Join the fightAgainst email spam!

1

Why would we this?4 People waste their time sorting SPAM

4 Lost money by phishing emails

4 banks, creditcards, invoices

4 No trust in their real message

4 Google force you to do!

2

Safer Internet DayFebruary 9, 2016

3

4

5

6

Who is sending emailsfrom there applications?

7

Who is runninghis own emailserver?

8

Who is in chargeof the DNS-records?

9

Who recognize

this situation?

10

My email to bob@example.com

has not arrived.1

Our client(s)

11

My email has not arrived..Lots of reasons

4 The code doesn't send the email

4 The server IP-adres is on the (RBL) blacklist

4 The receiver server doesn't trust your IP-adres

4 The content is marked as SPAM

4 The email policy is not configured or not optimal

12

My email has not arrived..What can we do about it?

4 Check the function of the script

4 Check the server IP-adres on the (RBL) blacklist

4 Submit for removal

4 Checking the email policies [SPF/DKIM]

4 Using email services providers

13

How we did it the old days2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= maillinglist@domain.com H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 id=384a86a39e83be0d9b3a94d1feb3119f@domain.com T="Daily Science Maillinglist: Chameleon" from for user@example.com2016-04-01 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s2016-04-01 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s

14

Email service providers

15

16

17

18

19

20

21

22

Email authentication

23

Email authentication1. SPF

2. DKIM

3. DMARC

24

SPF

25

SPFSender Policy Framework

26

SPF4 Created in 2003

4 Which mail servers are used to send mail from your domain

4 Publish an SPF record in our DNS records

4 Technical method to prevent sender address forgery

27

SPFThis technology requires two sides to play together

1. The domain owner, publishing an SPF record

2. The receiving server, checking for domain SPF records

28

SPFIf the message comes from an unknown server, it can be considered as fake and could be rejected.

29

SPF record - JCIDLet's look at an example

jcid.nl. TXT "v=spf1 include:spf.jcid.nl include:_spf.google.com include:spf.mandrillapp.com include:_spf.exactonline.nl -all"

30

SPF record - Emmen PHPThe parts of the SPF record mean the following:

emmenphp.nl. TXT "v=spf1 ip4:37.247.42.172 ~all"

4 v=spf1

4 a

4 37.247.42.172

4 ~all

31

SPF mechanisms

32

SPF mechanisms4 Domains define zero or more mechanisms.

33

SPF mechanismsall | ip4 | ip6 | a | mx | ptr | exists | include

34

SPF mechanismsMechanisms can be prefixed with one of four qualifiers:

"+" Pass"-" Fail"~" SoftFail"?" Neutral

35

SPF mechanismsThe default qualifier

"+", i.e. "Pass".

36

SPF - The "ip4" & "ip6" mechanismip4:<ip4-address>ip4:<ip4-network>/<prefix-length>

ip6:<ip6-address>ip6:<ip6-network>/<prefix-length>

37

SPF - The "ip4" & "ip6" mechanism"v=spf1 ip4:192.168.0.1/16 -all"

Allow any IP address between 192.168.0.1 and 192.168.255.255.

"v=spf1 ip6:1080::8:800:200C:417A/96 -all"

Allow any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.

38

SPF - The "a" & "mx" mechanismaa/<prefix-length>a:<domain>a:<domain>/<prefix-length>

mxmx/<prefix-length>mx:<domain>mx:<domain>/<prefix-length>

39

SPF - The "include" mechanisminclude:<domain>

Example

include:spf.mandrillapp.com

40

SPF - The "include" mechanismExact Online Example

ip4:xxx.xxx.xxx.xxx ip4:yyy.yyy.yyy.yyy ip4:zzz.zzz.zzz.zzz

41

SPF mechanismsThe default qualifier

"+", i.e. "Pass".

42

SPF record - The "all" mechanismemmenphp.nl. TXT "v=spf1 ip4:37.247.42.172 ~all"

43

SPF -all

44

SPF -allStopping email forgery

45

SPF stats - All domains

SPF -all, 1 November 2016 SPF -all - Stats.

46

SPF stats - Domains with SPF record

SPF -all, 1 November 2016 SPF -all - Stats.

