Domain Name Whitelisting Allows Spam to Pass Undetected
A recent study by security company Network Box reveals that organizations commonly whitelist their own domain names, which makes spam hard to spot, because spammers can exploit the whitelist to make their messages appear legitimate.
Security specialists describe a whitelist as a catalogue of domain names or e-mail addresses from which an e-mail spam filter allows inbound e-mails to pass through. The spam filter itself helps to stop unsolicited e-mail (spam) from arriving in users' inboxes.
Meanwhile, whitelisting their own domains is common practice among organizations that want to prevent legitimate e-mail from being handled as junk or spam. However, in December 2008, Network Box began to observe a surge in spam messages that forged the e-mail address of the recipient, or pretended to be a message from a colleague. These e-mails apparently contained links connecting to IM services, inviting the recipient to chat.
Further, according to the study, almost 20% of all spam mimics the recipient's domain name, up from merely 1% in June 2008.
Commenting on the problem, Internet security analyst Simon Heron at Network Box said that until the latter part of 2008, domain name mimicking was not a great problem. But now it has grown to a rate of 20%, which is pretty high, as reported by SCMagazine on February 16, 2009. Heron suggested that organizations using whitelisting should remove personal domain names from the list and consider alternative methods to prevent false positives.
To guard against the problem, Network Box suggested that one solution is SPF (Sender Policy Framework), a method that uses an entry in the domain's DNS record to specify all the Internet Protocol addresses from which legitimate e-mail would arrive.
Therefore, if a person in London receives an e-mail from a colleague in Singapore, the recipient's mail server verifies whether the IP address from which it received the e-mail is listed in the sender's SPF record. This confirms that the message is not a spoofed e-mail and thus it gets delivered, Network Box explained.
» SPAMfighter News - 26-02-2009