Join the fight against email spam!

Why would we do this?
- People waste their time sorting SPAM
- Lost money by phishing emails
  - banks, credit cards, invoices
- No trust in their real message
- Google forces you to do it!
Safer Internet Day, February 9, 2016
Who is sending emails from their applications?

Who is running his own email server?

Who is in charge of the DNS records?

Who recognizes this situation?
My email has not arrived.. Lots of reasons
- The code doesn't send the email
- The server IP address is on the (RBL) blacklist
- The receiving server doesn't trust your IP address
- The content is marked as SPAM
- The email policy is not configured or not optimal

My email has not arrived.. What can we do about it?
- Check the function of the script
- Check the server IP address on the (RBL) blacklist
  - Submit for removal
- Check the email policies [SPF/DKIM]
- Use email service providers
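The RBL check above is a DNS lookup: the IP's octets are reversed and prefixed to the list's zone, and a listed address answers with a 127.0.0.x record while an unlisted one gets NXDOMAIN. The following is an added example (not from the deck) that builds the query name and interprets the answer; the zone rbl.example.net is a placeholder for whichever list you query, and the resolver is injectable so the check runs offline against a constructed listing.

```python
import ipaddress
import socket

# Placeholder DNSBL zone (assumption: the slides do not name a specific list).
DEFAULT_ZONE = "rbl.example.net"


def rbl_query_name(ip, zone=DEFAULT_ZONE):
    """Build the DNSBL lookup name: octets reversed, then the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def rbl_lookup(ip, zone=DEFAULT_ZONE, resolve=socket.gethostbyname):
    """Return the list's answer ("127.0.0.x") if `ip` is listed, else None.

    DNSBLs answer listed IPs with an address in 127.0.0.0/8 and unlisted ones
    with NXDOMAIN (socket.gaierror). `resolve` is injectable for offline use.
    """
    try:
        answer = resolve(rbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    # An answer outside 127.0.0.0/8 is not a listing (some resolvers rewrite
    # NXDOMAIN into an advertising IP); treat it as "not listed".
    if not ipaddress.ip_address(answer).is_loopback:
        return None
    return answer


def is_listed(ip, zone=DEFAULT_ZONE, resolve=socket.gethostbyname):
    return rbl_lookup(ip, zone, resolve) is not None


# Constructed offline stand-in for DNS: one listed documentation address.
FAKE_LISTINGS = {"1.2.0.192.rbl.example.net": "127.0.0.2"}


def fake_resolve(name):
    if name in FAKE_LISTINGS:
        return FAKE_LISTINGS[name]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.7"):
        state = "listed" if is_listed(ip, resolve=fake_resolve) else "not listed"
        print(f"{ip:>15}: {state}")
```

Drop the `resolve=` argument to query a real list from a mail server; the return code (the last octet of 127.0.0.x) tells you which sub-list matched and therefore which removal procedure applies.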
How we did it in the old days
2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= [email protected] H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 [email protected] T="Daily Science Maillinglist: Chameleon" from for [email protected]
05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
2016-04-01 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s
Email service providers

Email authentication
1. SPF
2. DKIM
3. DMARC
SPF
Sender Policy Framework

SPF
- Created in 2003
- Which mail servers are used to send mail from your domain
- Publish an SPF record in your DNS records
- Technical method to prevent sender address forgery

SPF
This technology requires two sides to play together:
1. The domain owner, publishing an SPF record
2. The receiving server, checking for domain SPF records

SPF
If the message comes from an unknown server, it can be considered fake and could be rejected.
SPF record - JCID
Let's look at an example
jcid.nl. TXT "v=spf1 include:spf.jcid.nl include:_spf.google.com include:spf.mandrillapp.com include:_spf.exactonline.nl -all"

SPF record - Emmen PHP
The parts of the SPF record mean the following:
emmenphp.nl. TXT "v=spf1 ip4:37.247.42.172 ~all"
- v=spf1
- a
- 37.247.42.172
- ~all
SPF mechanisms
- Domains define zero or more mechanisms.

SPF mechanisms
all | ip4 | ip6 | a | mx | ptr | exists | include

SPF mechanisms
Mechanisms can be prefixed with one of four qualifiers:
- "+" Pass
- "-" Fail
- "~" SoftFail
- "?" Neutral

SPF mechanisms
The default qualifier is "+", i.e. "Pass".
SPF - The "ip4" & "ip6" mechanism
ip4:<ip4-address>
ip4:<ip4-network>/<prefix-length>
ip6:<ip6-address>
ip6:<ip6-network>/<prefix-length>

SPF - The "ip4" & "ip6" mechanism
"v=spf1 ip4:192.168.0.1/16 -all"
Allow any IP address between 192.168.0.1 and 192.168.255.255.
"v=spf1 ip6:1080::8:800:200C:417A/96 -all"
Allow any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.

SPF - The "a" & "mx" mechanism
a
a/<prefix-length>
a:<domain>
a:<domain>/<prefix-length>
mx
mx/<prefix-length>
mx:<domain>
mx:<domain>/<prefix-length>

SPF - The "include" mechanism
include:<domain>
Example
include:spf.mandrillapp.com

SPF - The "include" mechanism
Exact Online example
ip4:xxx.xxx.xxx.xxx ip4:yyy.yyy.yyy.yyy ip4:zzz.zzz.zzz.zzz
SPF record - The "all" mechanism
emmenphp.nl. TXT "v=spf1 ip4:37.247.42.172 ~all"

SPF -all
Stopping email forgery

SPF stats - All domains
(chart: SPF -all stats, 1 November 2016)

SPF stats - Domains with SPF record
(chart: SPF -all stats, 1 November 2016)

SPF - The "all" mechanism
"v=spf1 mx -all"

SPF - The "all" mechanism
"v=spf1 -all"

SPF - The "all" mechanism
"v=spf1 +all"
SPF results
An SPF record can return any of these results:
1. Pass

2. Fail
3. SoftFail

4. Neutral
5. None

6. PermError
7. TempError
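The mechanism, qualifier and "all" slides above describe an evaluation order: walk the record left to right, the first matching mechanism decides, and its qualifier becomes the result. This added example (not from the deck) implements that walk for ip4/ip6/a/mx/include/all against a constructed DNS table; only the emmenphp.nl record is taken from the slides, every other domain and address is a placeholder, and ptr/exists are deliberately left unimplemented.

```python
import ipaddress

# Constructed DNS view for offline evaluation. Only the emmenphp.nl record is
# from the slides; every other name, address and record is a placeholder.
DNS_SPF = {
    "emmenphp.nl": "v=spf1 ip4:37.247.42.172 ~all",
    "example.org": "v=spf1 mx include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "neutral.example": "v=spf1 ip4:198.51.100.1 ?all",
    "open.example": "v=spf1 +all",
    "lan.example": "v=spf1 ip4:192.168.0.1/16 -all",
    "broken.example": "v=spf1 -extension:foo -all",
}
DNS_A = {"example.org": ["203.0.113.10"], "mx1.example.org": ["203.0.113.25"]}
DNS_MX = {"example.org": ["mx1.example.org"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 caps lookup-causing mechanisms per evaluation


def _ip_in(ip, target, prefix=None):
    """True if `ip` falls inside `target` (address or network), with optional prefix length."""
    spec = f"{target}/{prefix}" if prefix is not None else target
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net


def check_spf(ip, domain, lookups=None):
    """Evaluate `domain`'s SPF record for the connecting address `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    (temperror would come from DNS failures, which a static table cannot
    produce; ptr and exists are not implemented and yield permerror.)
    """
    ip = ipaddress.ip_address(ip)
    lookups = lookups if lookups is not None else [0]  # counter shared with includes
    record = DNS_SPF.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is "+", i.e. Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")  # first colon only, so ip6 arguments survive
        prefix = None
        if "/" in mech:                      # "a/24", "mx/24"
            mech, prefix = mech.split("/", 1)
        if "/" in arg:                       # "ip4:192.0.2.0/24", "a:host/24"
            arg, prefix = arg.rsplit("/", 1)
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _ip_in(ip, arg, prefix)
        elif mech == "a":
            lookups[0] += 1
            matched = any(_ip_in(ip, a, prefix) for a in DNS_A.get(arg or domain, []))
        elif mech == "mx":
            lookups[0] += 1
            hosts = DNS_MX.get(arg or domain, [])
            matched = any(_ip_in(ip, a, prefix) for h in hosts for a in DNS_A.get(h, []))
        elif mech == "include":
            lookups[0] += 1
            # include matches only when the included record itself yields "pass";
            # an included domain without a record is a permanent error.
            sub = check_spf(ip, arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # unknown or unimplemented mechanism
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" present


if __name__ == "__main__":
    for ip, dom in [("37.247.42.172", "emmenphp.nl"), ("203.0.113.99", "emmenphp.nl"),
                    ("192.0.2.77", "example.org"), ("203.0.113.1", "open.example")]:
        print(f"{ip:>15} {dom:<14} -> {check_spf(ip, dom)}")
```

Note how "~all" on the emmenphp.nl record turns an unknown sender into softfail rather than fail, and how "+all" on open.example makes every address pass, which is exactly why the deck pushes towards "-all".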
SPF result
1 - Pass (accept)
Received-SPF: pass (bob.example.org: domain of [email protected] designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; [email protected]; helo=mailout00.controlledmail.com;

SPF result - Receiver
receiver=bob.example.org
the host name of the SPF client

SPF result - Client IP
client_ip=192.0.2.1;
the IP address of the SMTP client

SPF result - Envelope from
envelope-from
the envelope sender mailbox

SPF result - HELO
helo=mailout00.controlledmail.com
the host name given in the HELO or EHLO command
SPF result
2 - Fail (reject)
Received-SPF: fail (bob.example.org: domain of [email protected] does not designate 192.0.2.1 as permitted sender)
3 - SoftFail (accept but marked)
Received-SPF: softfail (bob.example.org: domain of transitioning [email protected] does not designate 192.0.2.1 as permitted sender)

SPF result
4 - Neutral (accept)
Received-SPF: neutral (bob.example.org: 192.0.2.1 is neither permitted nor denied by domain of [email protected])
5 - None (accept)
Received-SPF: none (bob.example.org: domain of [email protected] does not designate permitted sender hosts)

SPF result
6 - PermError (unspecified)
Received-SPF: permerror -extension:foo (bob.example.org: domain of [email protected] uses mechanism not recognized by this client)
7 - TempError (accept or reject)
Received-SPF: temperror (bob.example.org: error in processing during lookup of [email protected]: DNS timeout)
Recap

DKIM
DomainKeys Identified Mail

DKIM
Digital signature
Why DKIM?
DKIM is an important authentication mechanism

DKIM
- Email receivers
  - Phishing emails (banks, credit cards, invoices)
- Email senders
  - No trust in their real message

DKIM
Two proposals took shape in 2005:
1. Yahoo’s DomainKeys
2. Cisco’s Identified Internet Mail

DKIM
Both proposals were based on the use of “Public Key Cryptography”

DKIM
In mid 2005 the IETF (Internet Engineering Task Force) submitted the draft “DomainKeys Identified Mail — DKIM” specification.
How does DKIM work?
1. The author wishes to send an email to a recipient
2. They (their mailing software) calculate a crypto signature
   - that covers the relevant parts of the message, using the Private Key.
3. The signature is placed in the email header
   - and the message is then sent normally by the mail server.
4. At any point in transit the signature can be validated using the Public Key.
5. If any part of the message covered by the signature was manipulated
   - the signature won’t validate and the recipient will be alerted.

How does DKIM work?
- Public Key Cryptography, like SSH
- Private key vs. Public key
- DKIM uses DNS to publish the Public Keys
DKIM header
DKIM-Signature: v=1; a=rsa-sha256; c=simple/relaxed; d=jcid.nl; s=mandrill; t=1399817581; bh=Pl25…dcMqN+E=; h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type; b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=

DKIM header - Version
v=1
This indicates the DKIM version in use.

DKIM header - Algorithm
a=rsa-sha256
The algorithm suite that was used to generate the crypto signature.
The current specification defines two:
- rsa-sha1
- rsa-sha256

DKIM header - Canonicalization
c=simple/relaxed
Note that the c= tag defines two algorithms: the first for the headers, the second for the body.

DKIM header - Domain
d=jcid.nl

DKIM header - Selector
s=mandrill

DKIM header - Selector
txt:mandrill._domainkey.jcid.nl
v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ /J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt 7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfN dynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB

DKIM header - Timestamp
t=1399817581

DKIM header - Body hash
bh=Pl25…dcMqN+E=

DKIM header - Header list
h=Message-ID:Date:Subject:From:...

DKIM header - Data
b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=
- The crypto signature data itself, encoded in Base64 and possibly with whitespace inserted to conform to line length limitations.
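The bh= and c= tags above are the part of DKIM a verifier can check before touching any key material: canonicalize the body as c= says, hash it with the algorithm from a=, and compare with bh=. This added example (not from the deck or from any DKIM library) implements the tag parser and both body canonicalizations from RFC 6376 and checks bh= over a constructed message; the d=, s= and c= values mirror the slide's header, bh= is computed on the signer's side inside the block, and b= is a placeholder because the RSA step over the canonicalized headers is intentionally not shown.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (the tag-list of RFC 6376).

    Whitespace inside values is removed: folded b= and bh= values are Base64
    (whitespace-insensitive) and h= becomes a clean colon-separated list.
    """
    tags = {}
    for item in header_value.split(";"):
        item = item.strip()
        if item:
            tag, _, value = item.partition("=")  # first "=" only; Base64 padding keeps its "="
            tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode):
    """Body canonicalization: "simple" (RFC 6376 3.4.3) or "relaxed" (3.4.4)."""
    body = body.replace("\r\n", "\n")
    if mode == "relaxed":
        # collapse runs of SP/TAB into one SP and drop trailing whitespace on each line
        body = "\n".join(re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\n"))
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization: {mode}")
    body = body.rstrip("\n")  # both modes ignore empty lines at the end of the body
    if not body:
        return "\r\n" if mode == "simple" else ""  # simple: an empty body is one CRLF
    return body.replace("\n", "\r\n") + "\r\n"


def body_hash(body, mode="simple", algorithm="rsa-sha256"):
    """bh= is the Base64 of the a= hash over the canonicalized body."""
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, mode).encode()).digest()).decode()


def verify_body_hash(body, dkim_header_value):
    """First verification step: does the body still match bh=? Only then is it worth
    fetching the selector's public key from DNS and checking b= (not done here)."""
    tags = parse_dkim_signature(dkim_header_value)
    _header_mode, _, body_mode = tags.get("c", "simple/simple").partition("/")
    body_mode = body_mode or "simple"  # "c=relaxed" alone means relaxed headers, simple body
    return body_hash(body, body_mode, tags.get("a", "rsa-sha256")) == tags.get("bh")


# Constructed sample message. The tags mirror the slide's header (d=jcid.nl,
# s=mandrill, c=simple/relaxed); bh= is computed here on the signer's side and
# b= is a placeholder because no private key is involved in this demo.
SAMPLE_BODY = "Hello Emmen PHP,\r\n\r\nSee you on Safer Internet Day.\r\n\r\n\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=simple/relaxed; d=jcid.nl; s=mandrill; t=1399817581; "
    "bh=" + body_hash(SAMPLE_BODY, "relaxed") + "; "
    "h=Message-ID:Date:Subject:From:To; b=PLACEHOLDER"
)

if __name__ == "__main__":
    print("intact body verifies:", verify_body_hash(SAMPLE_BODY, SAMPLE_HEADER))
    edited = SAMPLE_BODY.replace("Safer", "Safest")
    print("edited body verifies:", verify_body_hash(edited, SAMPLE_HEADER))
```

The relaxed mode is what makes signatures survive mail servers that re-wrap whitespace, which is why a wording change breaks the hash while extra spaces do not.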
DKIM results
The possible results for your DKIM test are:
1. Pass
2. Fail
3. None
4. Policy
5. Neutral
6. TempError
7. PermError

DKIM results - Pass
The message was signed, the signature or signatures were acceptable, and the signature(s) passed verification tests.

DKIM results - Fail
The message was signed and the signature or signatures were acceptable, but they failed the verification test(s).

DKIM results - None
The message was not signed.

DKIM results - Policy
The message was signed but the signature or signatures were not acceptable.

DKIM results - Neutral
The message was signed but the signature or signatures contained syntax errors or were not otherwise able to be processed.

DKIM results - TempError
The message could not be verified due to some error that is likely transient in nature, such as a temporary inability to retrieve a public key. A later attempt may produce a final result.

DKIM results - PermError
The message could not be verified due to some error that is unrecoverable, such as a required header field being absent. A later attempt is unlikely to produce a final result.
MoneyBird - SPAM

MoneyBird - Inbox

Cal Evans

Recap
DMARC
Domain-based Message Authentication, Reporting & Conformance

DMARC
- Created in 2007 by PayPal and Yahoo!
- Later Gmail joined

What is DMARC?
Remove the guesswork

What is DMARC?
Report back to the sender
DMARC record - JCID
Let's look at an example
_dmarc TXT "v=DMARC1; p=none; pct=100; rua=mailto:[email protected]; sp=none; aspf=r;"

DMARC record - Version
v=DMARC1
This indicates the DMARC version in use.

DMARC record - Percentage
pct=100
Percentage of messages subjected to filtering

DMARC record - Policy
p=none
Policy for the domain
- none
- quarantine
- reject

DMARC record - Sub-domain Policy
sp=none
Sub-domain policy

DMARC record - Alignment
adkim=s
Alignment mode for DKIM
- r = relaxed (default)
- s = strict mode

DMARC record - Alignment
aspf=r
Alignment mode for SPF
- r = relaxed (default)
- s = strict mode
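The tags above only matter through how a receiver combines them: DMARC passes when SPF or DKIM passes and the authenticated domain is aligned with the From: domain, strictly or relaxed as adkim/aspf say, and otherwise p= (or sp= for sub-domains) decides. This added example (not from the deck) parses the record with its RFC 7489 defaults and evaluates one message; the rua= mailbox is a constructed address, the organizational-domain helper is a stated simplification (last two labels instead of the Public Suffix List), and pct= sampling is noted but not simulated.

```python
def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=none; ...' into a dict, filling in the RFC 7489 defaults."""
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy: {tags['p']}")
    tags.setdefault("sp", tags["p"])   # sub-domain policy defaults to the domain policy
    tags.setdefault("adkim", "r")      # alignment is relaxed unless stated otherwise
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain):
    """Simplification (assumption): the last two labels. Real receivers consult the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(header_from, authenticated_domain, mode):
    """Identifier alignment between the From: domain and the domain that SPF or DKIM
    authenticated: strict ("s") needs an exact match, relaxed ("r") accepts the same
    organizational domain, so a sub-domain passes."""
    if mode == "s":
        return header_from.lower() == authenticated_domain.lower()
    return organizational_domain(header_from) == organizational_domain(authenticated_domain)


def applicable_policy(record, policy_domain, header_from):
    """p= covers the domain that published the record, sp= its sub-domains."""
    return record["p"] if header_from.lower() == policy_domain.lower() else record["sp"]


def dmarc_evaluate(record, policy_domain, header_from, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """One message as a receiver sees it: returns (dmarc_result, disposition).
    DMARC passes when SPF or DKIM passes AND that identifier is aligned."""
    spf_ok = spf_result == "pass" and is_aligned(header_from, spf_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(header_from, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # pct= would sample which failing messages get the policy applied; this demo
    # applies it to all of them, i.e. behaves as pct=100.
    return "fail", applicable_policy(record, policy_domain, header_from)


# The slide's record with a constructed reporting address.
JCID_RECORD = parse_dmarc_record(
    "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.net; sp=none; aspf=r;")

if __name__ == "__main__":
    # The row from the aggregate report later in the deck: a sub-domain in From:,
    # SPF "none", DKIM "fail" -> DMARC fails, but p=none keeps disposition "none".
    print(dmarc_evaluate(JCID_RECORD, "jcid.nl", "example.prod.jcid.nl",
                         "none", "example.prod.jcid.nl", "fail", ""))
```

With p=none the verdict is informational only, which is what makes the monitoring phase safe: failing mail is still delivered, and the failures show up in the aggregate reports instead.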
Recap

DMARC
Aggregate report

DMARC
ZIP file
google.com!jcid.nl!1455062400!1455148799.zip
with XML aggregate report
google.com!jcid.nl!1455062400!1455148799.xml
DMARC report
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>4151131448954607551</report_id>
    <date_range>
      <begin>1455062400</begin>
      <end>1455148799</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>jcid.nl</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>31.3.97.173</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.prod.jcid.nl</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>example.prod.jcid.nl</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>
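Reading these reports by hand stops scaling after the first week, so the practical step is a parser that pulls out each source IP, its count and the evaluated SPF/DKIM verdicts. The following added example (not from the deck, and not Postmark's or Dmarcian's code) does that with the standard library over the slide's own report, embedded inline; the reporter's e-mail address in the sample is a placeholder because the slide does not show it.

```python
import xml.etree.ElementTree as ET

# The aggregate report from the slide (report_id, IP, domains and verdicts as shown
# there), embedded so the parser runs offline. The <email> is a placeholder.
# In practice the XML comes out of the ZIP that Google mails to the rua= address.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>dmarc-reports@example.net</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>4151131448954607551</report_id>
    <date_range><begin>1455062400</begin><end>1455148799</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>jcid.nl</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>31.3.97.173</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.prod.jcid.nl</header_from></identifiers>
    <auth_results><spf><domain>example.prod.jcid.nl</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Flatten a DMARC aggregate (rua) report into plain dicts."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)  # bytes, so the encoding declaration is honoured
    meta = root.find("report_metadata")
    policy = root.find("policy_published")
    report = {
        "org": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "begin": int(meta.findtext("date_range/begin")),
        "end": int(meta.findtext("date_range/end")),
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "records": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        report["records"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),   # aligned DKIM verdict
            "spf": evaluated.findtext("spf"),     # aligned SPF verdict
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_auth": [(d.findtext("domain"), d.findtext("result"))
                          for d in rec.findall("auth_results/dkim")],
            "spf_auth": [(s.findtext("domain"), s.findtext("result"))
                         for s in rec.findall("auth_results/spf")],
        })
    return report


def failing_sources(report):
    """Rows where neither aligned SPF nor aligned DKIM passed: the senders to sort out
    (legitimate but unconfigured, or not yours) before tightening the policy."""
    return [(r["source_ip"], r["header_from"], r["count"])
            for r in report["records"] if r["dkim"] != "pass" and r["spf"] != "pass"]


def summarize(report):
    total = sum(r["count"] for r in report["records"])
    failing = sum(count for _, _, count in failing_sources(report))
    return {"total": total, "failing": failing, "passing": total - failing}


if __name__ == "__main__":
    rpt = parse_aggregate_report(SAMPLE_REPORT)
    print(rpt["org"], rpt["domain"], rpt["policy"], summarize(rpt))
    for ip, header_from, count in failing_sources(rpt):
        print(f"  investigate {ip} sending as {header_from} ({count} message(s))")
```

In this report the single failing row is a host sending as example.prod.jcid.nl with no SPF record for that sub-domain, which is exactly the kind of forgotten sender the monitoring phase is meant to surface before p= moves to quarantine or reject.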
DMARC report
I'm in control

DMARC - Tools
1. Postmark App
2. Dmarcian

Postmark DMARC monitor

Dmarcian
Overview DNS records JCID

SPF    @                    TXT  v=spf1 include:spf.jcid.nl include:_spf.google.com include:spf.mandrillapp.com include:_spf.exactonline.nl -all
DKIM   google._domainkey    TXT  v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+w63i8quIsOR09AfNup5pyt/jsSmKo/iQnOkT8EI1LOn6daR1GqR+5...
       mandrill._domainkey  TXT  v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8N...
DMARC  _dmarc               TXT  v=DMARC1; p=none; pct=100; rua=mailto:[email protected]; sp=none; aspf=r;
How to start your own?
- Deploy SPF & DKIM
- Publish a DMARC record with the “none” flag set for the policies (monitor mode)
- Analyze the data and modify your DMARC policy
  - from “none” to “quarantine” to “reject”

Any questions about the theory?

MXToolbox
Delivered-To: [email protected]: by 10.194.157.102 with SMTP id wl6csp186952wjb; Fri, 26 Aug 2016 02:33:43 -0700 (PDT)
X-Received: by 10.55.120.195 with SMTP id t186mr2016594qkc.118.1472204023376; Fri, 26 Aug 2016 02:33:43 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com. [2607:f8b0:400d:c0d::22a]) by mx.google.com with ESMTPS id u126si7830854qkf.92.2016.08.26.02.33.43 for <[email protected]> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 26 Aug 2016 02:33:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 2607:f8b0:400d:c0d::22a as permitted sender) client-ip=2607:f8b0:400d:c0d::22a;
Authentication-Results: mx.google.com; dkim=pass [email protected]; spf=pass (google.com: domain of [email protected] designates 2607:f8b0:400d:c0d::22a as permitted sender) [email protected]; dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
Received: by mail-qt0-x22a.google.com with SMTP id u25so35076163qtb.1 for <[email protected]>; Fri, 26 Aug 2016 02:33:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=Kq6G9vieA14XMBGjPWOQiNs68KLd8OmUbmtlbrM4Oqk=; b=w8wBPP18htjzrPTh82kQttpVKLoEbgCTkMuBkhAzwHmOJIrDv4FwXonYO7ERv0fOg9 t2A0Kia+9NISRHS5X8HTUdJz50PE7YMOE0le34QZ320cjbdb1AYcFE4VJ+499XJ9nVEg OodIcjlqtPTUwhnF+RJc8D7O8Rfr3ZhBBB9d7cdCtVxpljB+nNEErbWyRYREHEK0hczd Rf2b1FG2N1iKiXV0DuSF/rjnxHcQAhxRojiYuRkuKPYHADcQezwJVbLPbYjmYNrEaLlD OZeOiov5co25DZs9Lf6HfEQ0qWVgmzt9jDJaBTzzpweWjMpS7L5cDAgfiH4zuXCLt8CZ IZ3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Kq6G9vieA14XMBGjPWOQiNs68KLd8OmUbmtlbrM4Oqk=; b=VnjcGHkQIBznyNC9OhUhs9OJj9qhS8WdQ9zK2dqQiVyZ6/rC28SWeV5XNr1iQT/FNp qyTaunNDplNrVrlnkl+NSxWiGNH10se5nVVbJ7ArSSAkoGRQwo+CfxoIbwU9CVVeNNpL l01B5DFSeom7pL9lUpr7n6trxKg11vUXbIAp/DYbhRTc0LBU4VI8T4w+PBKdnV2Hvzai oRUIrz9f/ykGV4bmpktOAFhKCZoYpL3tKJ65BpV/f9bp/aOFTx0azHUjZ31GtfS7z2Mc DmWdfoLtkcriTnpDPCHxzKrLkS/dyN9hCFSYfyBwe6SgnvUqzKmYRME2jDf5pcGdHtDd dJmw==
X-Gm-Message-State: AE9vXwOuiQZPoxCvQafsQevD9jy8ypQcaPZipkQnyeANw4f5dVvaU4jmBXgj1S6YxNvjp9jmDRESpEEq+Qscwg==
X-Received: by 10.200.43.105 with SMTP id 38mr2091543qtv.73.1472204022848; Fri, 26 Aug 2016 02:33:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.237.43.163 with HTTP; Fri, 26 Aug 2016 02:33:42 -0700 (PDT)
From: Martijn Minnis <[email protected]>
Date: Fri, 26 Aug 2016 11:33:42 +0200
Message-ID: <CABe801A=t8StMzGqpWcut8uWAbfnopVP63nDi5g+Nq7n0cTz3A@mail.gmail.com>
Subject: EmmenPHP - looking for speakers
To: [email protected]: multipart/alternative; boundary=001a113d00a6d1a568053af6359c
Mail tester

The practice
Domains from the audience

Thank you!

Jeffrey Cafferata
Twitter handle: @jcid

SPF and email forwarding
- SRS: Sender Rewriting Scheme

Diff SPF / Sender ID

Diff DKIM / Identified Internet Mail
Yahoo’s DomainKeys and Cisco’s Identified Internet Mail

Sources
Google, 9th February 2016, Google Security - Internet-wide efforts to fight email phishing are working. By Elie Bursztein, Gmail anti-abuse research lead, and Vijay Eranti, Gmail anti-abuse technical lead