47

SPF - The "all" mechanism"v=spf1 mx -all"

48

SPF - The "all" mechanism"v=spf1 -all"

49

SPF - The "all" mechanism"v=spf1 +all"

50

SPF results

51

SPF resultsAn SPF record can return any of these results:

1. Pass------------2. Fail3. SoftFail------------4. Neutral5. None------------6. PermError7. TempError

52

53

SPF result1 - Pass (accept)

Received-SPF: pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; envelope-from=alice@example.com; helo=mailout00.controlledmail.com;

54

SPF result - ReceiverReceived-SPF: pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; envelope-from=alice@example.com; helo=mailout00.controlledmail.com;

receiver=bob.example.org

the host name of the SPF client

55

SPF resultReceived-SPF: pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; envelope-from=alice@example.com; helo=mailout00.controlledmail.com;

client_ip=192.0.2.1;

the IP address of the SMTP client

56

SPF resultReceived-SPF: pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; envelope-from=alice@example.com; helo=mailout00.controlledmail.com;

envelope-from=alice@example.com;

the envelope sender mailbox

57

SPF resultReceived-SPF: pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; envelope-from=alice@example.com; helo=mailout00.controlledmail.com;

helo

the host name given in the HELO or EHLO command

58

SPF result2 - Fail (reject)

Received-SPF: fail (bob.example.org: domain of alice@example.com does not designate 192.0.2.1 as permitted sender)

3 - SoftFail (accept but marked)

Received-SPF: softfail (bob.example.org: domain of transitioning alice@example.com does not designate 192.0.2.1 as permitted sender)

59

SPF result4 - Neutral (accept)

Received-SPF: neutral (bob.example.org: 192.0.2.1 is neither permitted nor denied by domain of alice@example.com)

5 - None (accept)

Received-SPF: none (bob.example.org: domain of alice@example.com does not designate permitted sender hosts)

60

SPF result6 - PermError (unspecified)

Received-SPF: permerror -extension:foo (bob.example.org: domain of alice@example.com uses mechanism not recognized by this client)

7 - TempError (accept or reject)

Received-SPF: temperror (bob.example.org: error in processing during lookup of alice@example.com: DNS timeout)

61

Recap

62

63

DKIM

64

DKIMDomainKey Identified Mail

65

DKIMDigital signature

66

Why DKIM?DKIM is an important authentication mechanism

67

DKIM4 Email receivers

4 Phishing emails (banks, creditcard, invoices)

4 Email senders

4 No trust in their real message

68

DKIMTwo proposals took shape, 2005

1. Yahoo’s DomainKeys

2. Cisco’s Identified Internet Mail

69

DKIMBoth proposals were based in the use of

“ Public Key Cryptography ”

70

DKIMMid 2005, the IETF (Internet Engineering Task Force), submitted the draft “ DomainKeys Identified Mail — DKIM ” specification.

71

How does DKIM work?

72

How does DKIM work?1. Author wishes to send an email to a recipient

2. They (their mailing software) calculate a crypto signature

4 that covers the relevant parts of the message using the Private Key.

3. The signature is placed in the email header

4 and the message is then sent normally by the mail server.

4. At any point in travel the signature is validated using the public key.

5. If any part of the message covered by the signature was manipulated

4 the signature won’t validate and the recipient will be alerted.

73

How does DKIM work?4 Public Key Cryptography like SSH

4 Private key v.s. Public key

4 DKIM uses DNS to publish the Public Keys

74

75

DKIM headerDKIM-Signature: v=1; a=rsa-sha256; c=simple/relaxed; d=jcid.nl; s=mandrill; t=1399817581; bh=Pl25…dcMqN+E=; h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type; b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=

76

DKIM header - Versionv=1

This indicates the DKIM version in use.

77

DKIM header - Algorithma=rsa-sha256

The algorithm suite that was used to generate the crypto signature.

Current two specification defines

4 rsa-sha1

4 rsa-sha25678

DKIM header - Canonicalizationc=simple/relaxed

Note that the c= fragment defines two algorithms.

79

DKIM header - Domaind=jcid.nl

80

DKIM header - Selectors=mandrill

81

DKIM header - Selectortxt:mandrill._domainkey.jcid.nl

v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ /J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt 7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfN dynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB

82

DKIM header - Timestampt=1399817581

83

DKIM header - Body partbh=Pl25…dcMqN+E=

84

DKIM header - Header listh=Message-ID:Date:Subject:From:...

85

DKIM header - Datab=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=

4 The crypto signature data itself, encoded in Base64 and possibly with whitespace inserted to conform to line length limitations.

86

DKIM resultsThe possible results for your DKIM test are:

1. Pass2. Fail3. None4. Policy5. Neutral6. TempError7. PermError

87

DKIM results - PassThe message was signed, the signature or signatures were acceptable, and the signature(s) passed verification tests.

88

DKIM results - FailThe message was signed and the signature or signatures were acceptable, but they failed the verification test(s).

89

DKIM results - NoneThe message was not signed

90

DKIM results - PolicyThe message was signed but the signature or signatures were not acceptable.

91

DKIM results - NeutralThe message was signed but the signature or signatures contained syntax errors or were not otherwise able to be processed.

92

DKIM results - TemperrorThe message could not be verified due to some error that is likely transient in nature, such as a temporary inability to retrieve a public key. A later attempt may produce a final result.

93

DKIM results - PermerrorThe message could not be verified due to some error that is unrecoverable, such as a required header field being absent. A later attempt is unlikely to produce a final result.

