2014-10-07. Email security



Similar documents
CipherMail Gateway Quick Setup Guide

Network Services. SMTP, Internet Message Format. Johann Oberleitner SS 2006

Technical Note. FORTIMAIL Configuration For Enterprise Deployment. Rev 2.1

Protect Outbound Mail with DMARC

Spam, Spam and More Spam. Spammers: Cost to send

Collateral Damage. Consequences of Spam and Virus Filtering for the System. Peter Eisentraut 22C3. credativ GmbH.

. Daniel Zappala. CS 460 Computer Networking Brigham Young University

This user guide provides guidelines and recommendations for setting up your business s domain authentication to improve your deliverability rating.

Advanced Settings. Help Documentation

Objective This howto demonstrates and explains the different mechanisms for fending off unwanted spam .

Simple Mail Transfer Protocol

Exim4U. Server Solution For Unix And Linux Systems

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

Anti Spam Best Practices

Libra Esva. Whitepaper. Glossary. How Really Works. Security Virtual Appliance. May, It's So Simple...or Is It?

Mail system components. Electronic Mail MRA MUA MSA MAA. David Byers

How To Block Ndr Spam

How To Protect Your From Spam On A Barracuda Spam And Virus Firewall

What is a Mail Gateway?... 1 Mail Gateway Setup Peering... 3 Domain Forwarding... 4 External Address Verification... 4

MDaemon configuration recommendations for dealing with spam related issues

Comprehensive Filtering. Whitepaper

Mail agents. Introduction to Internet Mail. Message format (2) Authenticating senders

DKIM last chance for mail service? TFMC2 01/2006

COMBATING SPAM. Best Practices OVERVIEW. White Paper. March 2007

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Security. Help Documentation

SPAMfighter SMTP Anti Spam Server

AntiSpam. Administrator Guide and Spam Manager Deployment Guide

Enhanced Spam Defence

Analysis of Spam Filter Methods on SMTP Servers Category: Trends in Anti-Spam Development

An Overview of Spam Blocking Techniques

Understanding SMTP authentication and securing your IBM Lotus Domino 8 server from spam

Antispam Security Best Practices

MDaemon Vs. Microsoft Exchange Server 2013 Standard

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2

FortiMail Filtering Course 221-v2.2 Course Overview

CS 164 Winter 2009 Term Project Writing an SMTP server and an SMTP client (Receiver-SMTP and Sender-SMTP) Due & Demo Date (Friday, March 13th)

Anti-spam filtering techniques

DomainKeys Identified Mail DKIM authenticates senders, message content

AntiSpam QuickStart Guide

Articles Fighting SPAM in Lotus Domino

Internet Technologies Internet Protocols and Services

QMAIL & SMTP: A Secure Application for an Unsecure Protocol. Orr Dunkelman. orrd@vipe.technion.ac.il. January 27, 2004 SMTP and QMAIL Slide 1

Security. Raj Jain. Washington University in St. Louis

Trust in Begins with Authentication

FortiMail Filtering Course 221-v2.0. Course Overview. Course Objectives

Do you need to... Do you need to...

Protect your brand from phishing s by implementing DMARC 1

Eiteasy s Enterprise Filter

Implementing MDaemon as an Security Gateway to Exchange Server

Internet Security [1] VU Engin Kirda

ETH Zürich - Mail Filtering Service

Hosted CanIt. Roaring Penguin Software Inc. 26 April 2011

English Translation of SecurityGateway for Exchange/SMTP Servers

DMARC. How. is Saving . The New Authentication Standard Putting an End to Abuse

Configuration Information

Reputation Metrics Troubleshooter. Share it!

SMTP Servers. Determine if an message should be sent to another machine and automatically send it to that machine using SMTP.

A D M I N I S T R A T O R V 1. 0

Domain Name System (DNS)

Guardian Digital Secure Mail Suite Quick Start Guide

Message-IDs helpful for forensic analysis?

Configuring Security for SMTP Traffic

IronPort Authentication

WEBMAIL USER MANUAL AN INTRODUCTION TO WLINK WEBMAIL. Table of content:

Frequently Asked Questions

one million mails a day: open source software to deal with it Charly Kühnast Municipal Datacenter for the Lower Rhine Area Moers, Germany

eprism Security Appliance 6.0 Release Notes What's New in 6.0

Comprehensive Anti-Spam Service

Marketing: Methods to Block Spam

Migration Project Plan for Cisco Cloud Security

Marketing 201. How a SPAM Filter Works. Craig Stouffer Pinpointe On-Demand cstouffer@pinpointe.com (408) x125

Intercept Anti-Spam Quick Start Guide

Cannot send Autosupport , error message: Unknown User

BITS SECURITY TOOLKIT:

ORF ENTERPRISE EDITION 1. Getting the Most Out of ORF

SMTP Status Codes & SMTP Error Codes Reference

Blackbaud Communication Services Overview of Delivery and FAQs

Migration Quick Reference Guide for Administrators

SpamPanel Level Manual Version 1 Last update: March 21, 2014 SpamPanel

Configuration Network Management Card-2

Mail Avenger. David Mazières New York University

DNS Record Information for the Pushex Exchange server

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

smtplib SMTP protocol client

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

XGENPLUS SECURITY FEATURES...

