Category Archives: Blacklists

Recent Spikes on UCE PROTECT Level 3

Recently, we noticed an increase of in the number of ASNs (full blocks of IP addresses owned by individual Internet Providers) listed by UCEPROTECT on their Level 3, aka Draconic, blacklist. The purpose of this particular UCEPROTECT blacklist is to block ASNs that allow spam to be sent from a large number of IP addresses in the network, often these are ASNs setup for spam or providers that do not adequately police their customers. However, this includes many popular services so many legitimate businesses have also been affected.

MxToolbox Stance

  1. We provide Blacklist lookups for information purposes only. DO NOT make decisions exclusively based upon a listing on the Blacklists we check. MxToolbox is not blocking you, the Inbox Provider is blocking your email because your IP address or domain is listed on a blacklist that they are using to make email delivery decisions. We give you the opportunity to see who is listing your IP address and do not endorse any blacklist. Feel free to ignore a blacklist if you think it is not relevant.
  2. NEVER PAY to be delisted. Legitimate blacklists, including UCEPROTECT, have free ways to be delisted. In this case, the entire ASN should be automatically delisted when the UCEPROTECT SPAMSCORE for that ASN drops below a certain level in a 7 day moving average. You can learn more about how UCEPROTECT lists ASNs here.
  3. MxToolbox regularly reevaluates the list of blacklists we check. Our criteria requires the blacklist to be used to make email delivery decisions. We have noted that some companies are dropping UCEPROTECT from their decision criteria due to the recent activity. We will watch this issue but will also continue to show UCEPROTECT listings as long as they are being used for email delivery decisions.

What you can do if you are blacklisted

We know that being on a blacklist is affecting your business. Be patient! Blacklists are not out there to attack your legitimate email, they are there to protect everyone from spam and phishing attempts. They make money by being relevant to email delivery decisions and sometimes they get over zealous.

Take the opportunity to evaluate your email sending configuration, blacklists are not the only reason your email is failing to make the inbox.

  • Are you still hosting your own email? This could be an opportunity to investigate Inbox Providers that have improved spam filtering and email sending capabilities. It is easier to have all of your email blocked by a blacklisting event if you are sending from a single IP address or small block.
  • Are you using multiple 3rd party email providers? You should evaluate their performance and make sure each of them is in your SPF record and no one else.
  • Adopt DMARC. DMARC compliant email is now a requirement to get into the inbox at Google, Yahoo! and Outlook.com/Office365. If much of your email is non-compliant, you may be blocked entirely. Adopt DMARC to get information on your outbound email to become DMARC compliant or be left behind by your competitors who are.
  • Use a DMARC delivery tool. Inbox Providers give you information on your email senders, including spammers pretending to be you. You need a tool that can aggregate and analyze your email delivery posture using DMARC to improve your email configuration and block the spammers. MxToolbox Delivery Center was designed to make email delivery simpler by highlighting improvements to your email deliverability.

Is Email Secure?

Yes and No. Email is a highly valuable tool that has evolved to be more secure, but there are still ways to exploit email for nefarious purposes. Email users should be careful with how they use email and the emails they respond to. Let’s look at email security in more detail.

A Little History

Electronic mail originated on the early experimental Arpanet, the precursor to the Internet. At that point, all the interconnected servers were within high-security facilities. Since the security was on the outside, researchers did not consider protocol security; everything was sent in clear text – HTTP for browsing documents, FTP for sharing data files, and SMTP for electronic communications. When the Arpanet opened up to universities and then to businesses and private users, those same protocols were still transmitting data and passwords in clear text. Unfortunately, clear text communications are susceptible to man-in-the-middle attacks – corrupted computers or routers between the two computers in communication.

The early Internet was not secure, so new technologies were developed to improve security:

  • HTTPS to secure online transactions involving credit cards
  • SFTP to secure file transfers (now replace by HTTPS in many cases)
  • TLS to encrypt email communications between email servers

With the adoption of TLS, Transport Layer Security, email was secured from potential man-in-the-middle attacks. However, there are other ways to exploit email.

Alternate Technologies

There were other technologies that attempted to “secure” email communications, all had various degrees of success, but none of them have really gone mainstream.

