Post: security | Feb 6, 2024

Part one: effective strategies against malicious inbound email: utilizing DNSBLs

For mailbox providers, email security issues can seem endless. Phishing attacks, email spoofing, malware distribution, account breaches, and data privacy infringements are just some of the threats that mailbox providers are faced with. According to research from security software company Trend Micro, approximately 91% of cyberattacks start with malicious phishing emails. 

To protect their users, mailbox providers must proactively implement effective strategies and use every available technique and tool. We've partnered with Spamhaus, the trusted authority on IP and domain reputation data, for a two-part series on how to tackle malicious inbound email and keep a squeaky-clean network, starting with blocklists.

Reject as much inbound as possible

Domain Name System Blocklists (DNSBLs), or simply blocklists, are among the most effective tools for filtering unwanted messages out of inbound email traffic. A DNSBL is a dataset published through DNS: the mail server looks up the connecting IP address, or a domain, as a name under the list's zone, and an answer (conventionally an address in 127.0.0.0/8) means the entry is listed. Depending on how the mail server is set up, it can then reject or filter email from IPs or domains observed to be associated with malicious behavior.

Using DNSBLs has multiple benefits, from reducing infrastructure costs and workforce time spent on remediation efforts, to increasing catch rates. A DNSBL containing timely and accurate data can significantly contribute to a low false positive rate and a high rejection rate of malicious emails. However, to achieve maximum results, they must be used at the right points in the email filtering process.

The challenge is removing 99% of unwanted emails, without losing legitimate emails or impacting email infrastructure performance. For maximum efficiency, there are certain best practices to follow when using DNSBLs to filter the email stream. Let us explain.


Using DNSBLs at the initial email connection

First, look up the source IP address of every incoming connection in an IP-based blocklist at the very beginning of the transaction, before the SMTP greeting is sent. Where the IP address is listed, the connection can be dropped or answered with a permanent (5xx) rejection immediately, removing the majority of spam before any SMTP command or message data is accepted. Authenticated submission clients and internal relays should be exempt from this check. Beyond efficient protection, the benefits of implementing this step are many, including reduced costs with fewer emails to process.
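The connect-stage lookup described above, as an added example that is not Halon's or Spamhaus's code. It builds the DNSBL query name for IPv4 and IPv6 clients, interprets the answer, and decides whether to reject before the banner. The zone name, the sub-code meanings (which follow Spamhaus's published ZEN conventions as I understand them; verify against the operator's current documentation) and every entry in the stub resolver are assumptions or constructed test data; in production, replace `stub_resolver` with a real A-record lookup.

```python
"""Connect-stage IP DNSBL check (added example, not the article's own code)."""
import ipaddress
from typing import Callable, Optional

# A resolver maps a DNS name to its first A record, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

ZEN_ZONE = "zen.spamhaus.org"   # assumed zone: ZEN combines the SBL, XBL and PBL

# Assumed answer conventions; confirm with your list operator before relying on them.
LISTING_CODES = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe / low-reputation sender",
    "127.0.0.9": "SBL DROP: hijacked or worst-offender netblock",
    "127.0.0.10": "PBL: ISP-declared end-user range, should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus-declared end-user range",
}
for _i in range(4, 8):          # 127.0.0.4 - 127.0.0.7: XBL, exploited or infected hosts
    LISTING_CODES[f"127.0.0.{_i}"] = "XBL: exploited or infected host"

# Never send these to a public list: they cannot be listed, and the query would
# leak internal topology. Authenticated clients are exempted before this point.
NEVER_QUERY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed (192.0.2.10 -> 10.2.0.192.zone);
    IPv6 as all 32 hex nibbles reversed and dot-separated, as in ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(f"{int(addr):032x}")[::-1]
    return ".".join(labels) + "." + zone


def check_connection(ip: str, resolve: Resolver, zone: str = ZEN_ZONE) -> dict:
    """Decide what to do with a connecting client before the SMTP banner goes out."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NEVER_QUERY):
        return {"action": "accept", "reason": "internal address, not queried"}
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return {"action": "accept", "reason": "not listed"}
    if answer.startswith("127.255.255."):
        # Error sentinels (typo in zone name, open-resolver block, query limit):
        # fail open and alert. Treating these as listings would drop all mail.
        return {"action": "error", "reason": f"list returned error sentinel {answer}"}
    reason = LISTING_CODES.get(answer)
    if reason is None:
        if answer.startswith("127.0.0."):
            reason = f"listed with unknown sub-code {answer}"
        else:
            # A dead or expired zone that a parker wildcards answers every query
            # with a public IP; never treat such an answer as a listing.
            return {"action": "error", "reason": f"unexpected answer {answer}"}
    return {"action": "reject", "reason": reason,
            "smtp_reply": f"554 5.7.1 Service unavailable; client host [{ip}] blocked ({answer})"}


# Constructed test data: these names are not real listings.
CONSTRUCTED_LISTINGS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "20.2.0.192.zen.spamhaus.org": "127.0.0.11",
    "77.2.0.192.zen.spamhaus.org": "127.255.255.254",
}


def stub_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a DNS A lookup (assumption for the example)."""
    return CONSTRUCTED_LISTINGS.get(name)


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.77", "192.0.2.99", "10.1.2.3"):
        print(client, check_connection(client, stub_resolver))
```

The three outcomes matter in practice: a listing is answered with a 5xx and the session is closed, an NXDOMAIN lets the session proceed, and anything else is a list or resolver problem that should page someone rather than block mail.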

Using DNSBLs at the SMTP connection

Domain-based blocklists can be used once the connection has been established and before the DATA command, while the SMTP envelope is being exchanged. Ideally, inspect the:

  1. reverse DNS of the connecting IP;
  2. MAIL FROM domain;
  3. and the domain contained in the HELO. 

In the case of a positive response, the email can be rejected with a 5xx reply before any message data is transferred, or marked up for inspection during content filtering. Not every session yields all three names: the connecting IP may have no reverse DNS, the HELO may carry an address literal such as [192.0.2.10] rather than a hostname, and bounces use the null sender <>, so only genuine domain names should be sent to a domain list. This step reduces unnecessary content scanning, preserves infrastructure capacity for sustained spam campaigns, and further reduces the opportunity for users to engage with malicious email.

Using DNSBLs for content inspection

IP- and domain-based blocklists can also be applied during detailed inspection of the headers and body. This covers the originating IP address taken from the Received headers, the Reply-To and sender addresses, domains in URLs in the message body, and domains referenced in attachments. A hit here can still reject the message at the end of DATA, or tag it for quarantine. With this final step, combined with the previous two, catch rates are as high as they can be.
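Both the envelope-stage checks (reverse DNS, MAIL FROM, HELO) and the content-stage checks (Reply-To, sender, URLs in the body) described above, as one added example that is not Halon's or Spamhaus's code. It shows the part that is easy to get wrong: extracting only real domain names from each source and keeping IP-shaped strings, address literals and the null sender away from a domain list. The zone name, the answer codes (Spamhaus DBL conventions as I understand them; verify with the operator), the stub resolver and the sample message are all assumptions or constructed test data. Whether a subdomain of a listed domain also matches is defined by the list operator; this example queries each name exactly as found.

```python
"""Envelope- and content-stage domain blocklist checks (added example)."""
import email
import ipaddress
import re
from email import policy
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]       # DNS name -> first A record or None
DBL_ZONE = "dbl.spamhaus.org"                   # assumed zone for the example
DBL_CODES = {                                   # assumed answer conventions
    "127.0.1.2": "spam", "127.0.1.4": "phish", "127.0.1.5": "malware",
    "127.0.1.6": "botnet C&C", "127.0.1.102": "abused legitimate (spam)",
    "127.0.1.104": "abused legitimate (phish)",
}
DBL_IP_QUERY_REFUSED = "127.0.1.255"            # answer when an IP is sent to the list
FQDN = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def normalize_domain(name: Optional[str]) -> Optional[str]:
    """Lower-case, drop the trailing dot, and return None for anything that is not
    a hostname: HELO address literals like [192.0.2.10], bare IPs, empty strings."""
    if not name:
        return None
    name = name.strip().lower().rstrip(".")
    if not name or name.startswith("["):
        return None
    try:
        ipaddress.ip_address(name)
        return None                              # an IP, not a domain
    except ValueError:
        pass
    return name if FQDN.fullmatch(name) else None


def mail_from_domain(mail_from: str) -> Optional[str]:
    """Domain of the envelope sender; None for the null sender <> used by bounces."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return normalize_domain(addr.rsplit("@", 1)[1])


def envelope_candidates(rdns: Optional[str], helo: str, mail_from: str) -> dict:
    """The three pre-DATA names from the article, keyed by where each came from."""
    cands = {}
    if (d := normalize_domain(rdns)):
        cands["rdns"] = d
    if (d := normalize_domain(helo)):
        cands["helo"] = d
    if (d := mail_from_domain(mail_from)):
        cands["mail_from"] = d
    return cands


def content_candidates(raw: bytes) -> dict:
    """Header and body domains for the content-inspection stage."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    cands = {}
    for hdr in ("From", "Reply-To"):
        if msg[hdr] is not None:
            for a in msg[hdr].addresses:
                if (d := normalize_domain(a.domain)):
                    cands[hdr.lower()] = d
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        for i, host in enumerate(URL_HOST.findall(body.get_content())):
            if (d := normalize_domain(host)):
                cands[f"url{i}"] = d
    return cands


def check_domains(cands: dict, resolve: Resolver, stage: str, zone: str = DBL_ZONE) -> dict:
    """Query every candidate; listed means reject pre-DATA, tag at the content stage."""
    hits, errors = {}, {}
    for source, domain in cands.items():
        answer = resolve(f"{domain}.{zone}")
        if answer is None:
            continue
        if answer == DBL_IP_QUERY_REFUSED:       # should be unreachable after normalize_domain
            errors[source] = f"{domain}: IP-shaped query refused by the list"
            continue
        hits[source] = (domain, DBL_CODES.get(answer, f"listed ({answer})"))
    action = "accept" if not hits else ("reject" if stage == "envelope" else "tag")
    return {"action": action, "hits": hits, "errors": errors}


# Constructed test data: none of these are real listings or real mail.
CONSTRUCTED = {
    "phish-login.example.dbl.spamhaus.org": "127.0.1.4",
    "spamdomain.example.dbl.spamhaus.org": "127.0.1.2",
    "mailer.spamdomain.example.dbl.spamhaus.org": "127.0.1.2",
}
SAMPLE_MESSAGE = (b"From: Accounts <billing@legit.example>\r\n"
                  b"Reply-To: <support@phish-login.example>\r\n"
                  b"Subject: Invoice\r\n"
                  b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
                  b"Review at https://PHISH-LOGIN.example/login or https://legit.example/x\r\n")


def stub_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED.get(name)


if __name__ == "__main__":
    env = envelope_candidates("mailer.spamdomain.example.", "[192.0.2.10]", "<bounce@spamdomain.example>")
    print("envelope:", check_domains(env, stub_resolver, "envelope"))
    print("content:", check_domains(content_candidates(SAMPLE_MESSAGE), stub_resolver, "content"))
```

In the sample session the HELO is an address literal and so is never queried, the reverse DNS and MAIL FROM domains are listed and the session is rejected before DATA; in the sample message the From domain is clean but the Reply-To and one URL are listed, so it is tagged.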

How to set up an internal DNSBL

Finally, a company might have business-specific requirements that prevent it from accepting email from certain entities. For example, it might need to block email from large organizations that public lists treat as "too big to block." In such cases, an in-house DNSBL, which the mail server queries in exactly the same way as an external one, can block specific IPs or domains that no externally consumed DNSBL contains.
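One way to publish such an internal list, as an added example not taken from the article: a BIND-style zone served only by the organization's own resolvers, which the MTA queries like any other IP blocklist. The zone name, name server, addresses, return codes and TXT wording are all assumptions; a domain list is built the same way, with the domain itself as the label instead of the reversed address.

```zone
; Internal IP blocklist zone (added example; names and addresses are assumptions).
; Serve from internal resolvers only and never delegate it publicly.
$ORIGIN bl.internal.example.
$TTL 300                        ; short TTL so delistings take effect quickly
@       IN SOA  ns1.internal.example. hostmaster.internal.example. (
                2024020601      ; serial: increment on every change
                3600            ; refresh
                600             ; retry
                86400           ; expire
                300 )           ; negative-cache TTL: how long "not listed" is cached
        IN NS   ns1.internal.example.

; IPv4 entries use the address with its octets reversed (192.0.2.10 -> 10.2.0.192).
; Choose your own return codes inside 127.0.0.0/8 and stay out of 127.255.255.0/24,
; which public lists use to signal query errors; the TXT record becomes the
; reason shown in the SMTP rejection.
10.2.0.192      IN A    127.0.0.2
10.2.0.192      IN TXT  "Blocked by local policy"

; A wildcard lists every address in a /24 (here all of 198.51.100.0/24).
*.100.51.198    IN A    127.0.0.3
*.100.51.198    IN TXT  "Blocked: sender excluded by business policy"
```

After loading the zone, verify it the way the MTA will use it: `dig +short 10.2.0.192.bl.internal.example @ns1.internal.example` should answer 127.0.0.2, and a query for an unlisted reversed address should return NXDOMAIN, not an error.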

Simple implementation

Following best practices and applying blocklists at the right points in the email process can eliminate most unwanted emails, further enhancing DNSBLs as a spam prevention solution. Sounds complicated? Halon has done all the hard work, so users can deploy this protection setup within a few minutes to get immediate real-time protection - learn more here.

Blocklists aren’t the only way to protect a network from incoming email threats. In part two of this series, we will deep dive into further effective strategies that can enable the identification and classification of incoming malicious emails, this time using your own data. Stay tuned on Thursday, 8 February 2024 as Spamhaus shares part two of this series.