How does Connect Xf or Mithi SkyConnect prevent email spoofing?

Q: We have our hosted setup and we had one very bad experience of an email compromised after sending. It was in between changed/manipulated and sent to the recipient. That resulted in major loss. The originator did not send that content in the email. Will hosting in Mithi Cloud prevent it? How?

What you are describing is called “Email Spoofing”. A user sends a mail but makes it appear as if it was sent by another user. There are various ways “spoofers” achieve this:

To explain the scenarios, let's take an example: Ravi and Smita are colleagues in the same organisation, and Ravi sends a mail on behalf of Smita (Ravi has spoofed Smita's email id).

1. Ravi hacks into Smita's email box (since she has a weak password and the email system doesn't have any password security in place, e.g. password history, account lockout, password age, etc.) and sends a mail on Smita's behalf. In this scenario the mail has gone from Smita's account, but she is unaware of it.

From a Mithi solution perspective, the chance of this happening is vastly reduced by applying the following security policies for each account:

  • Strict Password Policies to ensure complex passwords, regular password rotation, automatic account lockout after several unsuccessful attempts, and always-fresh passwords by checking new passwords against the password history.
  • Access control to define which services the user can access and the trusted network ranges from which the user can access the server.
  • Mail Policies to control where each user can send mail and under what conditions.
  • Every mail send request requires authentication by a valid sender in the network.

2. Ravi impersonates Smita: Ravi connects to the organisation mail server, authenticates using his own account but sends a mail containing Smita’s email id in the “From ID” header. When the recipient gets this mail, it appears to have been sent from Smita’s email id. This is possible with mail servers which have a weak authorisation system.

From a Mithi solution perspective, this can be prevented by applying the following security policies for each account:

  • Email Spoof Check: This means that if Ravi is authenticating then the mail should also contain ONLY Ravi’s email id in the “From ID” field. If the authentication id and the From ID don’t match, the mail will be rejected.
  • Domain Spoof check: This means that if a mail gateway server in the client’s premises has been authorised to send mail via Connect Xf/Mithi SkyConnect, the mail originating from that server must belong only to the listed domains. This prevents the mail gateway server from sending mail from foreign domains (open relay) in case it gets compromised.
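The two submission-time checks above (the Email Spoof Check for authenticated users and the Domain Spoof Check for an authorised gateway), written out as an added example; this is illustrative code, not Connect Xf or SkyConnect's own implementation, and the gateway IP, domains and sample messages are constructed for the example:

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed policy data standing in for the server's gateway configuration:
# IP of an authorised on-premises gateway -> domains it is allowed to send for.
AUTHORISED_GATEWAYS = {"203.0.113.10": {"example.com", "example.co.in"}}


def check_submission(raw_msg: str, auth_user: Optional[str], client_ip: str) -> Tuple[bool, str]:
    """Decide whether one SMTP submission is accepted; returns (accepted, reason).

    auth_user is the address the client authenticated as, or None for a
    gateway that is trusted by source IP instead of by login.
    """
    msg = message_from_string(raw_msg)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    if "@" not in from_addr:
        return False, "missing or malformed From header"
    from_domain = from_addr.rsplit("@", 1)[1]

    if auth_user is not None:
        # Email Spoof Check: the From address must be exactly the authenticated id.
        if from_addr != auth_user.lower():
            return False, f"From {from_addr} does not match authenticated user {auth_user}"
        return True, "authenticated sender matches From"

    # Domain Spoof Check: unauthenticated submissions are only accepted from an
    # authorised gateway IP, and only for the domains listed for that gateway.
    allowed = AUTHORISED_GATEWAYS.get(client_ip)
    if allowed is None:
        return False, f"unauthenticated submission from unknown host {client_ip}"
    if from_domain not in allowed:
        return False, f"gateway {client_ip} may not send for {from_domain} (open relay)"
    return True, "authorised gateway sending for a listed domain"


# Constructed sample messages: Ravi's session, once with Smita's address in From.
SPOOFED = "From: Smita <smita@example.com>\nTo: client@example.net\nSubject: Invoice\n\nPay now.\n"
HONEST = "From: Ravi <ravi@example.com>\nTo: client@example.net\nSubject: Invoice\n\nPay now.\n"

if __name__ == "__main__":
    print(check_submission(SPOOFED, "ravi@example.com", "198.51.100.7"))  # rejected: From != login
    print(check_submission(HONEST, "ravi@example.com", "198.51.100.7"))   # accepted
    print(check_submission(SPOOFED, None, "203.0.113.10"))                # accepted: listed domain
```

Note that the gateway check is domain-level only: a compromised gateway can still send for any address in its listed domains, which is why the per-user Email Spoof Check matters for authenticated sessions.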

3. Ravi impersonates Smita from an external mail system: Ravi sends a mail to the recipient on Smita's behalf, but by using an external mail server or a mail sending tool. In this method, Ravi sends a mail using a tool and the services of an open relay server on the Internet, or by creating his own server. He composes the mail and sets Smita's email address in the mail header (MIME structure).

Modern mail servers and mail landing services now easily detect this by:

  • IP reputation of the sender. The IP of the server from which the mail originates should belong to the sender's domain, as designated by the sending organisation in the SPF record in its DNS. Hence, while Ravi will succeed in sending the mail, the recipient server will in all likelihood reject it due to bad IP reputation.

In case the recipient mail server doesn't have strong policies, it may accept the mail and deliver it to the recipient, and the mail may appear to have come from Smita. On closer inspection of the mail, it is still possible for the recipient to determine that it is a spoof, but this needs the technical expertise to understand mail headers.

4. In-transit modification of mail. Normally, mail can be sniffed in transit (i.e. the contents can be read) and modified at hop points by mail administrators if they have the privilege. Under normal working conditions these are rare situations. However, from a Mithi deployment perspective we ensure that the following practices are followed to bring the chance of this happening to near zero:

  • SSL/TLS: All access to services happens over a secure encrypted layer. This means that all the data flow from client to server and from server to server is encrypted over SSL/TLS.

Considering all the above systems deployed by Mithi SkyConnect, there is a near zero chance of a spoof mail making it through the network.