  • PGP, or Pretty Good Privacy, used a Public-Private encryption key system to encrypt and decrypt email. Email was completely secure in transit, and from administrators, but unfortunately, PGP was bulky to use. TLS solved the problem of securing communication between servers without the user needing to do anything.
  • “Secure” Email Servers are web servers where communication could be secured behind a password protected web login. It was not really email but a way to communicate in an email-like fashion. You often see these secure communications websites with Legal and Medical professions, but they suffer from bulky interfaces and the inconvenience of going somewhere other than your normal email applications to view the communication.
  • Sender Verification Services respond to an unsolicited email with an email demanding the sender verify their identity. The goal here is to reduce the potential for spam and phishing attempts by creating a hurdle for senders to jump. The inbox provider then only passes on “verified” email to the user. This technique essentially removes any automated email, including newsletters, as marketing teams are unable to monitor the verification email. The downside is that a legitimate sender may not register so you miss important email.

The Threat of Spam and Phishing

Email is the #1 preferred method for perpetrating online scams. The marginal cost of sending an email is negligible and the rewards for a successful scam can be thousands or millions of dollars. According to Cisco, approximately 84% of all email is spam, much of which is phishing scams and much also escaping spam filters. By that measure, email is not “secure”.

“Securing” Email

Improving email security is not a single technology or vendor but involves changing business processes, adopting new standards and continuously adapting to the ever-evolving landscape of email scams. Some recommendations:

  • Stop hosting your own email – Inbox providers like Gmail, Office365, Yahoo!, etc. have dedicated teams to managing and blocking spam and phishing. Most businesses would benefit by leveraging these external experts and outsourcing email inbox services.
  • Turn on 2-factor authentication – Securing email communication, both sending and receiving, means securing access to email accounts. 2-Factor Authentication helps make email more secure.
  • Invest in Spam and Phishing Awareness Training – Email scams exploit human weakness through social engineering to gain access to your email, bank accounts and secure data. Training your team to recognize these scams will improve your email security.
  • Leverage DMARC and supporting technologies – SPF, DKIM, DMARC and BIMI work hand-in-hand to 1) declare who can send email on behalf of a domain, 2) digitally sign email from that domain, 3) report compliance to the sending domain, and 4) apply a corporate logo to compliant email. When a domain leverages these technologies, it is secured against being used in spam and phishing attempts and gives the recipients peace-of-mind that the email is genuine.

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
  • Manage the on-going requirements of maintaining high levels of email deliverability

On-Premise Email Security Best Practices

If your company strategy requires on-premise email management, then there are some best practices you can adopt:

  • Use Inbound Email filtering gateways – Out of the box inbound filtering either software or hardware will block most threats using threat detection algorithms. Basic gateways block blacklisted senders. More advanced options allow you to write your own acceptance policies.
  • Create Advanced Acceptance Policies – Your business is unique. Threats come in many forms. Maybe you want to filter all incoming image files or executables or maybe eliminate objectionable terms associated with risks. Sophisticated algorithms might help protect your business.
  • Accept only DMARC compliant email – One great idea that Google has pioneered is prioritizing DMARC compliant email. If you do the same, you dramatically reduce the potential for fraud and phishing emails making it to your users.
  • Setup Outbound Email filters – You do not want to become a source of spam, so setting up filters to control outbound email will reduce the risk of being blacklisted or of sending spam emails within your network.
  • Setup Advanced Outbound Policies – Advanced policies could include forcing the legal team to encrypt all outbound email or prevent emailing large files, executables, etc. Leveraging advanced policies will help make using email more secure.
  • Setup DMARC for all outbound email sources – Adopting DMARC for all your outbound email sources will help you protect your sending reputation and reduce the risk of your domain names being used in spam.
  • Invest in Spam and Phishing Awareness Training – As mentioned above, when employees are trained to recognize spam and phishing attempts, they are less likely to click on dubious links in spam and phishing attempts or click on and install malware.

While email was not initially designed with security in mind, new technologies are improving the security posture of email. Adopting these as they arise makes your business more secure and protects your users, clients and partners.

Inbox Provider Insider Junk Scams

Inbox Providers work hard to stop email fraud and phishing scams from outside. Google, Yahoo! and Office365.com all utilize a mix of algorithms that include Blacklists, SPF, DKIM and DMARC compliance, Spam scoring and Relevance scoring to make inbox placement decisions. However, scammers have found an interesting loophole, by sending the spam from the Inbox Providers servers.

How does an Insider Scam work?

The trick to sending spammy email from within an Inbox Provider’s network is first to compromise an existing email box on the provider’s servers. This can be surprisingly easy! Google, Yahoo! and Office365.com have Millions of users. Corrupt one email box and a spammer can easily send email to every user on every domain that uses the Inbox Provider’s network. For example:

  • An email from a corrupted Gmail account never leaves the Gmail network when sent to Gmail Inboxes so the email may skip other Gmail spam safeguards like content scanning and Junk/Spam folder analysis.
  • An email sent from a Gmail account passes Blacklist, SPF, DKIM and DMARC for every domain using Gmail to send email, including emails sent outside the Gmail network, giving these emails a level of trust. A corrupted Gmail account therefore has the clout of Gmail behind it.