94

MoneyBird - SPAM

95

MoneyBird - Inbox

96

Cal Evans

97

Recap

98

99

DMARC

100

DMARCDomain-based Message Authentication,

Reporting & Conformance

101

DMARC4 Created in 2007 by PayPal, and Yahoo!

4 Later Gmail joined

102

What is DMARC

103

What is DMARCRemove the guesswork

104

What is DMARCReport back to the sender

105

106

DMARC record - JCIDLet's look at an example

_dmarc TXT "v=DMARC1; p=none; pct=100; rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com; sp=none; aspf=r;"

107

DMARC record - Versionv=DMARC1

This indicates the DMARC version in use.

108

DMARC record - Percentagepct=100

Percentage of messages subjected to filtering

109

DMARC record - Aggregate reportrua=mailto:aggregate-report@example.com

Reporting URI of aggregate reports

110

DMARC record - Failure Reportsruf=mailto:failure-reports@example.com

Reporting URI for forensic reports

111

DMARC record - Policyp=none

Policy for domain

4 none

4 quarantine

4 reject

112

DMARC record - Sub-domain Policysp=none

Sub-domain Policy

113

DMARC record - Alignmentadkim=s

Alignment mode for DKIM- r = relaxed (default)- s = strict mode

114

DMARC record - Alignmentaspf=r

Alignment mode for SPF- r = relaxed (default)- s = strict mode

115

Recap

116

117

DMARCAggregate report

118

DMARCZIP file

google.com!jcid.nl!1455062400!1455148799.zip

with XML aggregate report

google.com!jcid.nl!1455062400!1455148799.xml

119

DMARC report<?xml version="1.0" encoding="UTF-8" ?><feedback> <report_metadata> <org_name>google.com</org_name> <email>noreply-dmarc-support@google.com</email> <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info> <report_id>4151131448954607551</report_id> <date_range> <begin>1455062400</begin> <end>1455148799</end> </date_range> </report_metadata> <policy_published> <domain>jcid.nl</domain> <adkim>r</adkim> <aspf>r</aspf> <p>none</p> <sp>none</sp> <pct>100</pct> </policy_published> <record> <row> <source_ip>31.3.97.173</source_ip> <count>1</count> <policy_evaluated> <disposition>none</disposition> <dkim>fail</dkim> <spf>fail</spf> </policy_evaluated> </row> <identifiers> <header_from>example.prod.jcid.nl</header_from> </identifiers> <auth_results> <spf> <domain>example.prod.jcid.nl</domain> <result>none</result> </spf> </auth_results> </record></feedback>

120

DMARC report<?xml version="1.0" encoding="UTF-8" ?><feedback> <report_metadata> <org_name>google.com</org_name> <email>noreply-dmarc-support@google.com</email> <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info> <report_id>4151131448954607551</report_id> <date_range> <begin>1455062400</begin> <end>1455148799</end> </date_range> </report_metadata></feedback>

121

DMARC report<?xml version="1.0" encoding="UTF-8" ?><feedback> <policy_published> <domain>jcid.nl</domain> <adkim>r</adkim> <aspf>r</aspf> <p>none</p> <sp>none</sp> <pct>100</pct> </policy_published></feedback>

122

DMARC report<?xml version="1.0" encoding="UTF-8" ?><feedback> <record> <row> <source_ip>31.3.97.173</source_ip> <count>1</count> <policy_evaluated> <disposition>none</disposition> <dkim>fail</dkim> <spf>fail</spf> </policy_evaluated> </row> <identifiers> <header_from>example.prod.jcid.nl</header_from> </identifiers> <auth_results> <spf> <domain>example.prod.jcid.nl</domain> <result>none</result> </spf> </auth_results> </record></feedback>

123

DMARC reportI'm in control

124

DMARC - Tools1. Postmark App

2. Dmarcian

125

Postmark DMARC monitor

126

127

Dmarcian

128

129

Overview DNS records JCIDSPF @ TXT v=spf1 include:spf.jcid.nl include:_spf.google.com include:spf.mandrillapp.com include:_spf.exactonline.nl -all

DKIM google._domainkey TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+w63i8quIsOR09AfNup5pyt/jsSmKo/iQnOkT8EI1LOn6daR1GqR+5... mandrill._domainkey TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8N...

DMARC _dmarc TXT v=DMARC1; p=none; pct=100; rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com; sp=none; aspf=r;

130

How to start your own?4 Deploy SPF & DKIM

4 Publish a DMARC record with the “none” flag set for the policies (monitor mode)

4 Analyze the data and modify your DMARC policy

4 from “none” to “quarantine” to “reject”

131

Any questionsAbout the theory?

