Inbox Providers work hard to stop email fraud and phishing scams from outside. Google, Yahoo! and Office365.com all utilize a mix of algorithms that include Blacklists, SPF, DKIM and DMARC compliance, Spam scoring and Relevance scoring to make inbox placement decisions. However, scammers have found an interesting loophole, by sending the spam from the Inbox Providers servers.

How does an Insider Scam work?

The trick to sending spammy email from within an Inbox Provider’s network is first to compromise an existing email box on the provider’s servers. This can be surprisingly easy! Google, Yahoo! and Office365.com have Millions of users. Corrupt one email box and a spammer can easily send email to every user on every domain that uses the Inbox Provider’s network. For example:

• An email from a corrupted Gmail account never leaves the Gmail network when sent to Gmail Inboxes so the email may skip other Gmail spam safeguards like content scanning and Junk/Spam folder analysis.
• An email sent from a Gmail account passes Blacklist, SPF, DKIM and DMARC for every domain using Gmail to send email, including emails sent outside the Gmail network, giving these emails a level of trust. A corrupted Gmail account therefore has the clout of Gmail behind it.

Inbox Providers have traditionally looked at Spam and Phishing as an external threat. With the transition of email from on-premise to cloud-based solutions, internal threats with compromised accounts will force Inbox Providers to change and adopt Internal Spam and Phishing analysis algorithms.

What can you do to protect your users?

You email users need to be aware that incoming email cannot be 100% trusted, even when using a reputable Inbox Provider. Invest in Fraud and Phishing training for your staff will raise awareness and help break some of the apathy with regard to security. Read up on more ways to recognize and combat Fraud and Phishing in our previous blog entry.

What can you do to protect your outbound email?

If you are not monitoring the quality of your outbound email, you are at risk for accidentally sending Fraud and Phishing emails from your Inbox Provider and other email sources. Every business should be monitoring Blacklisting, and SPF, DKIM and DMARC compliance from all email sources. With DMARC reporting, you receive feedback on how much of your email is passing SPF, DKIM and DMARC compliance to know how likely your email will make it to the Inbox of your recipients. MxToolbox Delivery Center provides all the information you need on email from your domain.

However, DMARC reporting and Strict DMARC policies will not prevent an Inbox Provider Insider attack using your domain name. For that, you need to use another feature of MxToolbox Delivery Center, Feedback Loops. Feedback Loops provide direct feedback from email recipients at different Inbox Providers on how each recipient views the email they received from you – Did it look like Spam, Phishing or Unsolicited Email? Did they unsubscribe?

Soon, Inbox Providers will implement algorithms to protect their users, scammers will find new ways to exploit your users and your domain for their own gain. In the meantime, beware the Inbox Provider Insider scams.