Inbox Providers have traditionally looked at Spam and Phishing as an external threat. With the transition of email from on-premise to cloud-based solutions, internal threats with compromised accounts will force Inbox Providers to change and adopt Internal Spam and Phishing analysis algorithms.

What can you do to protect your users?

You email users need to be aware that incoming email cannot be 100% trusted, even when using a reputable Inbox Provider. Invest in Fraud and Phishing training for your staff will raise awareness and help break some of the apathy with regard to security. Read up on more ways to recognize and combat Fraud and Phishing in our previous blog entry.

What can you do to protect your outbound email?

If you are not monitoring the quality of your outbound email, you are at risk for accidentally sending Fraud and Phishing emails from your Inbox Provider and other email sources. Every business should be monitoring Blacklisting, and SPF, DKIM and DMARC compliance from all email sources. With DMARC reporting, you receive feedback on how much of your email is passing SPF, DKIM and DMARC compliance to know how likely your email will make it to the Inbox of your recipients. MxToolbox Delivery Center provides all the information you need on email from your domain.

However, DMARC reporting and Strict DMARC policies will not prevent an Inbox Provider Insider attack using your domain name. For that, you need to use another feature of MxToolbox Delivery Center, Feedback Loops. Feedback Loops provide direct feedback from email recipients at different Inbox Providers on how each recipient views the email they received from you – Did it look like Spam, Phishing or Unsolicited Email? Did they unsubscribe?

Soon, Inbox Providers will implement algorithms to protect their users, scammers will find new ways to exploit your users and your domain for their own gain. In the meantime, beware the Inbox Provider Insider scams.

The State of Government Email Delivery

Recently the CDC found itself in the awkward position of advising the public on email fraud and phishing.  The reason: COVID contact tracing efforts have been thwarted by fraudulent email from professional phishing groups.  Email phishing and email delivery are a systemic problem for governments and businesses alike.

As more federal, state and local agencies move online they generate more email to their constituents and users. Whether you are receiving confirmation on your recent driver’s license renewal or setting up a meeting about property taxes, ensuring the email reaches your inbox is a major concern.  Unfortunately, the majority of American governmental agencies are poorly positioned to deliver email.

Blacklisting

Inbox providers use blacklists to filter incoming email.  Email from IP addresses of a blacklist or containing Domain names on blacklists will be blocked or thrown into the Spam or Junk folders.  

Unfortunately, on average 3.3% of government domains are blacklisted, meaning that their email is in jeopardy of being blocked.  

AgencyBlacklist %
City3.8%
County3.8%
Federal Agency – Executive1.1%
Federal Agency – Judicial0.0%
Federal Agency – Legislative4.4%
State3.3%

City, County and State governments represent the majority of government domains and the highest percentage of blacklisted agencies, excluding the Legislative branch of the Federal government.  This puts email correspondence with these smaller agencies in jeopardy.

SPF

SPF is a technology that allows a domain to designate a list of IP addresses or domains as legitimate senders on behalf of that domain.  For example, your company could use MailChimps or SalesForce to send email to marketing and sales customers.  SPF allows you to designate those two companies as valid senders and only these domains.  Anyone else trying to send email using your domain would fail the SPF checks that inbox providers run on incoming email.  A failed SPF check means that the email may be blocked or dumped to the Spam or Junk folders.

Agency Type% SPF
City72.7%
County70.1%
Federal Agency – Executive93.9%
Federal Agency – Judicial73.9%
Federal Agency – Legislative22.8%
State40.1%

MxToolbox’s survey clearly shows that State and Legislative Agencies are failing to adequately use SPF to protect their email delivery.  While City and County agencies fare slightly better, SPF adoption is required to get email to the inbox.  Without SPF, anyone can attempt to send email that appears to come from a government agency, creating the potential for fraud and phishing using that agency’s domain name.  

The lone bright spot in our survey is the Executive Branch of Federal government.  The nearly 94% adoption of SPF reflects the Department of Homeland Security’s requirement to fully adopt DMARC by October of 2018 (SPF is a key component of DMARC).  While some departments are behind, the DHS directive has definitely been successful. All US agencies need to make adopting SPF, and DMARC a priority to improve email delivery and protect their recipients from fraud and phishing using government domains. 

