8/10/2019 SPAM.prevention.using.dns.v6
1/35
SPAM Prevention Using DNS Solutions
Implementing reverse domain name services (rDNS) and planning for SPF Classic
Presented by: Ed Horley
Date: May 2005
Overview
SPAM prevention is the primary reason that rDNS and SPF Classic will become de jure within approximately 1-2 years (IETF ratified)
Current methods for SPAM prevention are de facto solutions: filtering, black/white lists, etc.
Reverse DNS (rDNS) is a great quick check to determine if an MTA is being run and maintained correctly, but it can be spoofed
Sender Policy Framework (SPF v1) or SPF Classic is being used by service providers to confirm that the mail servers they are receiving mail from are authorized to do so on behalf of the sending domain; these records are published by the sending domain
Overview Continued
Future additional solutions for SPAM prevention are Yahoo's DomainKeys, Sender Verification and perhaps Microsoft's Puzzle Solution (unlikely)
Sender ID has been rejected by the IETF as a proposed standard (de jure) due to inclusion of patented technology by Microsoft, and Microsoft has modified it and resubmitted. It may or may not make it through this time, depending on the dependencies the working committee sees on the patented or protected intellectual property
Solutions Used Today
Blacklists
SpamCop
MAPS
ORDB
SPAMhaus
Spews
SURBL
Mail-abuse
DSBL
DNSBL
DNSRBL
Client filters
Audiotrieve InBoxer
Cloudmark SpamNet
Lyris MailShield
McAfee SpamKiller
Aladdin SpamCatcher
Sunbelt IHateSpam
SpamBayes (open source)
Spam Bully
MailFrontier Matador
Solutions Used Today
Server filters
Exchange IMF (comes bundled with Exchange)
XWall
Vircom modusGate
Sophos PureMessage
Proofpoint Protection
SurfControl
Symantec
Trend Micro
GFI MailEssentials
Sybari Antigen (Microsoft acquired Feb 2005)
Network Associates / McAfee
SpamAssassin (open source)
Declude JunkMail
Hardware appliances
Barracuda 300
BorderWare MXtreme
CipherTrust IronMail
IronPort C60
Mail Foundry
Sendio ICE Box
Tumbleweed
Subscription services
Brightmail
Commtouch
Greenview Data
Katharion
Postini
PUREmail
What to do now?
SMTP mail gateway filters (hardware or software)
Consider a commercial service (depends on the amount and type of traffic you expect to see for your environment)
Software e-mail client filters (small business accounts)
Blacklists / Whitelists (Enterprise and Service Providers)
rDNS (anyone running an MTA that sends traffic to the Internet)
SPF Classic (anyone running an MTA that sends traffic to the Internet)
DomainKeys (Service Providers)
What is rDNS?
rDNS is an acronym for reverse DNS
It is a method of name resolution in which an IP address is resolved into a domain name
It is the opposite of the typical resolution method of DNS, which resolves domain names into IP addresses
It utilizes the existing DNS infrastructure by using a special reserved domain name: in-addr.arpa.
IP addresses are more specific left to right and domain names are more specific right to left, therefore the rDNS IP listings are reversed
Example: 63.251.192.20 would have a reverse entry of 20.192.251.63.in-addr.arpa.
Why you should do rDNS now
Easy to implement
Because spammers often use invalid IP addresses (bogons) to send e-mails, rDNS will determine the authenticity of a domain name compared to the IP address from which it is originating
It is used as one of several de facto methods to determine the likelihood of a server being a SPAM relay
Most Internet Service Providers are using this to determine legitimate mail sources
Reduces probability of legitimate mail servers being added to a Blacklist
What is SPF Classic?
SPF Classic is used to identify mail servers that are explicitly permitted to send mail for a particular domain (think outgoing)
Domain owners identify permitted sending mail servers in DNS using TXT records
SMTP receivers verify the envelope sender address against the DNS information and can distinguish legitimate mail servers before any message data is transmitted
It is backward compatible with MTAs that are not patched with SPF filters or libraries (well, actually the old MTA just ignores it, if that is considered backward compatible!)
Remember: MX records publish which IPs are to receive mail (incoming) destined for your domain; SPF records say which IPs are allowed to send mail (outgoing) on behalf of your domain
Why you should do SPF now
Easy to implement (publish TXT records in DNS)
It is used by AOL, Symantec, EarthLink, Google and more as one of several de facto methods to determine trustworthiness of the mail sources
Most Internet Service Providers are currently using or starting to use this to determine legitimate mail sources
Will move your mail to priority queues for processing for many providers including AOL; you can also submit to be added to the Whitelist for AOL
Reduces probability of being added to a Blacklist
Oct 1st, 2004: Microsoft, MSN and Hotmail will all start using Sender ID to prioritize incoming e-mail! (Sender ID is backward compatible with SPF Classic)
What to know about SPF Classic
Meng Wong created SPF Classic. It used to be called Sender Permitted From and was changed to Sender Policy Framework
SPF v1 (Classic) designates specific SMTP servers as being authorized to send for a FQDN
Uses the TXT fields in DNS to publish relevant information
Each sub-domain must be configured specifically
SPF will become de jure within approximately 1-2 years; most popular filters are flagging this already
Most MTAs support SPF Classic or have plug-ins available
Backward compatible with existing technology
It breaks e-mail forwarding: you'll have to switch from forwarding, where the envelope sender is preserved, to remailing, where the envelope sender is changed; your MTA will have to support this
What to know about Sender ID
SPF Classic + PRA = Sender ID (basically now the MTA (think Exchange) checks SPF AND the MUA (think Outlook) checks the PRA, or Purported Responsible Address)
Meng Wong and Microsoft submitted a draft RFC merging both solutions and called it Sender ID; it was just turned down as a standard by the IETF due to Microsoft patent issues, and it is back on the table again!
Uses the TXT fields in DNS to publish relevant information, same as SPF but with a new version number
Each sub-domain must be configured specifically, just like SPF
Microsoft will be updating the MTA/MUAs to support PRA (or Sender ID): think Outlook, Outlook Express and Exchange
Backward compatible with existing technology
It breaks e-mail forwarding! You'll have to switch from forwarding, where the envelope sender is preserved, to remailing, where the envelope sender is changed, just like SPF
SPF v2
What to know about PRA *
A purported responsible address is determined as the first from the following list of items:
the first Resent-Sender header in the message, unless (per the rules of RFC 2822) it is preceded by a Resent-From header and one or more Received or Return-Path headers occur after said Resent-From header and before the Resent-Sender header (see 3.6.6 of RFC 2822 for further information on Resent headers),
the first mailbox in the first Resent-From header in the message,
the Sender header in the message, and
the first mailbox in the From header in the message
The purported responsible domain of a message is defined to be the domain part of the message's purported responsible address.
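The selection rule above, written out as an added example (not from the slides and not Microsoft's Sender ID code) over an ordered list of headers; the header values are constructed, and the reading that "said Resent-From" means the nearest Resent-From preceding the Resent-Sender is an assumption:

```python
import re
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample (not from the slides): a message resent through a list,
# so Resent-* headers, a Received trace and the original From/Sender coexist.
SAMPLE_HEADERS: List[Header] = [
    ("Return-Path", "<bounces@list.example.net>"),
    ("Received", "from mx.list.example.net by mx.example.com; Tue, 3 May 2005 10:00:00 -0700"),
    ("Resent-From", "List Owner <owner@list.example.net>"),
    ("Received", "from robot.list.example.net by mx.list.example.net; Tue, 3 May 2005 09:59:00 -0700"),
    ("Resent-Sender", "List Robot <robot@list.example.net>"),
    ("From", "Alice <alice@example.org>"),
    ("Sender", "Mailer <mailer@example.org>"),
]

# addr-spec inside angle brackets, or bare; enough for the mailbox forms used
# here (not a full RFC 2822 address parser)
_MAILBOX = re.compile(r"<([^<>\s]+@[^<>\s]+)>|([^\s,<>]+@[^\s,<>]+)")


def first_mailbox(value: str) -> Optional[str]:
    """Return the address of the first mailbox in a header value, or None."""
    m = _MAILBOX.search(value)
    return (m.group(1) or m.group(2)) if m else None


def purported_responsible_address(headers: List[Header]) -> Optional[Tuple[str, str]]:
    """Apply the slide's four-step PRA selection; returns (address, header name) or None."""
    names = [name.lower() for name, _ in headers]

    # Step 1: the first Resent-Sender, unless the nearest preceding Resent-From
    # is separated from it by a Received or Return-Path header, which means the
    # Resent-Sender belongs to an earlier resent block (RFC 2822 3.6.6).
    if "resent-sender" in names:
        rs = names.index("resent-sender")
        preceding_rf = [i for i in range(rs) if names[i] == "resent-from"]
        trace_between = bool(preceding_rf) and any(
            names[i] in ("received", "return-path") for i in range(preceding_rf[-1] + 1, rs)
        )
        addr = first_mailbox(headers[rs][1])
        if addr and not trace_between:
            return addr, headers[rs][0]

    # Steps 2-4: first mailbox of the first Resent-From, then Sender, then From.
    for wanted in ("resent-from", "sender", "from"):
        if wanted in names:
            idx = names.index(wanted)
            addr = first_mailbox(headers[idx][1])
            if addr:
                return addr, headers[idx][0]
    return None


def purported_responsible_domain(headers: List[Header]) -> Optional[str]:
    """Domain part of the PRA, the name Sender ID looks up the spf2.0/pra record for."""
    pra = purported_responsible_address(headers)
    return pra[0].rsplit("@", 1)[1].lower() if pra else None
```

For the sample, the Received header between Resent-From and Resent-Sender pushes the choice to step 2, so the PRA is owner@list.example.net and the purported responsible domain is list.example.net.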
What is coming in a few years
DomainKeys
A Yahoo! submitted draft RFC
http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt
Basically public/private keys for authenticating client mail and the servers along the path
Acts as a chain of custody from the source client machine to the destination client machine
Will require a major re-write of all MTAs to work; 5 to 10 years, if at all?
Backward compatible with existing technology
Google and Yahoo have already deployed!
Has promise to be a great standard if adoption is quick enough
What is coming continued *
Puzzle Solution
Microsoft proposal
Assumed for small businesses that cannot afford certificate services
Sending mail server has to perform a time-consuming calculation for each mail sent
Assumes spammers cannot afford the computational costs to send out large bulk mailings or the cost of the bulk certificate services
Will require a major re-write of all MTAs to work; 5 to 10 years, if at all?
Backward compatible with existing technology
Solution has serious shortcomings
Microsoft has little published on this solution
Future potential SPAM problems
Disposable domain names, certificates and registrars
Country Sanctioned Activity (Governments allowing for-profit activity or turning a blind eye to problem spammers) in order to generate dollars
Large Zombie Farms controlling clients with legit relay access (think large University or poorly managed corporate environments)
Spyware agents that provide relay capabilities similar to Zombie configurations
IPv6 and Mobile IP devices becoming more prevalent
Potential exploits that could turn large peer-to-peer networks into relays
How rDNS works
Diagram: ISP A, the Internet, ISP B
1. Worker sends e-mail to colleague
2. Internal SMTP servers take client e-mail
3. Internal SMTP servers forward e-mail to public ISP SMTP servers
4. Public ISP SMTP servers send e-mail to destination
5. Public SMTP servers receive e-mail and check rDNS
6. Public DNS servers supply reverse entries
7. Colleague receives e-mail from Public SMTP servers
Records in the diagram:
MX: mx1.ispA.net -> 1.1.1.1
MX: mx1.ispB.net -> 2.2.2.2
PTR: 1.1.1.1 -> mx1.ispA.net
PTR: 2.2.2.2 -> mx1.ispB.net
How to request rDNS for sub /24 address blocks
You will have to contact your ISP to request rDNS delegation; do this via e-mail so you have a written trail of correspondence
You will likely have to talk to several departments to figure out who can actually do this for you; first contact your account manager
Typically, the DNS group handles the sub-delegation but not always; sometimes it is the networking group
You will need to be patient but firm: inform them that you need it for Anti-SPAM reasons for your mail server, to be RFC 2505 compliant
RFC 2317 describes standard methods for rDNS sub /24 delegation formats; there is also the DeGroot hack from the book "DNS & BIND". Both work fine
Setting up RFC 2317 rDNS Delegation
Example of 64.94.106.40/29 configuration in the provider's servers (owner names are relative to $ORIGIN, so they carry no trailing dot):
$ORIGIN 106.94.64.in-addr.arpa.
; zone delegation of 64.94.106.40/29
;
40-47 IN NS ns1.j2global.com.
40-47 IN NS ns2.j2global.com.
;
40 IN CNAME 40.40-47.106.94.64.in-addr.arpa.
41 IN CNAME 41.40-47.106.94.64.in-addr.arpa.
42 IN CNAME 42.40-47.106.94.64.in-addr.arpa.
43 IN CNAME 43.40-47.106.94.64.in-addr.arpa.
44 IN CNAME 44.40-47.106.94.64.in-addr.arpa.
45 IN CNAME 45.40-47.106.94.64.in-addr.arpa.
46 IN CNAME 46.40-47.106.94.64.in-addr.arpa.
47 IN CNAME 47.40-47.106.94.64.in-addr.arpa.
Setting up the rDNS Zone
Example of 64.94.106.40/29 configuration in your servers:
$ORIGIN 40-47.106.94.64.in-addr.arpa.
; zone delegation of 64.94.106.40/29
;
@ IN NS ns1.j2global.com.
@ IN NS ns2.j2global.com.
;
@ IN TXT "j2 Global Communications, Inc."
;
40 IN PTR 64.94.106.40.efax.com.
41 IN PTR 64.94.106.41.efax.com.
42 IN PTR 64.94.106.42.efax.com.
43 IN PTR 64.94.106.43.efax.com.
44 IN PTR 64.94.106.44.efax.com.
45 IN PTR 64.94.106.45.efax.com.
46 IN PTR 64.94.106.46.efax.com.
47 IN PTR 64.94.106.47.efax.com.
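The reversal rule from the "What is rDNS?" slide and the two RFC 2317 zone fragments above, generated by an added example (not the slides' own or j2's tooling): given a sub-/24 block, it emits the provider-side NS/CNAME lines and the customer-side PTR zone in the same first-last label form the slides use. The PTR hostnames are passed in as a map; the RFC 2317 convention of a trailing dot on fully qualified targets is kept.

```python
import ipaddress
from typing import Dict, List


def reverse_name(ip: str) -> str:
    """63.251.192.20 -> 20.192.251.63.in-addr.arpa. (octets reversed, as on the slide)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def _parent_zone(net: ipaddress.IPv4Network) -> str:
    """The enclosing /24 reverse zone, e.g. 106.94.64.in-addr.arpa."""
    first_three = str(net.network_address).split(".")[:3]
    return ".".join(reversed(first_three)) + ".in-addr.arpa."


def _label(net: ipaddress.IPv4Network) -> str:
    """RFC 2317 sub-zone label in the slide's first-last form, e.g. 40-47."""
    return f"{int(net[0]) & 0xFF}-{int(net[-1]) & 0xFF}"


def provider_records(cidr: str, nameservers: List[str]) -> List[str]:
    """Lines the ISP adds to its /24 zone: NS records delegating the first-last
    sub-zone, plus one CNAME per address pointing into that sub-zone."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen <= 24:
        raise ValueError("RFC 2317 delegation is for blocks smaller than a /24")
    parent, label = _parent_zone(net), _label(net)
    lines = [f"$ORIGIN {parent}", f"; zone delegation of {net}"]
    lines += [f"{label} IN NS {ns}" for ns in nameservers]
    for addr in net:
        last = int(addr) & 0xFF
        lines.append(f"{last} IN CNAME {last}.{label}.{parent}")
    return lines


def customer_zone(cidr: str, nameservers: List[str], ptr: Dict[str, str]) -> List[str]:
    """The delegated zone on the customer's servers: NS records plus one PTR for
    every address that has a hostname in ptr (address -> FQDN with trailing dot)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    lines = [f"$ORIGIN {_label(net)}.{_parent_zone(net)}", f"; zone delegation of {net}"]
    lines += [f"@ IN NS {ns}" for ns in nameservers]
    for addr in net:
        host = ptr.get(str(addr))
        if host:
            lines.append(f"{int(addr) & 0xFF} IN PTR {host}")
    return lines


if __name__ == "__main__":
    ns = ["ns1.j2global.com.", "ns2.j2global.com."]
    print("\n".join(provider_records("64.94.106.40/29", ns)))
    hosts = {f"64.94.106.{i}": f"64.94.106.{i}.efax.com." for i in range(40, 48)}
    print("\n".join(customer_zone("64.94.106.40/29", ns, hosts)))
```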
Checking the rDNS Zone
Example of checking the 64.94.106.40/29 configuration:
; DiG 2.1 @206.13.31.12 40.106.94.64.in-addr.arpa. PTR
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER
How SPF Classic works
Diagram: ISP A, the Internet, ISP B
1. Worker sends e-mail to colleague
2. Internal SMTP servers take client e-mail
3. Internal SMTP servers forward e-mail to public ISP SMTP servers
4. Public ISP SMTP servers send e-mail to destination
5. Public SMTP servers receive e-mail and check SPF info
6. Public DNS servers supply TXT, MX and A records
7. Colleague receives e-mail from Public SMTP servers
Records in the diagram:
ISP A: MX: mx1.ispA.net -> 1.1.1.1; TXT: "v=spf1 a mx -all"
ISP B: MX: mx1.ispB.net -> 2.2.2.2; TXT: "v=spf1 a mx -all"
DNS answers the receiving server gets for ispA.net: TXT: "v=spf1 a mx -all"; MX: mx1.ispA.net; A: mx1.ispA.net -> 1.1.1.1
SPF Classic Syntax *
Some common SPF options in the TXT field:
a = the A record entry for example.com sends e-mail on behalf of example.com
mx = the published MX record entries for example.com do not only receive e-mail on behalf of example.com but send e-mail also
ptr = approve any host that ends in example.com as part of its FQDN
a: = a list of A record entries that are permitted to send e-mail on behalf of example.com
mx: = a list of MX record entries that are permitted to send e-mail on behalf of example.com
ip4: = a list of IP addresses that are permitted to send e-mail on behalf of example.com (CIDR)
include: = a different domain that may send e-mail on behalf of example.com (relay through your service provider)
-all = (fail) everything in the SPF record are the ONLY hosts/networks permitted to send (strictest policy; don't do this unless you know all the ramifications)
~all = (soft fail) everything in the SPF record are the ONLY hosts/networks permitted to send (middle ground)
?all = not sure (technically neutral) whether everything in the SPF record are the ONLY hosts/networks permitted to send (start publishing with this one first, as it is the most liberal policy)
Please see http://spf.pobox.com/mechanisms.html for a more detailed description and http://spf.pobox.com/whitepaper.pdf for an excellent whitepaper
Setting up SPF Classic
Configuration of example.com SPF
$ORIGIN example.com.
; Leaving out the SOA info for space reasons
; NS records
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
; MX records
@ IN MX 10 mx1.example.com.
@ IN MX 20 mx2.example.com.
; A records
mx1 IN A 1.1.1.1
mx2 IN A 2.2.2.2
; TXT SPF records
@ IN TXT "v=spf1 a mx -all"
mx1 IN TXT "v=spf1 a -all"
mx2 IN TXT "v=spf1 a -all"
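To make the mechanism semantics from the SPF Classic Syntax slide and the example.com zone above concrete, here is an added evaluator (not from the slides, not an SPF library) that walks a v=spf1 record for a connecting IP against a constructed in-memory DNS table built from that zone; the isp.example.net and shop.example.org names are hypothetical, added to show include: and the softfail/neutral outcomes.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DNS answers, keyed by (name, type): the slide's example.com zone
# plus hypothetical isp.example.net / shop.example.org to show include:.
DNS: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "TXT"): ["v=spf1 a mx -all"],
    ("example.com", "MX"): ["mx1.example.com", "mx2.example.com"],
    ("mx1.example.com", "A"): ["1.1.1.1"],
    ("mx2.example.com", "A"): ["2.2.2.2"],
    ("mx1.example.com", "TXT"): ["v=spf1 a -all"],
    ("isp.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("shop.example.org", "TXT"): ["v=spf1 include:isp.example.net ?all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def ip_in(ip: str, target: str) -> bool:
    """True if ip lies in target, given as a bare address or a CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the v=spf1 record of the envelope-sender domain for a connecting ip.

    Returns pass/fail/softfail/neutral, or 'none' if no record is published.
    Handles a, mx, a:, mx:, ip4:, include: and all; ptr and redirect= are left out.
    """
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if not records or depth > 10:  # bound include: recursion
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"  # a mechanism without a prefix yields pass when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_in(ip, arg)
        elif mech == "a":  # A record(s) of the domain, or of the named host
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":  # A record(s) of the MX hosts
            matched = any(ip_in(ip, a) for host in lookup(arg or domain, "MX")
                          for a in lookup(host, "A"))
        elif mech == "include":  # counts as a match only when the other domain passes
            matched = check_spf(ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without an all term
```

With the example.com record, 1.1.1.1 passes via mx while an unlisted address hits -all and fails; this is also why a forwarder that keeps the original envelope sender fails the check at the next hop, as the earlier slides warn.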
Register your SPF domain
Once you have configured SPF for your domain you should confirm your configuration at:
www.dnsstuff.com
Then put the logo on your site!
Testing SPF Classic
Testing of example.com SPF
http://www.dnsstuff.com/pages/spf.htm
Dummy Sample Output from dnsstuff:
SPF lookup of sender [email protected]. from IP 1.1.1.1:
SPF string used: v=spf1 mx -all. Obtained the TXT record via DNS for example.com
Processing SPF string: v=spf1 mx -all. Checking against the TXT record
Testing 'mx' on IP=1.1.1.1, target domain example.com, CIDR 32, default=PASS. MATCH
Testing 'all' on IP=1.1.1.1, target domain example.com, CIDR 32, default=FAIL.
Result: PASS
Impact on the Internet
These solutions will help reduce overall architecture problems of Authentication, Authorization, and Accounting with e-mail (back to AAA)
68B e-mails daily, of which approx. 42.8B are spam, or 69% spam! [1]
Estimated $1,400 annual savings per employee from lost productivity currently due to spam [2]
[1] The Radicati Group and Brightmail
[2] Vircom
Resource Links
rDNS:
http://www.ietf.org/rfc/rfc2317.txt
http://www.ietf.org/rfc/rfc2505.txt
http://www.arin.net/registration/lame_delegations/index.html
http://kbase.menandmice.com/view.html?rec=31
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_dewg.asp
http://dedicated.pacbell.net/custcare/dns_worksheet.html
DNS tools:
http://www.dnsstuff.com/
http://us.mirror.menandmice.com/cgi-bin/DoDig
http://network-tools.com/
http://www.squish.net/dnscheck/
http://www.dns.net/dnsrd/tools.html
http://www.dnsreport.com/
http://www.samspade.org/t/
General references:
http://www.spamanatomy.com/
http://www.declude.com/Articles.asp?ID=97
Resource Links
SPF:
http://spf.pobox.com/howworks.html
http://spf.pobox.com/rfcs.html
http://spf.pobox.com/wizard.html
http://www.ietf.org/internet-drafts/draft-mengwong-spf-01.txt
http://www.dnsstuff.com/pages/spf.htm
Microsoft's PRA (E-mail Caller ID):
http://www.microsoft.com/downloads/details.aspx?FamilyID=9a9e8a28-3e85-4d07-9d0f-6daeabd3b71b&displaylang=en
Sender ID, the merged PRA and SPF:
http://www.microsoft.com/presspass/press/2004/may04/05-25SPFCallerIDPR.asp
http://www.microsoft.com/presspass/press/2004/jun04/06-24SIDSpecIETFPR.asp
http://www.microsoft.com/mscorp/twc/privacy/spam_senderid.mspx
Yahoo! DomainKeys:
http://antispam.yahoo.com/domainkeys
http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt
http://boycott-email-caller-id.org/
A look at some Service Providers' records
aol.com. 300 IN TXT "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
aol.com. 300 IN TXT "spf2.0/pra ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
cisco.com. 86400 IN TXT "v=spf1 ptr"
earthlink.net. 1800 IN TXT "v=spf1 ip4:207.217.120.0/23 ip4:207.69.200.0/24 ip4:209.86.89.0/24 ?all"
efax.com. 86400 IN TXT "v=spf1 ptr ?all"
google.com. 300 IN TXT "v=spf1 ptr ?all"
hotmail.com. 3600 IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"
microsoft.com. 3600 IN TXT "v=spf1 mx redirect=_spf.microsoft.com"
msn.com. 900 IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"
netzero.net. 600 IN TXT "v=spf1 ptr:untd.com ptr:netzero.net ptr:juno.com ?all"
symantec.com. 18000 IN TXT "v=spf1 ip4:198.6.49.0/24 ip4:65.125.29.0/25 ip4:206.204.57.47 ?all"
Questions and Answers
About Ed Horley
Ed Horley is a Sr. Network Engineer for j2 Global Communications, better known as eFax. Ed currently designs, supports and maintains j2's 58+ international and domestic colocation sites along with j2's core data center IP infrastructure. He is experienced in e-commerce web content delivery, large-scale e-mail delivery, firewalls, IPsec VPNs, and specializes in routing and switching and DNS issues.
Ed is a Cisco Certified Network Professional (CCNP), a Microsoft Certified Professional (MCP) and a Microsoft Most Valuable Professional (MVP). Ed graduated from the University of the Pacific in 1992 with a BS in Civil Engineering.
When he is not playing on network gear you can find him out on the lacrosse field as an Umpire for Women's Lacrosse. He is currently married to his wonderful wife Krys and has two children, Briana and Aisha. He lives and works in Walnut Creek, CA.
Contact Info
Ed Horley [email protected]