Safer Internet Day: How Mailjet helps

Barrier 1: Sender Policy Framework (SPF)

SPF allows the owner of a domain to restrict sending of valid emails by specifying a list of valid IPs. He does this by adding a TXT record to his domain, which is kind of a meta information everyone can see. The content of this TXT record is a list of IPs which can be used to send valid emails. Each time a mail server receives an email from this domain, it will look up this TXT record and check whether the IP from where the email comes from, is included in the list of valid IPs. If this is not the case, the email can be marked as a phishing or spam attempt.

Since the emails sent by the phishing mafia claim to come from xyz.com but have an IP address not included in the SPF list, the email gets filtered out and no harm is done.

One week later, the phishing mafia learned about SPF and told its developers to change the sender IP address so that it matches an address included in the SPF filter.

Again, they missed something. Every Mailjet customer gets plug and play DKIM.

Barrier 2: Domain Keys Identified Mail (DKIM)

DKIM allows a domain owner to use the power of asymmetrical encryption to prevent misuse by phishers and spammers. Asymmetrical encryption means that one generates a pair of keys, one of which is public and the other is private. The private key has to be kept away from the public and is used to generate a specific electronic signature for each email.

This signature is basically a string of characters in which information about the content of the email is encrypted.

The public key is added as a TXT record to the domain. Now, each time a mail is sent, it gets a signature. When an email server receives one of these emails, it checks the domain records for the public key entry. The public key tells whether the signature was made by his brother, the secret key, or not. If it wasn't the email can be considered a phishing or spam attempt.

Barrier 3: Email Pattern Filters

Having failed twice, the only hope for the phishing mafia is to get access to the XYZ web server. Hopefully our friends from the Server Security Industry made a good job, but for sake of a good example lets say the mafia succeeds and now has full access to the XYZ web site, at least for the crucial first 12 hours because this is where most of the money is made by the phishing mafia. The mafia now can send emails and neither SPF nor DKIM cause alarm because both the IP addresses and the signature are correct. But this also means that emails are now sent via Mailjet's SMTP Relay.

Even so, the phishing mafia's emails are still passed through Big Data algorithms like Bayesian Inference. Their purpose is to recognize frequency and content patterns in real time. Most likely will the phishing mafia send a different amount of emails than XYZ Corporation used to do. The content of the emails will differ as well. If these patterns diverge by a certain amount, an alarm is caused and emails are put on queue until the issue is resolved. This gives XYZ Corporation enough time to detect the attack and take measures.

Invisible actions for the end user are undertaken every day, so that he can enjoy an always safer Internet. Mailjet brings its own contribution to the task.

[ Posted Tue, 11 Feb 2014 11:06:28 ]