DMARC

DMARC is a standard that allows a domain owner to do several things:

  • Assign email addresses to be used for feedback from inbox providers regarding SPF, DKIM and DMARC compliance.
  • Assign email addresses to be used for forensic samples of emails that fail SPF, DKIM or DMARC compliance.
  • Set a Policy for how Inbox Providers should handle email from the domain that fails SPF, DKIM or DMARC compliance.  Policy options are:
    • None – Do nothing
    • Quarantine – Set the email aside in a Quarantine type folder.  Sometimes this is a Spam or Junk folder, sometimes this gets placed in a Quarantine spot the administrator can examine.
    • Reject – Dump the email to trash. A reject policy is required by the Department of Homeland Security and to use the BIMI image standard.
  • Specify a % of email to obey the Policy.  The rest will be treated as in a None policy.
Policy as a % of DMARC % ofDomains
Agency Type% DMARCNoneQuarantineRejectReject
City13.1%56.6%24.5%13.8%1.8%
County20.7%52.8%25.8%19.7%4.1%
Federal Agency – Executive90.4%2.8%1.4%93.6%84.6%
Federal Agency – Judicial17.4%50.0%25.0%25.0%4.3%
Federal Agency – Legislative13.2%40.0%13.3%46.7%6.1%
State12.0%57.4%14.0%24.0%2.9%

The Executive Branch with 90% DMARC adoption is well out in the lead, again owing to Department of Homeland Security requirements.  Unfortunately, all other agencies are dangerously behind, risking their email deliverability.  In our recent case studies, we found that improving DMARC compliance can dramatically improve email open rates and click through rates.  If government agencies want to connect with constituents, they need to adopt DMARC as soon as possible.

Fraud and Phishing Protection

Ultimately, to protect your recipients from Fraud and Phishing using your domain, you need to adopt a strict Reject DMARC policy.  A Reject policy tells the inbox provider to completely reject email that does not pass SPF, DKIM and DMARC checks.  Unless they gain access to your servers or the servers of your legitimate senders, fraudsters’ emails will be blocked by a DMARC Reject policy.  While getting to a DMARC Reject policy requires careful management and attention to prevent legitimate email from being blocked, the benefit of protecting your email, your brand and your customers outweighs the complexity and cost.   

Taken as a whole, Government agencies are woefully inadequate in their support for DMARC reject policies and guarding their email from fraud and phishing.  Particularly troubling are the state, county and city governments with low single digit support.  Government agencies need to be a trusted source of information.  Unfortunately, with their current DMARC configurations, the domains of government agencies are at tremendous risk of being used in fraud and phishing attacks.

How can you or governments adopt DMARC?

Any domain owner must adopt SPF and DMARC immediately.  When adopting DMARC, it pays to invest in an email delivery management platform that can help you analyze your email senders, manage the quality of your senders and help you obtain a DMARC Reject policy that does not limit legitimate email. Without analyzing the SPF, DKIM and DMARC compliance of your email, both legitimate and fraudulent, you will not be able to protect your email deliverability.  

MxToolbox Delivery Center

To maintain the highest levels of email deliverability, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
  • Manage the on-going requirements of maintaining high levels of email deliverability

Blacklisted? Get DMARC

Blacklisting is the oldest form of spam protection.  Inbox Providers keep a list of IP addresses and domains that recently sent spam and block them from the inbox.   Blacklisting eventually evolved to include 3rd parties maintaining and selling blacklists derived from spam traps, honey pots, and lists gathered from multiple inbox providers.  As an email sender, being blacklisted is a sign that you are not adequately managing your email delivery posture.  But, blacklisting is not the only way Inbox Providers protect their users from spam.  Increasingly, Inbox Providers are using technologies like SPF, DKIM and DMARC to make inbox delivery decisions.

DMARC Helps Prevent Blacklisting

Your IP addresses and Domain can be blacklisted for many reasons:

  • Spam appears to be coming from your IP addresses or Domain
  • Sending too much email from a single IP address
  • Sending email from an IP address that also sends spam
  • Email recipients marking too much email from your Domain as spam
  • Improper Forwarding
  • Domain included in Fraud and Phishing emails
  • Using spammy wording in your email content

With the right DMARC setup, you can almost completely block spammers from spoofing your domain, or using it in spam, fraud and phishing emails.  Adopting DMARC would then eliminate three reasons why your Domain could be blacklisted, dramatically improving your email delivery posture and helping you get your business message to your intended audience.

DMARC Might be More Important than Blacklisting

Blacklisting was once the first line of defense.  Now, Inbox Providers are increasingly using more complex algorithms to determine the quality of the email they deliver to inboxes.  These algorithms weigh content, blacklisting, DMARC and other factors to determine placement in the Inbox, Junk/Bulk/Spam Folder or simply dump the email entirely.  In the new algorithms, DMARC configuration might weigh more heavily than Blacklisting.  

