Email Security's Paradigm Shift: Inbound Mail

Garrett Poorbaugh
September 1, 2022
Last Updated
September 1, 2022 1:27 AM

Users Inside Deserve Protection, Too

In the last edition of “Email Security’s paradigm shift”, we covered how the authentication methods of SPF, DKIM, and DMARC can help to authenticate business email going to users or clients. We found that these three methods worked exceptionally well to cut down on the possibility of an attacker spoofing our mail, and they allowed us to make sure our voice is the only one delivered when claiming to be from us. However, sending out is not the only challenge facing businesses in the email landscape; we also have to analyze and be protected from what is coming in. This post serves as part two and will dive into methods of detecting malicious intent in incoming email to a business. Paint the picture that your business has perfectly implemented SPF, DKIM, and DMARC. All your mail is valid, and no one is sending on behalf of you. You look into user’s email inboxes, and see a slew of emails claiming the user’s amazon account has a new charge. This email urges them to open the attached statement or view the charge via the amazon link in the email. You start to investigate the email, only to find it is fully authenticated in SPF, DKIM, and DMARC. Justas legitimate people can become compliant in these methods, so can the illegitimate using their own domains. We realize our email security is more than just protecting ourselves from being spoofed; we now need a way to dig deeper on each email and make a determination on its intent to protect our own users.

Internal users are the lifeblood; you cant afford to have them be disillusioned with spam.

Email is Like an Airport Terminal

Thankfully, a solution to help thwart these emails exist, and it goes by the name of Secure Email Gateway, or SEG for short. When we decide to use a SEG, we tell all of our email to flow through this single point for analysis. Think of how boarding a plane pushes everyone through the TSA checkpoint. Using their multitude of detection devices such as x-ray machines, metal detectors, and sniffing dogs, they can analyze large numbers of people and determine if they are carrying potentially dangerous substances, or if they are wanted at a criminal level. For those that have set off alarm bells for potentially meeting this criteria, they are pulled to the side for further questioning. The SEG works in this exact manner with your mail, using its own multitude of special tools including greylisting, impersonation, IP RBL, spam, attachment, and link scanning. When an email is found to be suspicious, it is then held for review and a security analyst can investigate further. In the following sections, we are going to break out what the scanning functions of mainstream SEG’s do and help to understand what they can protect us from.

Your mail goes through a strikingly similair check to TSA when using a SEG.

Impersonation Protection

Impersonating an email domain does not always have to be coming from the exact domain. The term typo squatting tells us that attackers take a email domain that is just barely different from the one they want to appear coming from in order to seem legitimate. Try to tell the difference between these two examples: vs Help@Mí and vs Help@M¡ it may be easy when staring at it, for how quickly emails come in these can often be overlooked by an end user. Impersonation protection identifies the similarity to the well-know domain, and holds the email before being delivered.

Example of manually defined items in Mimecast.


IP RBL stands for IP real-time blackhole list. SEG’s all over the world detect malicious mail, and when a specific sending server is flagged enough times, it falls onto this list to be held immediately. Attackers sending mail from these RBL addresses are more common than might would be expected, and blocking them before doing any more analysis has proven useful.

Example of offending IP on RBL in Mimecast.

Greylist Scanning

Greylisting is a function SEG’s use to ensure the sender is not a robot sending a “fire and forget” spam campaign. We commonly see attackers spin up a temporary email server, send a mass message once, and tear it down to do it all over again without being detected. When we apply grey listing, we make that sending server send another email to us to ensure it still exists. If an attacker was to try this on a SEG, the server would no longer exist after it send the first message, and will not respond, making the email get held for greylisting.

Example of greylisted failed connection attempt in Mimecast.

Spam Scanning

Spam scanning is a huge, overarching term to describe picking out aspects of the email body that have verbiage often used in spam messages. While each tool approaches this differently with their own “flavor” of scanning, the general principal detects the number of keywords words such as “wire”, “immediately”, “pay now”, and so fourth to determine out the likelihood of an email message being sent for illegitimate reasons. Emails urging users to perform an action quickly are chief suspects in this method of detection.  

Example of manual spam scanning definition in Mimecast.

Attachment Scanning

Attachments can very quickly become a problem when sent over email. An email passing all of the prior checks could seem completely legate, and still house a malicious attachment that is waiting to execute on a user’s machine. Scanning these attachments usually comes in two flavors; scanning for the file type to outright block those which we would never allow such as a PowerShell script or executable, and the other being putting the allowed types into a sandbox to execute. The latter works by scanning the contents of, say, a word document at a deep level to determine if there are hidden items stashed within, and in some cases even opening the attachment in a fake machine to observe its behavior. Both methods help identify emails that contain attachments that could harm computers and hold them for further review.

Example of blocked attachment types in Mimecast.

Link Scanning

Lastly, we have link scanning. Through specialized detection, any links in the email are found and ran through a scanner to determine if they lead to suspicious or malicious websites. In addition, businesses often use this to block certain categories of links from being opened from emails. Scanning these links safeguards the user from malicious website, even if they access the email on a computer not behind a firewall.

Example of URL scanning in Mimecast.


We know that protecting our inbound mail is just as important as protecting it going outbound. As we have observed with all of the scanning techniques above, it is a significant challenge to spot these types of attacks through email without a SEG and operating an email environment without one is similair to allowing boarding to a plane without a bag check. By using the specialized features in the SEG, we can help validate and ensure the emails landing in users inboxes are legitimate and non-malicious.

Security Connections to Remember

  • Cutting down on inbound spam is important to protect internal users.
  • A SEG operates like a TSA checkpoint for your email traffic.
  • The SEG employs a multitude of scanning methodologies to identify mail.

Stop Collecting, Start Connecting.

Copyright © 2022 Security Connections. All rights reserved.

Partner of: