
    Whack a mole: Dealing with Spam/Phishing

    IT Discussion
    phishing spam filtering spam o365 email security email filtering
    • gjacobse

      We seem to have developed a really unhealthy practice when dealing with Spam and Phishing emails, and I equate it to playing whack a mole on an ant hill - I mean really.. some random name at Gmail sends a phish email, it's reported and we block that email address. Because we can't block Gmail globally.

      We employ TrendMicro HES - Hosted Email Security and it filters a bit as any would and yes captures some that it shouldn't.

      It seems that this has become a really bad habit and a poor solution to the overall problem. What is a better way to deal with this?

      • IRJ @gjacobse

        @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

        It seems that this has become a really bad habit and a poor solution to the overall problem. What is a better way to deal with this?

        Awareness training and actual testing is the best way to handle this. Blocking random Gmail addresses one by one is a complete waste of time.

        You should be training and testing your employees with your own phishing campaign. Once they get fooled a few times and see their stats being recorded, they will become more cautious.

        • gjacobse @IRJ

          @irj said in Whack a mole: Dealing with Spam/Phishing:

          Awareness training and actual testing is the best way to handle this

          We do MONTHly testing - and training during onboarding and as needed (Lunch and Learn)...

          • 1337 @gjacobse

            @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

            @irj said in Whack a mole: Dealing with Spam/Phishing:

            Awareness training and actual testing is the best way to handle this

            We do MONTHly testing - and training during onboarding and as needed (Lunch and Learn)...

            Do you receive spam from gmail to your public email addresses or to everyone at the organization?

            I assume the emails are authenticated (SPF, DKIM, DMARC) and delivered by Google as well?

            • gjacobse @1337

              @pete-s said in Whack a mole: Dealing with Spam/Phishing:

              @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

              @irj said in Whack a mole: Dealing with Spam/Phishing:

              Awareness training and actual testing is the best way to handle this

              We do MONTHly testing - and training during onboarding and as needed (Lunch and Learn)...

              Do you receive spam from gmail to your public email addresses or to everyone?

              They are received to one to several persons - never 'ALL-Staff'.

              • 1337 @gjacobse

                @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

                @pete-s said in Whack a mole: Dealing with Spam/Phishing:

                @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

                @irj said in Whack a mole: Dealing with Spam/Phishing:

                Awareness training and actual testing is the best way to handle this

                We do MONTHly testing - and training during onboarding and as needed (Lunch and Learn)...

                Do you receive spam from gmail to your public email addresses or to everyone?

                They are received to one to several persons - never 'ALL-Staff'.

                OK, well I guess it's really a question of how effective the spam filtering is and how you have configured it.

                Just a couple of minutes ago I got one of those gmail scams but it was classified as spam. It was sent from google's servers so looks legit when it comes to IP reputation, SPF, DKIM, DMARC etc. It's only the content that is suspicious when you read it. No links or anything.

                Maybe you should have a look at what settings you have in Trend Micro. Perhaps you can make a rule specifically for gmail.com addresses that have stronger spam/phishing detection.

                1 Reply Last reply Reply Quote 1
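Added example (not part of the thread, and not Trend Micro's rule syntax): a Python sketch of the point made in the post above, that scam mail sent through Gmail passes SPF, DKIM and DMARC, so a per-address blocklist only catches addresses already seen, while a stricter content threshold for freemail senders catches the next one. The messages, keyword weights, thresholds and the `example.org` / `vendor.example` names are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

FREEMAIL_DOMAINS = {"gmail.com"}            # assumption: domains given the stricter rule
DEFAULT_THRESHOLD, FREEMAIL_THRESHOLD = 5, 3  # assumed scores, quarantine at >= threshold
# Stand-in for a real content engine: phrase -> weight (constructed values).
PHRASE_WEIGHTS = {"are you available": 2, "urgent": 2, "gift card": 3,
                  "wire transfer": 3, "confidential": 1}

def make_raw(sender, domain, body):
    """Build a constructed message that passes SPF, DKIM and DMARC."""
    return (f"From: {sender}\nTo: staff@example.org\nSubject: Quick request\n"
            f"Authentication-Results: mx.example.org; spf=pass smtp.mailfrom={domain}; "
            f"dkim=pass header.d={domain}; dmarc=pass header.from={domain}\n\n{body}\n")

def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg["Authentication-Results"] or ""))

def content_score(body):
    text = body.lower()
    return sum(w for phrase, w in PHRASE_WEIGHTS.items() if phrase in text)

def blocklist_only(msg, blocklist):
    """The whack-a-mole process: block only senders that were already reported."""
    sender = parseaddr(msg["From"])[1].lower()
    return "blocked-sender" if sender in blocklist else "deliver"

def classify(msg, blocklist):
    """Blocklist, then authentication, then a content threshold chosen by sender domain."""
    sender = parseaddr(msg["From"])[1].lower()
    if sender in blocklist:
        return "blocked-sender"
    auth = auth_results(msg)
    if any(auth.get(k) != "pass" for k in ("spf", "dkim", "dmarc")):
        return "quarantine"
    domain = sender.rpartition("@")[2]
    threshold = FREEMAIL_THRESHOLD if domain in FREEMAIL_DOMAINS else DEFAULT_THRESHOLD
    return "quarantine" if content_score(msg.get_content()) >= threshold else "deliver"

SCAM = "Are you available? I need a quick favour and it is confidential."
BLOCKLIST = {"hr.desk.7731@gmail.com"}      # address reported and blocked last week
MESSAGES = [message_from_string(raw, policy=policy.default) for raw in (
    make_raw("hr.desk.7731@gmail.com", "gmail.com", SCAM),   # already blocked
    make_raw("hr.desk.9042@gmail.com", "gmail.com", SCAM),   # same scam, new address
    make_raw("sales@vendor.example", "vendor.example",
             "Are you available for a call about the confidential contract renewal?"),
)]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["From"], auth_results(m), blocklist_only(m, BLOCKLIST), classify(m, BLOCKLIST))
```

The second message authenticates exactly like the first and is delivered by the blocklist-only process; only the content rule scoped to freemail senders stops it, and the business sender with the same score is still delivered.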
                • scottalanmiller @IRJ

                  @irj said in Whack a mole: Dealing with Spam/Phishing:

                  Awareness training and actual testing is the best way to handle this. Blocking random Gmail addresses one by one is a complete waste of time.

                  The difference compared to whack-a-mole is that in the game the moles will appear at each hole some number of times. With the Gmail spam attack, it's typically one and done. Unlimited possible email addresses to come from (essentially literally) and no expectation of repeating.

                  The problem is the process... why would someone be reporting spam and why is someone blocking it? That doesn't make sense. Get a good spam filter, configure, train people how to delete, done.

                  • gjacobse @scottalanmiller

                    @scottalanmiller said in Whack a mole: Dealing with Spam/Phishing:

                    The problem is the process... why would someone be reporting spam and why is someone blocking it? That doesn't make sense. Get a good spam filter, configure, train people how to delete, done

                    "But this is the way we (they) have always done it... "

                    • 1337 @gjacobse

                      @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

                      @scottalanmiller said in Whack a mole: Dealing with Spam/Phishing:

                      The problem is the process... why would someone be reporting spam and why is someone blocking it? That doesn't make sense. Get a good spam filter, configure, train people how to delete, done

                      "But this is the way we (they) have always done it... "

                      You mean they are "reporting" as in actually reporting it to someone? And not by marking it as spam in the email client?

                      Yeah, that doesn't make any sense. Far too time consuming.

                      • gjacobse @1337

                        @pete-s said in Whack a mole: Dealing with Spam/Phishing:

                        @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

                        @scottalanmiller said in Whack a mole: Dealing with Spam/Phishing:

                        The problem is the process... why would someone be reporting spam and why is someone blocking it? That doesn't make sense. Get a good spam filter, configure, train people how to delete, done

                        "But this is the way we (they) have always done it... "

                        You mean they are "reporting" as in actually reporting it to someone? And not by marking it as spam in the email client?

                        Yeah, that doesn't make any sense. Far too time consuming.

                        Outlook Toolbar.. Reporting
                        d4517c20-ac54-44fd-a195-1b6ef87caf87-image.png

                        • 1337 @gjacobse

                          @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

                          @pete-s said in Whack a mole: Dealing with Spam/Phishing:

                          @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

                          @scottalanmiller said in Whack a mole: Dealing with Spam/Phishing:

                          The problem is the process... why would someone be reporting spam and why is someone blocking it? That doesn't make sense. Get a good spam filter, configure, train people how to delete, done

                          "But this is the way we (they) have always done it... "

                          You mean they are "reporting" as in actually reporting it to someone? And not by marking it as spam in the email client?

                          Yeah, that doesn't make any sense. Far too time consuming.

                          Outlook Toolbar.. Reporting
                          d4517c20-ac54-44fd-a195-1b6ef87caf87-image.png

                          OK, but that just ends up sending an alert email to the designated phishing mail contact, which is IT right?

                          It would have made more sense if those emails had been forwarded to Trend Micro automatically and their adaptive algorithm would have learned how to detect them.

                          Right now Trend Micro doesn't have a clue what emails their users are classifying as spam or phishing attempts. Because that happens way after the email has passed through their gateway.

                          • 1337 @1337

                            @gjacobse

                            Right now Trend Micro doesn't have a clue what emails their users are classifying as spam or phishing attempts. Because that happens way after the email has passed through their gateway.

                            I believe that using the email provider's spam and fraud detection has the potential to be better than any external gateway.

                            Assume that most users also use the provider's email app.

                            In Zoho for example, I believe that when users mark email as spam/fraud, it automatically trains Zoho's detection algorithms. After a while it will have learned how to detect those emails.

                            I don't think that's possible when the email filtering solution never will get the users' feedback.

                            • scottalanmiller @1337

                              @pete-s said in Whack a mole: Dealing with Spam/Phishing:

                              I believe that using the email provider's spam and fraud detection has the potential to be better than any external gateway.

                              I am of that opinion as well. And SO much easier. I have no idea why people choose these external, and expensive, and generally flaky, tools. We deal with some of these all the time, and I know Trend Micro specifically is useless crap.

                              • scottalanmiller @1337

                                @pete-s said in Whack a mole: Dealing with Spam/Phishing:

                                In Zoho for example, I believe that when users mark email as spam/fraud, it automatically trains Zoho's detection algorithms. After a while it will have learned how to detect those emails.

                                It does. We use that and it's not the best, but it's good. Certainly worlds better than Trend Micro and SO much cheaper.

                                • scottalanmiller @1337

                                  @pete-s said in Whack a mole: Dealing with Spam/Phishing:

                                  I don't think that's possible when the email filtering solution never will get the users' feedback.

                                  It would be plausible, but super convoluted for the end users to do. They'd have to do a submission process. No one will do that.

                                  • scottalanmiller

                                    I have my email account set as the catchall for our domain on Zoho so I get absolutely every stupid random spam crap that there could be and surprisingly, it's very little. It's a few a day, and Gmail tends to get through the most. But because they send to fake accounts, I know instantly 100% that it is SPAM and mark it as such. Takes almost no effort, it's only a few a day, and does a lot to make our SPAM detection that much better before the team gets hit with it.

                                    • Dashrender @1337

                                      @pete-s said in Whack a mole: Dealing with Spam/Phishing:

                                      @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

                                      @pete-s said in Whack a mole: Dealing with Spam/Phishing:

                                      @gjacobse said in Whack a mole: Dealing with Spam/Phishing:

                                      @scottalanmiller said in Whack a mole: Dealing with Spam/Phishing:

                                      The problem is the process... why would someone be reporting spam and why is someone blocking it? That doesn't make sense. Get a good spam filter, configure, train people how to delete, done

                                      "But this is the way we (they) have always done it... "

                                      You mean they are "reporting" as in actually reporting it to someone? And not by marking it as spam in the email client?

                                      Yeah, that doesn't make any sense. Far too time consuming.

                                      Outlook Toolbar.. Reporting
                                      d4517c20-ac54-44fd-a195-1b6ef87caf87-image.png

                                      OK, but that just ends up sending an alert email to the designated phishing mail contact, which is IT right?

                                      It would have made more sense if those emails had been forwarded to Trend Micro automatically and their adaptive algorithm would have learned how to detect them.

                                      Right now Trend Micro doesn't have a clue what emails their users are classifying as spam or phishing attempts. Because that happens way after the email has passed through their gateway.

                                      That's interesting.

                                      With Appriver - we forward emails to [email protected] and appriver deals with it. Other than constantly reminding people that's where the report needs to go - I don't really deal with it.

                                      Though as Scott mentioned - so much spam is a once and done situation - so reporting it is often pointless.

                                      • Dashrender @scottalanmiller

                                        @scottalanmiller said in Whack a mole: Dealing with Spam/Phishing:

                                        @pete-s said in Whack a mole: Dealing with Spam/Phishing:

                                        I believe that using the email provider's spam and fraud detection has the potential to be better than any external gateway.

                                        I am of that opinion as well. And SO much easier. I have no idea why people choose these external, and expensive, and generally flaky, tools. We deal with some of these all the time, and I know Trend Micro specifically is useless crap.

                                        I recently tried to get rid of ours - sadly our insurance provider required a third party spam/virus filter that is not our email provider to qualify for the coverage.
                                        No, I wasn't given the chance to tell them to look at other insurance where they don't have dumb rules like that.

                                        • Dashrender @scottalanmiller

                                          @scottalanmiller said in Whack a mole: Dealing with Spam/Phishing:

                                          @pete-s said in Whack a mole: Dealing with Spam/Phishing:

                                          I don't think that's possible when the email filtering solution never will get the users' feedback.

                                          It would be plausible, but super convoluted for the end users to do. They'd have to do a submission process. No one will do that.

                                          My users do.

                                          • Dashrender @scottalanmiller

                                            @scottalanmiller said in Whack a mole: Dealing with Spam/Phishing:

                                            I have my email account set as the catchall for our domain on Zoho so I get absolutely every stupid random spam crap that there could be and surprisingly, it's very little. It's a few a day, and Gmail tends to get through the most. But because they send to fake accounts, I know instantly 100% that it is SPAM and mark it as such. Takes almost no effort, it's only a few a day, and does a lot to make our SPAM detection that much better before the team gets hit with it.

                                            Are there so few because their filter is already catching so much of it? Or your domain just happens to not get much?