Since DMARC depends upon two other technologies, SPF and DKIM, DMARC setup requires more time and attention to setup.  This means your team cares about email delivery management and is more active in the management process.  Inbox providers like Gmail, Yahoo! and Outlook.com have begun to prioritize DMARC compliant email.

Blacklists are simple and fallible.  A legitimate email can put a company on a blacklist if it falls into a honey pot or gets reported as spam by enough email recipients.   In addition, many companies use 3rd party emailers with large IP address blocks.  These mass emailers rotate through the IP addresses when sending email for all their clients.  Not only could your email be sent from the same IP address as many other businesses, but that IP address could be blacklisted because of the other companies’ content.   Inbox Providers know the limitations to blacklisting and the benefits of DMARC and their proprietary algorithms reflect this, making DMARC adoption a business requirement.  Even if you are blacklisted, DMARC can help you reach the inbox.

How does DMARC work?

Adopting DMARC gives you the ability to do three important things:

  1. Get feedback on how much of your email is passing SPF, DKIM and DMARC checks
  2. Get forensic examples of failed emails
  3. Set a policy for how Inbox Providers handle email that fails DMARC checks

Feedback on email allows you to identify SPF and DKIM configuration issues with legitimate senders, improve these configurations and identify illegitimate senders which may be fraud or phishing threats.  Once you have corrected your configuration issues for legitimate email senders, you can change your DMARC policy to instruct Inbox Providers to Reject email that fails SPF, DKIM and DMARC checks.  DMARC Reject policies give Inbox Providers comfort that you are actively managing your outbound email.

MxToolbox Delivery Center

To maintain the highest levels of email deliverability, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.

Email Deliverability in the Travel Industry

Traveling is one of the most enjoyable experiences a person can have and is a widely popular leisure activity.  Travel is also a risky endeavor, requiring careful planning and sometimes last minute itinerary changes especially in business travel.  Lodging and airfare are typically the most expensive pieces of the budget, so you want partners you can depend upon to inform you of confirmations and itinerary changes in a timely manner.  But, can you trust the emails that come from these airline partners?

DMARC Creates Trusted Senders

DMARC is a requirement for trusted email communication.  An email from a sender with DMARC properly configured to a strict “Reject” policy can be trusted.  Without a “reject” policy, a sending company could easily be spoofed by a fraudster and have that email accepted by inbox providers.  Adopting DMARC protects the email recipient and the corporate brand.

DMARC Adoption in the Airline Industry

Trusting email correspondence from your airline is an important part of enjoying your travel experience.  If an airline domain can be easily compromised by fraudsters, your travel plans are at risk.  Unfortunately, email hygiene and DMARC adoption rates are low among airlines.

MxToolbox’s September 2020 study uncovered the following concerns about airlines ability to deliver emails to their travellers:

  • 8% of airlines sending IP addresses are blacklisted, meaning that email from these domains could be blocked from your email entirely.  Good luck getting that flight update.
  • Only 40% of airline domains have adopted DMARC.  Email delivery from the other 60% of airline domains is at high risk for fraud and phishing and may be more likely to end up in the Junk folder than the Inbox.
  • Only 14% of airlines are using Strict DMARC policies (7% Reject, 7% Quarantine).  The remaining companies are at high risk of being used for fraud and phishing.
  • Only 1 Airline has deployed BIMI to display their logo in the recipients inbox. BIMI gives an extra level of assurance that the sender is legitimate and reinforces the corporate brand.

Protecting Your Brand with DMARC

To maintain the highest levels of email deliverability, businesses like yours (and these airlines) need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the on-going maintenance necessary to maintain peak performance:

  • Leverage our unique Adaptive Blacklist Monitoring to manage the email reputation of all your senders.
  • Manage SPF, DKIM and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.

The End of a Blacklist – BSB

On Friday the 17th of April, the blacklists BSB and BSB Domain shutdown.  When a blacklist goes offline, it typically returns a positive blacklisting event for every IP address or Domain inquiry.  This is standard but can be a bit alarming for users.

What that means for you?

All of our Monitoring and Delivery Center customers suddenly had a notification of blacklisting on BSB or BSB Domain.  This is normal.  MxToolbox has removed BSB and BSB Domain from the list of blacklists we check.  All notifications that we previously sent of blacklisting by BSB and BSB Domain can be ignored safely.  If BSB and BSB Domain return to action, then we will evaluate adding them back into the list of blacklists we search.

