Cisco Email Security Appliance X1050 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 3 of 22
The Problem of Forged Email
As noted, this paper looks at forged email arriving from outside an organization. Spoofing where an internal
mailbox is compromised is out of scope for this paper. In this document, alpha.com is the example customer
domain being spoofed.
For an introduction to spoofing, refer to:
Briefly described, spoofing attacks include:
1. Envelope From abuse: Making the domain in the sender’s Mail From value (also referred to as “Envelope From”) the same as the recipient’s domain. This paper uses the terms “Mail From” and “Envelope From” interchangeably.
2. From header abuse: Using a legitimate domain for the sender’s Envelope From value but using a fraudulent From header.
3. Cousin domain abuse: Sending email from cousin domains that pass Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting, and Conformance (DMARC) checks. The From value will show a similar sender address that impersonates a real one (for example, using
4. Free email account abuse: Using free email (Yahoo, Gmail, etc.) that passes SPF, DKIM and DMARC checks. The From header will show a legitimate sender address with an executive’s
. the variants are listed in the same order described, along with a legitimate healthcare mailer. Each fraud lists an executive’s name in the From field. Figure 2 shows the details of an attack similar to the first variant in Figure 1.
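As an added illustration (not code from the Cisco paper), the following Python maps a message's Mail From and From header onto the four spoof categories above, from a defender's point of view. The protected domain alpha.com is the paper's; the executive names, the free-mail domain list and the edit-distance heuristic used to spot cousin domains are assumptions made for this example. It deliberately does not evaluate SPF, DKIM or DMARC, since the paper notes that the cousin-domain and free-mail variants pass those checks anyway.

```python
from email.utils import parseaddr

# Constructed assumptions for the example: the protected domain (the paper's
# alpha.com), executives whose display names a spoofer might borrow, and a
# few well-known free-mail domains.
PROTECTED_DOMAIN = "alpha.com"
EXECUTIVE_NAMES = {"alan smith", "beth jones"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an RFC 5322 style address."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def display_name_of(header_value: str) -> str:
    """Return the lower-cased display name of a From header, '' if absent."""
    name, _ = parseaddr(header_value)
    return name.strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used as a cousin-domain heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_cousin_domain(domain: str) -> bool:
    """True for a domain that is not ours but looks like it (a1pha.com,
    alpha-com.com, alphacom.com ...). The threshold of 2 edits is an
    assumption for this example, not a Cisco setting."""
    if not domain or domain == PROTECTED_DOMAIN:
        return False
    # Compare only the first label so alpha.co vs alpha.com still matches.
    ours = PROTECTED_DOMAIN.split(".")[0]
    theirs = domain.split(".")[0]
    return edit_distance(ours, theirs) <= 2 or theirs.startswith(ours)


def classify(mail_from: str, from_header: str,
             rcpt_domain: str = PROTECTED_DOMAIN) -> str:
    """Label an externally received message with the spoof category whose
    identity pattern it matches, or 'not-spoof' when none applies.

    The order follows the paper's numbering. A legitimate third-party
    mailer sending on the customer's behalf (a 'legitimate spoof') will also
    match categories 1 or 2; telling those apart needs policy exceptions,
    which this function does not model."""
    env_dom = domain_of(mail_from)
    hdr_dom = domain_of(from_header)
    name = display_name_of(from_header)

    if env_dom == rcpt_domain:                       # 1. Envelope From abuse
        return "envelope-from-abuse"
    if hdr_dom == rcpt_domain:                       # 2. From header abuse
        return "from-header-abuse"
    if is_cousin_domain(hdr_dom):                    # 3. Cousin domain abuse
        return "cousin-domain-abuse"
    if hdr_dom in FREE_MAIL_DOMAINS and name in EXECUTIVE_NAMES:
        return "free-email-account-abuse"            # 4. Free email account abuse
    return "not-spoof"


if __name__ == "__main__":
    # Constructed sample identities in the same order as Figure 1.
    samples = [
        ("<attacker@alpha.com>", "Alan Smith <alan@alpha.com>"),
        ("<bounce@mailer.example>", "Alan Smith <alan@alpha.com>"),
        ("<alan@a1pha.com>", "Alan Smith <alan@a1pha.com>"),
        ("<alan.smith@gmail.com>", "Alan Smith <alan.smith@gmail.com>"),
        ("<noreply@healthmailer.example>", "Health Notices <notices@healthmailer.example>"),
    ]
    for mail_from, from_header in samples:
        print(f"{classify(mail_from, from_header):26} {mail_from:32} {from_header}")
```

The fifth sample stands in for the paper's legitimate healthcare mailer: it uses its own domain in both identities and so is not flagged, whereas a mailer that legitimately sends with alpha.com in the From header would land in category 2 and has to be handled by an explicit exception rather than by this pattern check.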
Our goal at Cisco is to block any spoofs in these categories but allow legitimate mailers, like the one sending the
healthcare notice, to be delivered. Legitimate mailers are also called “legitimate spoofs” in this white paper.
Figure 1. Forged Mail Attacks on Mailbox alan@alpha.com (figure panels: Envelope From Abuse, From Header Abuse, Cousin Domain Abuse, Free Email Account Abuse)