Foreign IPs Spoofing U.S. Government Email Domains Underscore Urgency of DHS Directive on Authentication | Proofpoint

Those of us with a strong interest in restoring trust to the email ecosystem received some great news last month: the US Department of Homeland Security issued Binding Operational Directive 18-01 (BOD 18-01), which requires federal agencies to authenticate their email so that spoofers can no longer impersonate them. When the directive came out, we were naturally curious about the scale of ongoing spoofing of .gov domains, so our researchers analyzed the metadata of roughly 70 million messages seen in the Proofpoint ecosystem in October across 4,989 unique .gov parent domains (55,488 fully qualified domain names, subdomains included) spanning federal, state, and local agencies.

It was no surprise that .gov email spoofing is rampant. We saw over 8.5 million fraudulent messages, and almost 10% of them were not even sent from a US-based IP address. In August of this year, one particular agency saw 80% of the malicious emails spoofing its identity sent from Russian IPs; Russia accounted for 27% of all such malicious email since January 2016, and IPs in Germany were the source of 26% of the fraudulent email targeting this agency over the same period. That said, the problem is far broader than any one country or agency: in October we saw email claiming a .gov sender originate from IPs in 187 different foreign countries.

There are few, if any, justifiable reasons for a foreign IP address to be allowed to send email that presents itself as coming from a federal agency or from a user with a .gov address. Overall, fraudulent messages made up 12.4% of all email sent under .gov domains in October, so effectively one out of every eight .gov emails that month was fraudulent. This is exactly what the directive's authentication requirements address: an SPF record that lists only an agency's legitimate sending hosts, combined with a DMARC policy of p=reject (the end state BOD 18-01 requires), gives receiving mail systems what they need to reject such messages outright instead of delivering them.
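To make the mechanism concrete, here is an added example (not Proofpoint's code, and not any agency's real DNS records) that evaluates SPF and DMARC policy offline against constructed TXT records for two hypothetical domains: agency.example.gov, which publishes SPF with -all and DMARC p=reject, and weak.example.gov, which publishes ~all and p=none. It shows how a message from an IP outside the agency's authorized ranges is rejected under the first domain and still delivered under the second. It assumes the MAIL FROM domain equals the From: domain (so an SPF pass is aligned) and that no DKIM signature is present, so the DMARC outcome rests on SPF alone; the a, mx, ptr and exists mechanisms, which need live DNS, are reported as permerror.

```python
"""Offline SPF and DMARC policy evaluation against constructed DNS TXT records.

Added example, not Proofpoint's or any agency's code. The domain names and
records are hypothetical; the IPs come from the RFC 5737/3849 documentation ranges.
"""
import ipaddress

# Constructed TXT data standing in for live DNS (hypothetical names and records).
DNS_TXT = {
    "agency.example.gov": [
        "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 include:_spf.mailer.example -all"
    ],
    "_spf.mailer.example": ["v=spf1 ip4:192.0.2.0/25 -all"],
    "_dmarc.agency.example.gov": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency.example.gov"],
    "weak.example.gov": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.weak.example.gov": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example.gov"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on include/a/mx/ptr/exists lookups


def lookup_txt(name):
    return DNS_TXT.get(name.lower(), [])


def spf_records(domain):
    return [r for r in lookup_txt(domain) if r.split()[0].lower() == "v=spf1"]


def check_spf(domain, ip, _lookups=None):
    """SPF result for a message with MAIL FROM at `domain` sent from `ip`.

    Handles ip4, ip6, include and all with the four qualifiers. The a, mx, ptr
    and exists mechanisms need live DNS, so this offline version reports them
    as permerror (the same result a real evaluator gives an unknown mechanism).
    """
    if _lookups is None:
        _lookups = [0]
    records = spf_records(domain)
    if not records:
        return "none"
    if len(records) > 1:                 # RFC 7208 section 3.2: multiple records -> permerror
        return "permerror"
    sender = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            return "permerror"           # redirect= is not implemented offline; fail closed
        if "=" in term:
            continue                     # other modifiers such as exp= do not affect the result
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:                         # address-family mismatch simply does not match
                if sender in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
            continue
        if name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, ip, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):   # RFC 7208 section 5.2
                return "permerror"
            continue                     # fail/softfail/neutral inside an include: keep going
        return "permerror"               # a/mx/ptr/exists or an unknown mechanism
    return "neutral"                     # no mechanism matched and no 'all' term


def dmarc_tags(domain):
    """Tag dictionary from the _dmarc.<domain> record, or None if there is none."""
    for rec in lookup_txt("_dmarc." + domain):
        tags = {}
        for part in rec.split(";"):
            key, sep, value = part.strip().partition("=")
            if sep:
                tags[key.strip().lower()] = value.strip()
        if tags.get("v") == "DMARC1":
            tags.setdefault("pct", "100")
            tags.setdefault("sp", tags.get("p", "none"))  # subdomains inherit p unless sp is set
            return tags
    return None


def meets_bod_18_01_end_state(domain):
    """BOD 18-01's one-year target: an SPF record plus DMARC p=reject applied to 100% of mail."""
    tags = dmarc_tags(domain)
    return (len(spf_records(domain)) == 1 and tags is not None
            and tags.get("p") == "reject" and tags["pct"] == "100")


def disposition(from_domain, ip):
    """What a DMARC-enforcing receiver does with mail claiming `from_domain` sent from `ip`.

    Assumption: MAIL FROM equals the From: domain and there is no DKIM signature,
    so the DMARC outcome rests on SPF alone.
    """
    spf = check_spf(from_domain, ip)
    tags = dmarc_tags(from_domain)
    if spf == "pass":
        return {"spf": spf, "dmarc": "pass", "action": "deliver"}
    if tags is None:
        return {"spf": spf, "dmarc": "none", "action": "deliver"}
    action = {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p", "none"), "deliver")
    return {"spf": spf, "dmarc": "fail", "action": action}


if __name__ == "__main__":
    # 203.0.113.77 is in the agency's authorized range; 198.51.100.99 stands in for
    # a sending host, foreign or not, that no record authorizes.
    for domain in ("agency.example.gov", "weak.example.gov"):
        print(domain, "meets BOD 18-01 end state:", meets_bod_18_01_end_state(domain))
        for ip in ("203.0.113.77", "192.0.2.5", "198.51.100.99"):
            print("  from", ip, "->", disposition(domain, ip))
```

The point the run makes is that a foreign (or any unauthorized) IP is only stopped when both halves are in place: the SPF record with -all produces a fail, and the DMARC p=reject policy turns that fail into a rejection. Under weak.example.gov the same message merely soft-fails and is delivered. A real evaluator additionally checks DKIM and the relaxed or strict alignment of the SPF and DKIM identifiers with the From: domain, and resolves the records over live DNS.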