The Importance of Email Delivery Management

Blacklisting is not the only reason why your email may be denied or tossed into a Spam or Junk folder.  Blacklist monitoring is the beginning of good email delivery management.  In addition to monitoring your email for blacklisting, you need to:

  • Monitor your DMARC, SPF and DKIM configurations for compliance with industry standards
  • Regularly monitor the blacklist reputations of all your senders; not just your own IP addresses, but every CRM, Marketing Automation, Order Management, Support Ticketing and other sending system.
  • Actively monitor and manage the DMARC compliance rates for your legitimate senders, eliminating non-compliant senders if needed.
  • Monitor DMARC compliance rates for Fraud and Phishing attacks using your brands

MxToolbox Delivery Center provides you with the capability to manage your Email Deliverability, reducing the chance that your email will be dumped to spam or junk.  Check out Delivery Centertoday, or Contact Sales for a Walkthrough of Delivery Center Managed Services.

 

A Little Blacklist History

History of Blacklists

Blacklist – in the context of technology, a list of items, such as usernames or IP addresses, that are denied access to a certain system protocol. When a blacklist is used for security purposes or access control, all entities are allowed access, minus those actually listed in the blacklist. Moreover, an email blacklist is a real-time database that utilizes criteria to determine if an IP is sending email it considers to be spam. There are many operable blacklists, and each has a unique way of accepting inbound mail and determining if messages are considered spam. Needless to say, blacklists directly impact the deliverability of your company’s emails.

Note: A Whitelist or whitelisting is NOT the opposite of a blacklist.  A whitelist is a connection or group of IP addresses that will always be accepted, typically bypassing many other security controls.  Do not ask for someone to whitelist you.

The first Domain Name System-based Blackhole List (DNSBL) was the Real-time Blackhole List (RBL) created in 1997 as a Border Gateway Protocol (BGP) list. Interestingly, the initial version of the RBL was not published using DNS, but rather a list of networks transmitted via BGP to routers owned by subscribers so that network operators could drop all TCP/IP traffic for machines used to send spam/host spam supporting services, such as a website. The term “blackhole list” is often interchanged with “blacklist” and “blocklist.”

Overview of Blacklists

Generally speaking, a DNSBL or RBL is an effort to stop email spamming. It is a blacklist of locations on the Internet believed to actively send email spam. The locations consist of IP addresses, which are typically  linked to spamming. Most mail server software can be configured to reject or flag messages that have been sent from a site listed on one or more of these lists.

Furthermore, a DNSBL is a software mechanism, rather than a specific list or policy. There are many DNSBLs in existence, which use a wide array of criteria for listing and delisting addresses. For example:

  • The IP addresses of zombie computers or other machines being used to send spam (some RBLs specialize in spam in different languages)
  • Internet service providers (ISPs) who willingly host spammers, or those which have sent spam to a honeypot system.
  • List of the IP addresses of email systems that openly relay mail (which could be used by spammers)
  • List of dynamic IP addresses at ISPs
  • List of domain names typically used in spam emails.

In order to operate a DNSBL three things are needed: a domain to host it under, a nameserver for that domain, and a list of addresses to publish.

In addition, based on data received about your IP address, there are three places for your email to end up. If your company is on a blacklist, outbound messages could end up in spam or not delivered. If in good standing, your business emails will be then go through secondary processing by the inbox provider.  Most will be delivered and show up in the inbox as intended. Most blacklist services set up their own specific methods, algorithms and honeypots and have websites that detail the reasons for listing along with delisting options.  Delisting may be requested or may be automatic in some cases (keep reading).  Note: Some less savory blacklists require a payment for delisting; Mxtoolbox does not approve of this type of business model.

What Is an IP or Domain Blacklist Problem?

Most businesses learn that their IP address is blacklisted when a customer reports missing an important email.  After multiple reports, someone usually contacts IT who looks into the problem.  Without proper monitoring of your blacklist status, your business could be at risk.

MxToolbox to the Rescue

An early innovator in addressing blacklist issues, MxToolbox built started with a free online Blacklist Check tool to help email admins, marketers, and business owners monitor their sending reputation. Since then, we have focused on email delivery solutions, introducing the most comprehensive Blacklist Monitoring service on the Internet and, now, providing DMARC-based email deliver solutions.

The Future of Blacklist Monitoring

MxToolbox believes in continually delivering innovative tools and services to help our customers who face an ever changing email world.  Recently, we released Adaptive Blacklist Monitoring, expanding the frontier of blacklist monitoring beyond traditional blacklist monitoring for businesses to answer the following questions:

  1. How do you maintain lists of all internal and external sender’s IP addresses?
  2. How do you update IP addresses being monitored when they change?
  3. How do you monitor cloud email services sending from large pools of IPs?