132

MXToolbox

133

134

135

136

137

Delivered-To: jeffrey@jcid.nlReceived: by 10.194.157.102 with SMTP id wl6csp186952wjb; Fri, 26 Aug 2016 02:33:43 -0700 (PDT)X-Received: by 10.55.120.195 with SMTP id t186mr2016594qkc.118.1472204023376; Fri, 26 Aug 2016 02:33:43 -0700 (PDT)Return-Path: <martynminnis@gmail.com>Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com. [2607:f8b0:400d:c0d::22a]) by mx.google.com with ESMTPS id u126si7830854qkf.92.2016.08.26.02.33.43 for <jeffrey@jcid.nl> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 26 Aug 2016 02:33:43 -0700 (PDT)Received-SPF: pass (google.com: domain of martynminnis@gmail.com designates 2607:f8b0:400d:c0d::22a as permitted sender) client-ip=2607:f8b0:400d:c0d::22a;Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com; spf=pass (google.com: domain of martynminnis@gmail.com designates 2607:f8b0:400d:c0d::22a as permitted sender) smtp.mailfrom=martynminnis@gmail.com; dmarc=pass (p=NONE dis=NONE) header.from=gmail.comReceived: by mail-qt0-x22a.google.com with SMTP id u25so35076163qtb.1 for <jeffrey@jcid.nl>; Fri, 26 Aug 2016 02:33:43 -0700 (PDT)DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=Kq6G9vieA14XMBGjPWOQiNs68KLd8OmUbmtlbrM4Oqk=; b=w8wBPP18htjzrPTh82kQttpVKLoEbgCTkMuBkhAzwHmOJIrDv4FwXonYO7ERv0fOg9 t2A0Kia+9NISRHS5X8HTUdJz50PE7YMOE0le34QZ320cjbdb1AYcFE4VJ+499XJ9nVEg OodIcjlqtPTUwhnF+RJc8D7O8Rfr3ZhBBB9d7cdCtVxpljB+nNEErbWyRYREHEK0hczd Rf2b1FG2N1iKiXV0DuSF/rjnxHcQAhxRojiYuRkuKPYHADcQezwJVbLPbYjmYNrEaLlD OZeOiov5co25DZs9Lf6HfEQ0qWVgmzt9jDJaBTzzpweWjMpS7L5cDAgfiH4zuXCLt8CZ IZ3A==X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Kq6G9vieA14XMBGjPWOQiNs68KLd8OmUbmtlbrM4Oqk=; b=VnjcGHkQIBznyNC9OhUhs9OJj9qhS8WdQ9zK2dqQiVyZ6/rC28SWeV5XNr1iQT/FNp qyTaunNDplNrVrlnkl+NSxWiGNH10se5nVVbJ7ArSSAkoGRQwo+CfxoIbwU9CVVeNNpL l01B5DFSeom7pL9lUpr7n6trxKg11vUXbIAp/DYbhRTc0LBU4VI8T4w+PBKdnV2Hvzai oRUIrz9f/ykGV4bmpktOAFhKCZoYpL3tKJ65BpV/f9bp/aOFTx0azHUjZ31GtfS7z2Mc DmWdfoLtkcriTnpDPCHxzKrLkS/dyN9hCFSYfyBwe6SgnvUqzKmYRME2jDf5pcGdHtDd dJmw==X-Gm-Message-State: AE9vXwOuiQZPoxCvQafsQevD9jy8ypQcaPZipkQnyeANw4f5dVvaU4jmBXgj1S6YxNvjp9jmDRESpEEq+Qscwg==X-Received: by 10.200.43.105 with SMTP id 38mr2091543qtv.73.1472204022848; Fri, 26 Aug 2016 02:33:42 -0700 (PDT)MIME-Version: 1.0Received: by 10.237.43.163 with HTTP; Fri, 26 Aug 2016 02:33:42 -0700 (PDT)From: Martijn Minnis <martynminnis@gmail.com>Date: Fri, 26 Aug 2016 11:33:42 +0200Message-ID: <CABe801A=t8StMzGqpWcut8uWAbfnopVP63nDi5g+Nq7n0cTz3A@mail.gmail.com>Subject: EmmenPHP - looking for speakersTo: jeffrey@jcid.nlContent-Type: multipart/alternative; boundary=001a113d00a6d1a568053af6359c

138

139

140

Mail tester

141

142

143

The practiceDomains from the audience

144

Thank you!

145

Jeffrey CafferataTwitter handle: @jcid

146

SPF and email forwarding4 SRS: Sender Rewriting Scheme

147

Diff SPF / Sender ID

148

Diff DKIM / Identified Internet MailYahoo’s DomainKeys and Cisco’s Identified Internet Mail

149

Bronnen

150

Google, 9th February 2016 Google Security - Internet-wide efforts to fight email phishing are working. By Elie Bursztein, Gmail anti-abuse research lead and Vijay Eranti, Gmail anti-abuse technical lead

151