Help the client to detect fake mails. Make it visible if a mail came via SMTP (and other stuff)
Motivation / Background:
Yesterday a customer called. In this company, there was a 'boss writes secretary: do you have time for me today?' type of mail. The reply address (visible only after Reply was clicked) pointed clearly 'somewhere', but besides this it was very well done - most likely to gather more information in preparation for the next wave of an attack.
Besides all the stuff we do on the servers (like filtering, virus scanning etc.) we should start pointing the user to potential issues - so I suggest adding more individual client-side checks. The following is probably not complete, not everything is helpful for everyone and some are only half baked, but there should be something useful in this list for everyone.
Already before clicking Reply, for incoming mail, make it visible ...
1. SMTP Addresses:
a) ... if a mail was coming from an SMTP source
b) ... if the reply address has more than one @ sign in it. Same for more than one pair of <>, more than one set of ""
b1) Work out a logic for Reply to All for the same
c) ... if the part of the sender displayed to the user is the same as it would be for someone in my contacts (including recent contacts) but still points to a different recipient
c1) Work out a logic for Reply to All for the previous point.
d) ... visualize addresses (from, copy to) that are not in my contacts/recent contacts
d1) on top of d: allow manually adding the address to recent contacts (right click?)
=> Every single one of this list by itself would have identified yesterday's sample as fake - i.m.h.o. we are clearly not giving the end user all the information we should.
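As an added illustration (not code from this post or from any mail client), a Python sketch of checks 1b, 1c and 1d as a client could run them over the From and Reply-To headers before Reply is clicked; the contact list and the sample headers are constructed, with example.com standing in for the company's own domain.

```python
from email.utils import parseaddr

# Constructed contact list standing in for the client's contacts / recent
# contacts: display name (lower-cased) -> address. boss@example.com is the real boss.
CONTACTS = {"the boss": "boss@example.com"}

def header_warnings(label, raw, contacts=CONTACTS):
    """Warnings for one raw From/Reply-To value (checks 1b, 1c, 1d above)."""
    warnings = []
    # 1b: structural oddities that hide the real address behind a familiar one
    if raw.count("@") > 1:
        warnings.append(f"{label}: more than one @ sign")
    if raw.count("<") > 1 or raw.count(">") > 1:
        warnings.append(f"{label}: more than one <> pair")
    if raw.count('"') > 2:
        warnings.append(f"{label}: more than one quoted string")
    name, addr = parseaddr(raw)
    if not addr:  # parseaddr gives up on malformed / multiple addresses
        warnings.append(f"{label}: address could not be parsed")
        return warnings
    # 1c: display name matches a contact, but the address behind it differs
    known = contacts.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        warnings.append(f"{label}: name matches contact {known} but address is {addr}")
    # 1d: address not in contacts / recent contacts at all
    if addr.lower() not in {a.lower() for a in contacts.values()}:
        warnings.append(f"{label}: {addr} is not in contacts")
    return warnings

def message_warnings(headers, contacts=CONTACTS):
    """Check From and Reply-To of one message, and flag a Reply-To that
    points somewhere else than From, as in the sample from the motivation."""
    from_raw = headers.get("From", "")
    warnings = header_warnings("From", from_raw, contacts)
    reply_to = headers.get("Reply-To")
    if reply_to:
        warnings += header_warnings("Reply-To", reply_to, contacts)
        if parseaddr(reply_to)[1].lower() != parseaddr(from_raw)[1].lower():
            warnings.append("Reply-To points to a different address than From")
    return warnings

# Constructed sample: the 'boss writes secretary' mail from the motivation,
# next to a genuine mail from the real boss (which should produce no warning).
FAKE_MAIL = {
    "From": '"The Boss" <boss@mail.example.net>',
    "Reply-To": '"The Boss" <boss@example.com> <reply@mail.example.net>',
}
GENUINE_MAIL = {"From": '"The Boss" <boss@example.com>'}
```

Each warning would become one visible marker in the message view; the fake sample trips several of them while the genuine mail trips none.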
2. Signed Mails
- I might get a new certificate - do I already have one from this user?
- I might have a recent contact and a certificate from Max.email@example.com - if I get another mail from this user: did it come with the same certificate again?
- Make any active element (files, links, code) clearly identifiable (e.g. this could be a red rectangle around 'it' (the element with active code) with a green background or something).
- If someone sends me a link all the time (maybe as part of the message disclaimer), have a way to accept that link as part of a contact / recent contact as harmless (probably at the same time unimportant, too :-) ).
- It is currently way too complicated to look at the complete URL of a long incoming link (edit mode, mark and copy in the property box, open notepad and paste ...). Most of the time, when doing so, I am only trying to find out: how many dots are in the URL, is it http or https, what is the true server the thing is sent to (if there are many dots, what is the last, and winning, domain when opened).
4. Message disclaimer
- Instead of displaying those to me all the time (and leaving it to me to find out if it looks exactly the same as yesterday's) it might be very helpful to be able to mark and accept those (recent contacts?) - and replace it with just a line of text if it is still the same as in the last mail.