The Spamhaus Project


Part 2 – Effective strategies against inbound malicious email: using your own data

Having looked at best practices for utilizing blocklists in the first part of this series, let’s explore the value of maximizing your own data to protect your network from malicious inbound emails. After all, your email infrastructure contains data that may only occur on your specific network.

by The Spamhaus TeamFebruary 15, 20245 minutes reading time

Jump to

Select a security-focused email infrastructure

Select a security-focused email infrastructure

Having a scalable, modern, and robust email infrastructure that provides all the necessary security and anti-abuse features, to protect against phishing, spam, and malware, is vital. An email infrastructure should enable blocking of connections from servers abused by spammers, emails with malicious URLs, connections from unauthorized countries, and high volumes of emails being sent to a single recipient – as well as providing analysis and scoring. Where email filtering is enabled, filters must be adjustable based on a business’s tolerance for false positives. Realistically, no business wants to allocate resources and people to a problem that doesn’t exist.

Enforce authentication

Alongside content inspection, email authentication checks should run to verify the source of incoming emails. There are two key authentication records mailbox providers should be looking to enforce. Sender Policy Framework (SPF) and Domain-based Message Authentication Reporting and Conformance (DMARC) are both must-have inbound spam defenses for any modern email marketing infrastructure. Other authentication methods can also be deployed, such as DomainKeys Identified Mail (DKIM) and Brand Indicators for Message Identification (BIMI).

The risk here is brand impersonation. Malicious parties may send emails posing as well-known brands, for example, Google. If an organization isn’t enforcing SPF and DMARC, someone could spoof and send to its users, creating a gateway for abuse.

But authentication is only the tip of the iceberg. There are reams of data available to enhance defenses against malicious actors.

Reject misconfigured email servers

It’s important to be mindful of misconfigured email servers. These can be a sign of potential compromise or malicious activity, so it’s important to approach connection requests with caution. It is recommended to reject connections from email servers that are HELOing/rDNS themselves as an IP address, a non-existent domain, or empty text. By doing this, you can help ensure that your email server remains secure and is protected from potential threats.

Define ‘normal’ email traffic

Get to know your ‘as usual’ email traffic. Regularly analyzing email traffic is your ticket to quickly identify good traffic and traffic that should be monitored more closely. With enough analysis, typical traffic becomes predictable and easily recognizable. Consequently, anything outside of ‘normal’ can be identified and highlighted as suspicious. However, exercising caution when enforcing traffic rules is essential to avoid mistakenly blocking legitimate emails. Allowing some room for error can help prevent important messages from being blocked.

Assign reputation to IPs and domains sending to the network

With a deep understanding of normal email traffic, you can assign reputation to IPs and domains sending emails to your network. This can provide a further alert to any unusual activity. Using

Using Historical IP SMTP data

The insights gained from historical data are just as valuable as monitoring real-time data flow. By simply maintaining 30 days (minimum) of historical SMTP data on IPs seen connecting to the network, it is possible to monitor who is sending and rejecting any unwanted connections. For example, an unexpected burst of email could indicate a spam campaign. Using historical data, a rate limit can be applied to newly seen or previously low-volume IP ranges attempting to send large volumes of email to an infrastructure.

Similarly, IP ranges that are sending or checking a large number of unknown users could be an indicator to defer or reject the emails. As we know, spammers often maintain large lists that contain many unknown users or abuse services that attempt to verify addresses. Therefore, an IP address with a higher-than-average rejection rate for unknown users should be investigated. And, more than likely, rejected!

Keep an eye on the inside

But what if bad actors are already inside? The truth is that users can be compromised from within the email infrastructure and send malicious emails internally.

Email within an organization is often subject to less filtering than those at the network level, making it vulnerable to malicious activity. Hence, paying attention to unusual indicators such as employees emailing outside of their usual working hours or communicating with individuals they typically don’t correspond with is essential. Is it normal for Suzie from Customer Success to email the Finance Director at 2 am? It seems unlikely!

By monitoring such activity, security teams can detect potential threats and take appropriate action. This could include rate limiting or suspending the user to deter malicious actors and prevent a severe business email compromise.

Doing something is better than nothing

It’s important to keep in mind that safeguarding a network against inbound malicious emails can be overwhelming, and the strategies shared are just a few recommended practices. While they are aimed at enhancing network security in the long run, it’s not necessary to implement them all at once. Even small steps towards implementing these strategies can help improve your network security.

Remember, security is like an onion with many layers, and diversifying between different tools and techniques will only enhance protection against malicious email threats.

Don’t have the time or resources to analyze your own data? Share basic email connection data (no PII!) with Spamhaus for targeted email protection, like security service provider, Censornet – learn more here.