If you receive an e-mail from a free.fr address, be CAREFUL! Two weeks after the theft of Free's data, the operator still hasn't secured its domains with a DMARC policy worthy of the name! It's time to think about securing your email flows.
DMARC to secure your email flows: the basics
DMARC is not a panacea. It's not a miracle solution to identity theft or to securing email flows. But it does make the job a lot harder for hackers. And on that front, a week after "losing" the data of 19 million customers, Free can't be said to have acted.
Granted, that's understandable. Deploying DMARC in a large organization takes time (lots of email flows in all directions). A reject policy can't be improvised. But there are intermediate steps that could have been taken in a hurry (in fact, they should have been taken a few years ago).
It's worth remembering that the overwhelming majority of attempted scams using stolen data use 3 channels: phone calls, SMS and email. Often all 3 channels are used simultaneously. It is therefore essential to secure email to reduce the risks.
How secure are Free's email flows? Here's the lowdown.
Let's take a look at the domains used by Free that I've seen in my inbox over the last few weeks:
- freetelecom.fr: used for communication on Freebox subscriptions (and to send notification of data theft).
- free-mobile.fr: used for communication on Free Mobile subscriptions (and to send notification of data theft).
- news.oqee.net: used to communicate TV offers.
- free.fr: not used for emailing (from what I've seen), but the destination domain for most of the links in Free's emails.
Important note: don't limit domain security to domains that send legitimate e-mail. Hackers don't care! You need to secure all root domains and sub-domains.
Let's analyze the DMARC records of the domains presented above:
- freetelecom.fr: no DMARC record
- free-mobile.fr:
v=DMARC1; p=none; sp=none; adkim=s; aspf=s; rua=mailto:postmaster@free-mobile.fr; ruf=mailto:postmaster@free-mobile.fr; rf=afrf; pct=100; ri=86400
- news.oqee.net:
v=DMARC1; p=none; rua=mailto:spam-report@oqee.tv; ruf=mailto:spam-report@oqee.tv; fo=1
- oqee.net: no DMARC record
- free.fr:
v=DMARC1;p=none;adkim=r;aspf=r;sp=none
Conclusions on the DMARC records:
- No restrictive policy (p=) applied
- 2 out of 5 domains without a DMARC record
- 3 out of 5 domains without DMARC monitoring
- The two domains with DMARC feedback addresses probably don't monitor anything, judging by the look of the email addresses used.
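The same audit can be scripted. The following is an added example, not code from the article's author: it parses the records exactly as quoted above (no DNS lookup is made) and reproduces the counts in the conclusions. The function names `parse_dmarc`, `audit` and `summarize` are hypothetical.

```python
# Added example: audit the DMARC records quoted in this article (offline, no DNS).
RECORDS = {  # values copied from the article; None means no DMARC record published
    "freetelecom.fr": None,
    "free-mobile.fr": "v=DMARC1; p=none; sp=none; adkim=s; aspf=s; "
                      "rua=mailto:postmaster@free-mobile.fr; "
                      "ruf=mailto:postmaster@free-mobile.fr; rf=afrf; pct=100; ri=86400",
    "news.oqee.net": "v=DMARC1; p=none; rua=mailto:spam-report@oqee.tv; "
                     "ruf=mailto:spam-report@oqee.tv; fo=1",
    "oqee.net": None,
    "free.fr": "v=DMARC1;p=none;adkim=r;aspf=r;sp=none",
}

def parse_dmarc(txt):
    """Split a DMARC TXT value into a {tag: value} dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def audit(txt):
    """Return the list of findings for one domain's DMARC TXT value."""
    if txt is None:
        return ["no DMARC record"]
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("no restrictive policy (p=%s)" % (policy or "missing"))
    elif tags.get("sp", "").lower() == "none":  # explicit sp= overrides p= for subdomains
        findings.append("subdomains left unprotected (sp=none)")
    if "rua" not in tags:
        findings.append("no aggregate reporting (rua missing)")
    return findings

def summarize(records):
    """Reproduce the article's counts over a {domain: TXT-or-None} mapping."""
    results = {d: audit(t) for d, t in records.items()}
    count = lambda needle: sum(any(needle in f for f in r) for r in results.values())
    return {"no_record": count("no DMARC record"),
            "no_monitoring": count("no DMARC record") + count("rua missing"),
            "not_restrictive": count("no DMARC record") + count("no restrictive policy")}

if __name__ == "__main__":
    for domain, txt in RECORDS.items():
        print(domain, "->", "; ".join(audit(txt)))
```

A record that passes this check only proves a policy is published; whether the `rua` mailbox is actually read is something the record cannot show.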
I also took the opportunity to take a look at the SPF records, and the conclusion is no more glorious. No SPF record has a strict qualifier (except free-mobile.fr), and some domains have huge lists of IP addresses authorized to send emails (freetelecom.fr or free-mobile.fr for example). Rationalization is urgently needed.
What are the priorities for securing Free's emails?
The priority actions for Free to implement:
- Rationalize the use of domains that can legitimately send email. Block all others with ultra-restrictive DMARC and SPF policies.
- Connect a DMARC monitoring solution to all existing root domains and subdomains (whether known to send legitimate Free emails or not).
- Implement restrictive DMARC policies on domains with only one clearly identified email source.
- In the medium term, bring all email sending sources under control in order to deploy a DMARC "reject" policy.
And for those of you reading this who feel you haven't done this yourselves, don't wait until the first incident to get started! Get in touch with a deliverability consultant.