Email Impersonation Control (EIC) Deployment
Introduction
The Email Impersonation Control service helps you to guard your organization against CEO scams, business email scams, and spear phishing email messages. The Email Impersonation Control (EIC) service checks all email that is inbound to your organization for domain and username impersonation, commonly known as spoofing. EIC checks the legitimacy of all inbound email that appears to be sent from your organization's domains or users.
The Email Impersonation Control Settings page is accessible in the portal at Dashboard > Services > Email Services > Email Impersonation Control Settings.
NOTE: The focus of EIC is the body From (5322.From) header. Symantec still recommends that you implement Spoofed Sender Detection and Symantec's SPF records to tackle spoofing at the envelope sender (5321.MailFrom). There is no connection between EIC and SPF in the portal or in the scanning process, which means that approving a source in EIC will not cause it to be exempt from SPF or DMARC. To approve a source to bypass SPF and/or DMARC, you need to approve it in the Approved Senders list that belongs to Anti-Spam.
EIC Settings
Expand the Default Settings section - focus on Action.
To start, you need to select an action to enable EIC. You can choose to log, tag the subject line, quarantine, redirect to Admin, or block and delete any EIC-flagged email. When you first activate EIC, we recommend that you use either the logging option or the tagging option. Once you are comfortable that the control works as expected, you can move on to a stronger action if you prefer. Currently, the action is shared between Domain and User control.
We'll come back to the approved senders later. For now, select which modes you want to work with; you activate them below, in Domain Control Settings or User Control Settings respectively.
Expand the Domain Control Settings section.
Once you have enabled Domain Impersonation Control, you can quickly add all of your organization's provisioned domains with the "All Provisioned Domains" checkbox. These will be shown as "YourDomain and sub-domains". Additionally, you can manually enter or paste domains into the Domains to Protect text box. Once you have saved your changes, EIC checks the sender information in inbound emails to protect your specified domains.
Expand the User Control Settings section.
The goal of User Impersonation Control is to protect those individuals in your organization who have a higher profile or are more likely to be the targets of business email scams. Once you have enabled User Impersonation Control, you can select one or more LDAP groups that are synchronized with the portal (ClientNet). The sync tool can be found in Tools > Downloads. EIC checks the display names in your LDAP groups against the sender information in an inbound email. Alternatively, you can enter or paste individual usernames into the Protected User Names list.
In either case, we recommend that you add the groups or names of your organization's executives or publicly known employees. The Protected User Names list accepts either one, two, or three names that are separated by a space.
Note that EIC checks the sender information in inbound email for a number of combinations of the names you enter. With this in mind, you don't need to add PMark when the name added previously was Peter Mark.
Expand the Default Settings section - focus on Approved Senders.
Because we're dealing with spoofing, you will come across legitimate sources that spoof you, which means you may need to allow trusted third-party senders. An example of this setup is when a third party, like a marketing company, has been hired to send your users email messages on behalf of your organization. To allow for this trusted sender, you will need to whitelist the marketing company's IP address(es), domain(s), or email address(es). Currently, the approved senders list is shared between Domain and User control.
Note: The wildcard character isn't accepted in the Sender Domains or Sender Email Addresses section. The current iteration only supports 1-1 entries, and sub-domains must also be explicitly added. As for IPs, you can specify plain IPs or address ranges in CIDR notation. We recommend that you exercise caution when whitelisting any domains or email addresses.
Reporting on EIC
This functionality also brings its own reporting option. In ClientNet, go to Reports > Report Requests.
Start a new report here. In the section Email Detailed Report (CSV), you'll see the option for Email Impersonation Control. Select it and set up the remainder of the report as you normally would: pick a time frame, choose whether or not you want it scheduled, and submit.
The report presents the emails that have triggered Domain or User EIC. It includes information related to each email, such as source information (IP, HELO, MSG-ID) and the envelope sender. This information will help you with the process of setting up exceptions, that is, sources which are allowed to spoof emails using either one of your domains or one of your protected users.
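As an added example (not part of the original article or any Symantec tooling), the Python below tallies the sources in a downloaded EIC report that are not yet covered by your approved IP entries, so the busiest unknown senders can be reviewed first. The CSV column names and sample rows are constructed for illustration; adjust them to the header row of the report you actually download.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample rows. The column names are assumptions made for this
# example; match them to the header row of your own EIC report export.
SAMPLE_REPORT = """\
Sender IP,HELO,Message-ID,Envelope Sender
198.51.100.7,mta1.mailer.example,<m1@mailer.example>,bounce@mailer.example
198.51.100.9,mta2.mailer.example,<m2@mailer.example>,bounce@mailer.example
203.0.113.50,mail.unknown.example,<x1@unknown.example>,ceo@unknown.example
203.0.113.50,mail.unknown.example,<x2@unknown.example>,ceo@unknown.example
192.0.2.10,relay.partner.example,<p1@partner.example>,<>
"""


def parse_approved_ips(entries):
    """Turn plain IPs and CIDR ranges into networks (a plain IP becomes a single-host network)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def unapproved_sources(report_text, approved_entries):
    """Count flagged messages per (IP, HELO, envelope domain) not covered by the approved IPs."""
    approved = parse_approved_ips(approved_entries)
    counts = Counter()
    for row in csv.DictReader(io.StringIO(report_text)):
        addr = ipaddress.ip_address(row["Sender IP"].strip())
        if any(addr in net for net in approved):
            continue  # source is already approved by IP or range
        sender = row["Envelope Sender"].strip("<> ")
        domain = sender.rpartition("@")[2].lower() or "<>"  # "<>" marks a null sender
        counts[(str(addr), row["HELO"].strip().lower(), domain)] += 1
    # Highest-volume sources first: review these before adding any exception.
    return [(ip, helo, dom, n) for (ip, helo, dom), n in counts.most_common()]


if __name__ == "__main__":
    for ip, helo, dom, n in unapproved_sources(SAMPLE_REPORT, ["198.51.100.0/24"]):
        print(f"{n:4d}  {ip:15}  {helo:25}  {dom}")
```

A source that appears here is only a candidate for review; confirm that it is a sender you actually contracted before adding it to the approved list.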
Suggested configuration for first use
The initial suggested configuration uses EIC in a passive mode. This comes from the assumption that knowledge of the valid sources will be limited at this point, since we're starting from scratch. We therefore start with the Log Only action to avoid email disruption.
1. Set Action to Log Only
2. Enable Domain Impersonation Control
   - Pick All Provisioned Domains
3. User Impersonation Control
   - Pick Protected User Names
   - Add a selection of names you wish to protect
4. Set up the report
5. Monitor the report
6. Amend the approved sources as needed
7. Repeat 5 and 6 as needed until you are happy with the results, after which you're welcome to update the action to something stronger
Carlos Rios