MxToolbox Adaptive Blacklist Monitoring leverages new technologies like SPF and DMARC to monitor your blacklist status and email deliverability across all of your senders: internal, external and cloud-based.

Automatic Monitoring

MxToolbox automatically detects all your Outbound IP addresses that you actively send email from and monitors them for blacklistings.  Add a new 3rd party sender? MxToolbox automatically monitors those new IP addresses as well. With this solution you no longer need to maintain IP lists and update monitoring.

Sender/Cloud Email Reputation

Send email through Office 365 or GSuite, etc.? MxToolbox detects the IP addresses those services are actively using to send your messages and if they are blacklisted. You can even view your sender’s reputation via MxRep to gauge how well their services are functioning.

 

Email on the Cloud: Does it solve your deliveryability issues?

What is “the Cloud”?

“The Cloud” is simply a term for using data storage, email, infrastructure, or applications as a service without the need for installing software and maintaining servers in your own data centers.  Cloud-based services were made possible by cheap RAM, multi-cored processors and the easy availability of network bandwidth.

What is Cloud-based email?

Cloud-based email has been around since the early days of the Internet, where individual users could sign up for a Yahoo!, Hotmail or Gmail email account.  Now, cloud-based email is associated with the same providers: Google G Suite Business and Office365/Outlook.com.  The difference is that businesses, not consumers, migrate email processing for their domains from traditional on-premise email servers to these online service providers.  This improves accessibility to email since employees only need an Internet connection to retrieve email (not a VPN to firewall-protected corporate servers) and reduces overhead costs for the company, while also improving email security, because a large team is now dedicated to the topic.  One of the many selling points of cloud-based email is that it automatically improves your domain’s email deliverability.  However, this is not entirely true.  With cloud-based email set to double in size in the next few years1, managing email deliverability is now even more important.

Email Deliverability with the Cloud

While inbox providers, like Google and Microsoft, dominate cloud-based email, many other cloud services send email from their own servers, for example: CRMs, Marketing Automation, Email Campaign Management, Support systems, ERPs and Order Management/Fulfillment systems.  Managing all of these different vendors requires careful thought, information and leveraging email deliverability standards like SPF, DKIM and DMARC.  Email deliverability does not automatically improve by migrating to the cloud, but the cloud can help.

DMARC Is Essential

Regardless of what email services you use, adopting DMARC is the single most important step you can take to improving email deliverability.  DMARC leverages two important standards, SPF and DKIM, to enable you to delegate legitimate sources of email and cryptographically sign your messages so that recipients know the email is from your domain.  When properly implemented and monitored, DMARC helps businesses by:

  • Improving Email Delivery – Sending email that is DMARC compliant can improve email delivery to your customers because inbox providers prioritize properly compliant emails.
  • Increasing Email Visibility – Imagine getting feedback on the compliance of your email from recipients?  DMARC enables email inbox provider to report on ALL outbound messages sent “from” your company and any third-party providers utilized (Sendgrid, Marketo, etc.)
  • Identifying Delivery Problems – Gives your business insight into providers and email sources that have email authentication issues with SPF and DKIM that affect email delivery.
  • Preventing Spoofing/Phishing Attacks – Once properly implemented, DMARC can prevent fraudsters from targeting your customers using your domain reputation.

Even with DMARC, SPF and DKIM implemented you need to continuously monitor the feedback you receive from your email recipients’ inbox providers and act on the data.  DMARC reports can be confusing to interpret and they also do not contain information about blacklisting, the most fundamental email hygiene issue.

Adaptive Blacklist: A New Ally

Email delivery is still dependent upon the blacklist status of the sending IP address.  Email from an IP address that is blacklisted will typically be blocked even before DMARC compliance checks are made.  After you have outsourced email distribution to 3rd parties, how do you keep track of their blacklist status?  How do you know these providers are performing?

You need blacklist monitoring for your senders.  MxToolbox has developed a revolutionary approach to check blacklist status of 3rd party vendors – Adaptive Blacklist Monitoring.  MxToolbox’s Adaptive Blacklist Monitoring leverages DMARC reports to understand what IP addresses your 3rd party vendors are using to send your email and then constantly analyzes the blacklist status of your sending IPs.  Adaptive Blacklist monitoring even adapts to the addition of new providers and reports on email threats. With MxToolbox, you get expert insight into your DMARC compliance combined with unique Adaptive Blacklist Monitoring.  No other DMARC delivery solution does the same.

What is Whale Phishing?

