Zimbra Collaboration Suite and Anti-Phishing

Let’s get back to security, and to email security in particular: this article addresses the delicate and extremely important topic of phishing and looks at what measures can be taken in Zimbra to respond to this type of threat.

Phishing

Phishing is a cybercrime where the victim is contacted via email, phone or text message by someone posing as a legitimate institution. The user is lured by these messages and asked to provide sensitive data such as, for example, personally identifiable information, bank and credit card details, and passwords. The information collected is then used to gain access to important accounts and lead to identity theft and damage of various kinds, not least of which is financial.

An easy-to-solve problem?

One might consider the problem easily solved. At first glance, it would be enough to explain the basics of security to a company’s users: how to spot suspicious email or web addresses even when they seem trustworthy on the surface, and how to evaluate email attachments arriving from such addresses. But this procedure, easy only on paper, is far from a guarantee of success, if only because an employee very often has neither the time nor the attention to examine in detail the mails they receive and the attachments they contain. It therefore becomes crucial for the IT department to identify the right software solution to the problem, to provide proper protection and prevent attacks.

Zimbra Solution

A first solution to the problem, within Zimbra Collaboration Suite, is provided by the bundle of Amavis, SpamAssassin and ClamAV, which is responsible for filtering incoming mail in Zimbra. This solution allows you to cut off most of the incoming phishing and spam emails at the entrance, but it doesn’t guarantee full protection against a phishing threat. A more drastic solution, such as setting up a rule for DKIM, can come to the rescue.

DKIM

We can set up a rule in OpenDKIM according to which all emails sent from a domain other than the declared one simply do not reach the recipient address (or addresses). This is done by editing the file /opt/zimbra/conf/opendkim.conf.in and adding the following lines:

On-NoSignature reject
Mode sv

After that, you just need to restart OpenDKIM with the zmopendkimctl restart command for the changes to take effect.

Using this method, however, has some drawbacks, because it causes the mail server to reject any mail that does not carry a DKIM signature, including legitimate mail from domains that simply do not sign, which is not exactly optimal.
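As an added illustration (not code from the article or from OpenDKIM itself), this small Python model applies the two directives above to a few constructed messages and makes the drawback visible: every sender whose domain does not sign, legitimate or not, is rejected. It assumes the defaults documented in opendkim.conf(5), Mode sv and On-NoSignature accept; the message headers and sender addresses are constructed.

```python
import email

# Constructed copy of the two directives the article adds to opendkim.conf.in.
CONFIG = """
On-NoSignature reject
Mode sv
"""

# Constructed inbound messages: one DKIM-signed, one unsigned from a look-alike
# sender, and one unsigned from a legitimate partner whose domain does not sign.
MESSAGES = {
    "signed": (
        "From: ceo@example.com\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; b=PLACEHOLDER\n"
        "Subject: Q3 invoice\n\nbody\n"
    ),
    "spoofed_unsigned": "From: ceo@examp1e.com\nSubject: Q3 invoice\n\nbody\n",
    "partner_unsigned": "From: billing@partner.example\nSubject: Q3 invoice\n\nbody\n",
}


def parse_config(text: str) -> dict:
    """Parse 'Key value' lines as laid out in opendkim.conf; skip blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def disposition(conf: dict, raw: str) -> str:
    """Return 'accept' or 'reject' for one message under the parsed config.

    Only the verifier ('v' in Mode) inspects inbound mail, so a signer-only setup
    rejects nothing. A message with no DKIM-Signature header gets the On-NoSignature
    action (default accept). A present signature is modelled as accepted here; the
    real milter would verify it against the signing domain's DNS key.
    """
    if "v" not in conf.get("Mode", "sv"):
        return "accept"
    if email.message_from_string(raw).get("DKIM-Signature") is None:
        return conf.get("On-NoSignature", "accept").lower()
    return "accept"


def audit(conf_text: str, messages: dict) -> dict:
    """Map each message name to its disposition under the given config text."""
    conf = parse_config(conf_text)
    return {name: disposition(conf, raw) for name, raw in messages.items()}
```

Running audit(CONFIG, MESSAGES) rejects both unsigned messages, the spoofed one and the legitimate partner's, which is exactly the trade-off the paragraph above describes.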

Best Practices

We’ve seen some possible solutions, but each has advantages and disadvantages. In addition, there are typically many different ways to attack. A common example is an attack in the form of a new invoice apparently sent from a trusted email address. This fake invoice, once opened, is able to propagate the attack throughout the company. It is therefore important to set up an effective plan to defend against potential attacks, using all the tools available in Zimbra, as described in the “Zimbra Best Practices: Incoming Mail Protection” article.
