Tuesday, April 23, 2024

Content filtering in KSMG 2.1 | Kaspersky official blog

When it comes to spam, we usually think of a bunch of absolutely irrelevant advertising letters, which antispam engines filter out with no trouble at all. However, this is far from the most unpleasant thing that can fall into your mailbox. Sometimes spam is used to carry out a DDoS attack on corporate email addresses, and the victim gets bombarded with completely legitimate emails that don’t raise any suspicion of a standard antispam engine.

Registration confirmations attack

In order to perform a mail bomb attack, attackers can exploit the registration mechanisms on the web resources of totally unrelated companies. Using automation tools, they register on thousands of services from different countries using the victim’s email address. As a result, a huge number of confirmations, links to activate your account, and similar letters end up in your mailbox. Moreover, since they’re sent by legitimate mail servers with a good reputation, the antispam engine considers them legal and doesn’t block them.

Examples of registration confirmation emails

Examples of registration confirmation emails used for DDoS attacks on corporate email addresses

As a target the attackers usually choose an address that’s crucial for the company’s work — something that’s used to communicate with clients or partners; for example, a mailbox of the sales department, technical support, or a bank’s address to which applications for mortgage loans are sent. An attack can last for days, and the plethora of emails  simply overload the victim’s mail server and paralyze the work of the attacked department.

To successfully protect a mailbox from such an attack, a more sophisticated tool is required. As one of the approaches to protection against mail bombs, we propose using the personalized content filtering module built into our updated Kaspersky Secure Mail Gateway In particular, in the above example of an attack through registration mechanisms, the operator can block letters based on the presence of the word “registration” in various languages in the Subject field (Registrace | Registracija | Registration | Registrierung | Regisztr√°ci√≥). As a result, emails will be automatically sent to quarantine without reaching the inbox and overloading the mail server.

Personalized mail filter settings

In Kaspersky Secure Mail Gateway version 2.1 we’ve added the following options for filtering incoming and outgoing mail:

  • by letter size;
  • by attachment types and names;
  • by sender — you can specify a specific sender address or a regular expression;
  • by recipients (including hidden ones);
  • by the presence of certain text in the body of the letter (keywords and regular expressions can be added to the dictionary);
  • by the presence of text in the subject of the letter – by keywords, using masks and regular expressions, indicating specific senders;
  • by X-headers.

 

Flexible filtering of business mailings

The new capabilities of our solution can be used not only to protect against email bombs attacks. They can be used, for example, for flexible configuration of B2B-mailout filtering. Not all employees perceive all kinds of business mailings in the same way: for some it makes sense to delve into offers to purchase electronic components; for others such advertisements just clog up their inboxes, while they consider various invitations to participate in conferences or conduct seminars extremely valuable.

Therefore, completely blocking legitimate business mailouts isn’t an option. But on the other hand, it’s also not worth allowing their uncontrolled delivery: someone will always be dissatisfied. Therefore, Kaspersky Secure Mail Gateway doesn’t categorize such letters as spam, but allows you to configure their flexible filtering by senders, recipients, text in the subject or body of the letter, and so on.

You can learn more about Kaspersky Secure Mail Gateway, part of Kaspersky Security for Mail Servers solution on our corporate website.



from Kaspersky official blog https://ift.tt/iMHzxsm
via IFTTT

No comments:

Post a Comment