Security Blog

Advice to Email Administrators for Preventing Extortion Email

Release Date: 21 / 12 / 2018
Last Update: 21 / 12 / 2018

Recently, HKCERT received a number of reports from students and alumni of a local university who received extortion emails asking for ransom. The content of the extortion email is similar to the one we seen before. The email sender pretends to be the recipient's email address, making the recipient to believe his/her mailbox was compromised and the scam email was sent from their own mailbox.


For the school, college and/or university student, their email address is usually comprise by the Student ID. The fixed combination is easy to be guessed and targeted. We observed this kind of combination of the email addresses would be involved into the scam campaign as the targeted victim.


After investigating into this incident, it was discovered that the extortion email was not detected and blocked as spam due to the configuration of the email gateway. As a result, the extortion email was allowed to deliver to recipient’s inbox and caused panic.


From the lesson learnt, we have five suggestions for email administrators to prevent similar extortion emails.

  1. Internal emails should always come from your own email servers. If the sender of the incoming email pretends as your own email domain, it probably is a spoofing email and should be blocked.
  2. Set the SPF record for your email domain. Check the incoming email SPF and quarantine the suspicious email. It allows your email users to receive emails from authenticated servers only.
  3. Tune the sensitivity level of spam and/or phishing filter of your email gateway. Other than the default filter policy, maintain and implement additional protection mechanism, such as keyword blacklist, block emails from a bad reputation server IP, etc.
  4. Add warning tag/banner to suspected spam or phishing emails to aware your users. For example, add a warning tag at the top of the email subject or text.
  5. Take prompt action to alert your email users once suspicious email found, early warning could prevent other users react on the supicious email.