June 26, 2020

Due to the large number of requests being received by Doctor Web's technical support service that are related to hackers’ email-penetration activities, we’ve decided to recall the rules that help users avoid such incidents. And also to remind users about the features of Dr.Web products that protect mail servers.

Dr.Web and email protection: Back to basics

When analysing requests coming into Doctor Web's technical support service in recent months, we see a surprising picture. In the incident analysis results, messages, as if carbon-copied, keep describing incidents whose details are the same:

• ...unauthorised sign-in as a result of one of the account passwords getting cracked;
• ...after signing in, a cybercriminal runs an encrypted script via the RDP protocol;
• ...according to the latest report, there is a server with address in your network with a suspicious network activity;
• ...the Dr.Web anti-virus was installed... on the server... after encryption occurred.

Companies lose their data, face downtimes, and waste time and money on re-establishing their infrastructure but perceive what’s happened as a disappointing accident, without making changes to their information security system. We have often encountered cases of infection in the same companies for this reason.

Our technical support specialists respond with the same written recommendations to almost every request, and they are repeated in refrain in Anti-virus Times issues—but we get the impression that we’re the only ones reading them.

Meanwhile, strictly following simple rules helps avoid the vast majority of security incidents. Let's repeat these rules in a news format.

• Email should be filtered on the server

  A company’s employees may work both in the office and at home, including on their own devices. Even if a user disables their anti-virus or works without anti-virus protection, they must not receive emails from cybercriminals. Because an email can contain a link to a malicious website, a malicious attachment, or instructions that are allegedly from the company CEO, directing the transfer of money to a scam account.

  Email messages should be checked on the mail server.

  This will prevent employees from receiving fraudulent emails.

• It's not necessary to filter the email of all employees

  Managers at various levels and CEOs face the biggest risk of opening malicious or fraudulent email—because it's part of their job to read all emails (messages about claims and fines, directions from upper management, invitations to collaborate). Up to 40% of a company’s employees open all emails. Even if the company has recently conducted training on the topic of cybersecurity.

  When it comes to anti-virus protection, no one should be exempt—no employees should receive emails sent by cybercriminals.

  Email messages should be checked on the mail server.

• Each email should be scanned

  It is impossible to protect yourself from receiving emails from cybercriminals using only mail server settings (for example, SPF technology, DKIM technology, etc.) if your partner's server is compromised. Cybercriminals can send emails from trusted but compromised mail servers.

  Emails should be filtered on the basis of an analysis of the message contents.

How can companies ensure compliance with these rules at the least cost?

By migrating to Dr.Web Mail Security Suite for UNIX—because this is the best-in-class anti-virus and anti-spam email filtering solution.

1. Dr.Web uses rules to analyse email messages and identify signs that are typical of malicious mailings. One rule can cut off all the mailings being sent by a single spammer.
2. The Dr.Web anti-virus detects not only known malicious programs but also malware that hasn't yet been analysed by the anti-virus laboratory—this is the traditional advantage of Dr.Web.
3. Dr.Web Anti-spam is updated every hour, but in general, daily updates are enough—the system of rules according to which it operates, even with rare updates, prevents its effectiveness from being decreased.
4. Dr.Web protects email on almost all known mail servers and works on almost all Linux, FreeBSD and Solaris OSs.
5. This solution can be installed as a mail gateway to ensure the isolation of an internal server and maximum filtration quality.
6. Migration to a new server does not cause interruptions in a company's business processes and does not require that time be spent on replacing a license.
7. Dr.Web can be used both in a small company and a multi-level corporation, ensuring work in clusters, the use of external databases and a local cloud, the flexible expansion of features, and integration with external products.
8. Dr.Web Mail Security Suite for UNIX can be integrated with monitoring systems.
9. The system administrator can choose how to manage security: via the web interface, the centralised corporate anti-virus protection system, or even by directly editing configuration files.

Dr.Web Mail Security Suite for UNIX:

1. can be installed both using a universal installation package and from the repository;
2. detects malicious attachments, potentially dangerous resource links, and signs of spam and phishing in email messages;
3. if necessary, provides for the organisation of a distributed data scan;
4. uses the latest technologies and Dr.Web Cloud rules to detect threats that are so new, they haven't yet been analysed by the Doctor Web anti-virus laboratory;
5. the flexibility of the Lua language, used in customised event handlers, and the large volume of information available from the processing procedure allows administrators to undertake not only typical message scans for spam and search for nested threats or malicious URLs but also implement the verification of arbitrary conditions together with the generation of the verdicts required to process email messages scanned by the email server;
6. uses blacklists and whitelists, data from DNSBL servers and DKIM technology to filter messages;
7. filters messages by checking message bodies and headers, using regular expressions set by the administrator;
8. not only customises actions for different categories of spam but also filters email messages according to their contents;
9. modifies a filtered message if the signs set in the application's rules are detected;
10. can be used if a company uses a mail cluster or has backup servers in case of failure. This does not affect the license cost—we protect according to the number of users;
11. can operate as a transparent proxy or a proxy that checks traffic to transfer it to a specified mail server;
12. protects the objects of the operating system on which Dr.Web is installed.

#email #spam #phishing #Dr.Web