The number and type of malicious online attacks seems to be increasing daily.  Whaling/Whale Phishing is another in a long line of scams, this time leveraging and targeting senior executives.  The term “whaling” was coined because of the magnitude of the targets and attacks relative to those of typical phishing ploys.

What Is Whaling Phishing?

A whaling attack, also referred to as whaling phishing, is a specific form of phishing attack that explicitly targets high-profile employees—CEOs, CFOs, or other executives (known as whales)—in order to steal sensitive information from a company.  Executives/Whales can be either the target recipient or the spoofed origin of the phishing emails.  Whales are carefully chosen due to their overall authority and access to secure company information. The goal of a whaling attack is to con the executive or employee into exposing corporate credentials, customer information or sending money via wire transfer.

How Do Whaling Attacks Work?

Whaling attacks work on the trust of executives and employees.  When spammers impersonate an executive, an employee is unlikely to look deeper into the origin of the email and simply comply with the request.  When spammers target an executive as the victim, the goal is to get access to the power of that executive: credentials, authorization of funds, even confidential information that only the executive can access.

Whaling attack emails and websites are highly customized and personalized, and they often incorporate the target’s name, job title, or other relevant information collected from a variety of sources.  Due to this level of personalization and their highly targeted nature, whaling attacks are usually more difficult to detect than standard phishing attacks. Whaling phishing attacks rely on the same social engineering methods that traditional phishing uses, but in this highly targeted approach.  Attackers will send hyperlinks or attachments to infect their victims with malware or to solicit sensitive information. By targeting high-value victims, fraudsters might also persuade them to approve fraudulent wire transfers using business email compromise techniques. In some cases, the attacker impersonates the CEO or other corporate officers to convince employees to carry out damaging financial transfers.

Examples of Whaling Attacks

Perhaps the most notable whaling phishing attack occurred in 2016 when a high-ranking Snapchat employee received an email from a fraudster impersonating the company’s CEO. The employee was duped into giving the attacker confidential employee payroll information. The FBI subsequently investigated the attack.1

Another newsworthy whaling scam from 2016 involved a Seagate employee who unknowingly emailed the income tax data of several current and former company employees to an unauthorized third party. After reporting the phishing scam to the IRS and FBI, it was announced that thousands of peoples’ personal data was exposed in that whaling attack.2

How do you protect yourself?

Whaling phishing uses the same entry methods as traditional phishing methods: email, malware infected links and attachments, believable email addresses and well-replicated branding and logos.  To protect yourself from whaling, you need to be vigilant with every email and mindful of the financial or privacy implications of any response, even to your CEO.  We recommend improving both your information security awareness training and internal policies regarding financial and privacy data handling.  For example, add a corporate policy to require verbal authorizations in addition to the original email for financial or privacy transactions.   Many companies operate at break-neck speed, to protect your business, you often need to slow down and think through the implications of acting upon every emails.

As a corporate inbox provider, keeping up your incoming spam and malware filtering will help reduce the flow of potentially dangerous email, but it cannot prevent it.  Setting up your inbound email services so that they provide DMARC reports on email received to the original senders.  This information is invaluable to combating incoming spam and phishing attempts.  Also, ensure your that your inbound email services support senders restrictive DMARC policies (Quarantine or Reject) and process non-DMARC compliant email appropriately.  Rejecting email that is not DMARC compliant will greatly reduce the amount of spam and phishing attempts that arrive in your inboxes.

How do you protect your brand from being used in Whaling?

The trust your partners, vendors, and customers place in your email is directly related to the value of your email and the amount of spam, malware and phishing attacks that appear to come from your domain.  You cannot prevent fraudsters from creating spam and impersonating your domain, but, you can stop the spam and phishing from affecting your reputation.  To shutdown phishing that appears to come from your domain, you need to adopt DMARC for your outbound email and manage your DMARC compliance rate for outbound email.  Once your legitimate email is compatible, you can start instructing inbox providers to quarantine or reject non-compliant email.  At that point, the majority of non-compliant email should be spam and phishing attempts using your brand.  Managing your email is not a set it and forget it strategy, but an on-going process that requires regular monitoring and update.

MxToolbox’s Delivery Center

MxToolbox Delivery Center provides you with everything you need to setup, monitor and manage your DMARC compliance.  Email deliverability requires constant monitoring and tuning and MxToolbox has over 10 years experience working with companies large and small to improve email delivery.  Delivery Center gives you insight into Who is sending email on behalf of your domain, How Much of your email is DMARC compliant, Where email threats are coming from, How to improve your email configuration and When to make your DMARC policies more restrictive to prevent phishing using your domain.

https://www.scmagazineuk.com/snapchat-whaled-employee-payroll-released/article/1478171

2 https://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/