the person tells them the email was bounced back, rejected, blocked, or didn’t go through.
In 2003, the United States of America passed the “CONTROLLING THE ASSAULT OF NON- SOLICITED PORNOGRAPHY AND MARKETING” or “CAN-SPAM” Act.  e CAN-SPAM Act is recorded in 15 U.S.C. Chapter 103. One of the things the CAN-SPAM Act was meant to address was companies sending unsolicited commercial email and attempting to hide where the email was from by using fake information in the “from:” line of the email or actually sending an unsolicited commercial email through “electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations shall be considered materially misleading.” (15 U.S.C. § 7704 (a)(1)(A))
Sender Policy Framework (SPF) is a method servers can use to request information about the servers which are authorized to send email for a domain. Let’s consider a  ctitious company named Example Company. Example Company employs two people named Alice and Bob. Example Company’s domain name is example.org. Alice’s email address is [email protected] Bob’s email address is [email protected] Example Company’s email server is named mail.example.org.
Now you want to send Alice an email at [email protected] When you send that email, the system must
ask for the Mail Exchanger (MX) record for example.org.  e Domain Name System (DNS) server responds with the name of the mail server for Example Company.  at tells your system that the email needs to be send to mail.example.org and mail. example.org will deliver the email to Alice’s email address [email protected] org.
Unfortunately, malicious users have been sending Alice a lot of unsolicited commercial emails. When Alice receives the emails tough, they say they are from [email protected] Alice is worried that someone might have hacked Bob’s email account. Alice noti es Example Company’s IT department and they reviewed log  les which show when Bob’s email account was logged into and the public IP address that was used to login to Bob’s email account. Example Company’s IT department was not able to  nd any evidence that Bob’s email account was hacked.
How is that possible?
 e malicious users sent the emails to Alice from an email server they hacked but they con gured the email server to send emails saying they are from Example Company.  is is an example of spoo ng.  ink of it like sending a letter in the mail.  e malicious users are changing the return address to say Bob sent the letter to Alice.
 is is why SPF is important. If Example Company con gured SPF and con gured their spam  lter to perform SPF veri cation for emails which are sent to them, the spam  lter would block the unsolicited emails that say they are from [email protected] example.org. SPF looks at the address the email claims to be from. It goes and asks DNS if example.org has an SPF record. DNS responds and says,
AttorneyAtLawMagazine.com
“Yes, example.org has an SPF record. Example Company permits 127.0.0.1 and 127.0.0.2 to send email from example.org.”
SPF looks at each email that is sent to [email protected] and [email protected] example.org. SPF looks at the emails sent from the malicious users. SPF sees the emails say they were sent from [email protected] SPF looks at the emails to see what the IP address is that send them.  e emails were sent from 127.8.8.140. SPF sees that 127.8.8.140 is not 127.0.0.1 or 127.0.0.2 so the emails fail SPF veri cation and are blocked.  is may seem very technical and it is.  e good news is a knowledgeable IT department should be able to properly con gure SPF for their company in as short as  ve minutes.
SPF has existed since 2006, when it was published by  e Internet Society.  ere are di erent solutions for spoofed emails.  e e orts to automate the identi cation and blocking of spoofed emails are still ongoing. Properly con guring SPF is one best practice. New methods of doing this include arti cial intelligence.
O en malicious actors send fraudulent email which contain malware or a link to malware in an e ort to convince the user to install the malware. While no one security mechanism should be relied on to provide robust security, properly con guring SPF in addition to a spam  lter that conducts SPF veri cation on inbound emails is an extremely important measure
which o en takes a relatively short amount of time to con gure.
Micro Systems Management Company’s Michael Zinn is a recognized digital forensics and cybersecurity expert who holds a number of industry certi cations including certi ed computer examiner (International Society of Fo- rensic Computer Examiners), EC-Council computer hacking forensic investigator, AccessData certi ed examiner, and AccessData mobile examiner. He is an experienced computer security incident response team leader and is available for cybersecurity consultations and cybersecurity training. For more information, visit https://www. msmctech.com/.
11


































































































   9   10   11   12   13