CS43: Computer Networks . Kevin Webb Swarthmore College September 24, 2015

OCS Training Workshop LAB14. Setup

Instructions Microsoft Outlook Express Page 1

Mail Service Reference

Transcription:

Email security Simple Mail Transfer Protocol First defined in RFC821 (1982), later updated in RFC 2821 (2001) and most recently in RFC5321 (Oct 2008) Communication involves two hosts SMTP Client SMTP Server TCP on port 587 or 25 is used for communication Commands Replies SMTP Client SMTP Server EITF05 - Web Security 1 EITF05 - Web Security 2 Mail User Agent (MUA): email client, provides the user interface Eudora, pine, outlook, kmail,... Mail Submission Agent (MSA) Usually implemented with MTA Mail Transfer Agent (MTA): The software used to transfer emails between servers Implements SMTP Sendmail, Microsoft Exchange Server,... Message Delivery Agent (MDA): The software that delivers received email to the MUA procmail Usually implemented with MTA Originating SMTP system Introduces mail into the Internet, or into another environment Delivery SMTP system Ultimately receives the mail and delivers it to the mail user agent Relay SMTP system Passes on mail from a client to another server Adds trace information in header, nothing more Gateway SMTP system Receives mail from one transport environment, and releases it into another environment Allowed to change information in header (not received header) in order to comply with new environment Can include spam filter to reduce traffic SMTP may or may not be used on both sides MUA MSA MTA MTA MDA MUA MUA MSA MTA MTA MDA MUA EITF05 - Web Security 3 EITF05 - Web Security 4 1

HELO Initiate a mail transaction EHLO Extended HELO MAIL FROM: - Provides sender identification RCPT TO: - Provides recipient identification DATA - Provides message. End of data indicated by. on an empty line VRFY Ask server to verify an address EXPN Ask the server to expand a mailing list QUIT Close transmission channel RSET Reset current transaction HELP Ask server to return help of commands Commands and arguments are not case sensitive VRFY, vrfy, or VrFy can be used However local-part of mailbox can be case sensitive Local-part John.doe@server.com Domain John.doe@server.com may not be same as john.doe@server.com. john.doe@server.com is always same as john.doe@server.com EITF05 - Web Security 5 EITF05 - Web Security 6 4 main categories 2XX Positive Completion reply Action successful, you can start another one 3XX Positive Intermediate reply Command accepted, but you are not done yet 4XX Transient Negative Completion reply Command not accepted, but you are encouraged to try it again. It might work next time 5XX Permanent Negative Completion reply Command not accepted, do not try the same thing again Possible to disable VRFY Can be used by spammers to check for valid email addresses Possible to disable EXPN Can be used to harvest addresses from mailing lists EITF05 - Web Security 7 EITF05 - Web Security 8 2

S: 220 server.com Ready C: EHLO client.com S: 250-server.com greets client.com S: 250-8BITMIME S: 250-SIZE Extensions supported by server S: 250-DSN } S: 250 HELP C: MAIL FROM:<sender@client.com> S: 250 OK C: RCPT TO:<rec1@server.com> S: 250 OK C: RCPT TO:<rec2@server.com> S: 250 OK C: DATA S: 354 Start mail input; end with <CRLF>.<CRLF> C: This is my message C:. S: 250 OK C: QUIT S: 221 server.com Service closing transmission channel Included in DATA part Usually hidden by MUA From: and To: header is provided by sender Can easily be forged Return-path is added by last SMTP server Used for e.g., error messages if mailbox does not exist Derived from the MAIL FROM command Can have several other names (bounce address, return path, envelope from etc) Received: Information added by each involved SMTP server Message-id: An ID for the message which is added by the first SMTP server X-Header: Headers starting with X- are not part of the standard but used for information only X-Mailer identifies the mailing program X-Headers can be added by anti spam software, anti virus software etc EITF05 - Web Security 9 EITF05 - Web Security 10 An MTA must add the header received when it receives/forwards a message Example From HELO/EHLO command From TCP connection MTAs own identity together with ID Received: from mail.sender.com (mail.sender.com [123.45.67.89]) by mail.receiver.com with ESMTP id 31si3889671fkt; Fri, 03 Oct 2008 00:49:45-0700 (PDT) It is easy for anyone to connect to port 25 of a mail server and send an email Commands can be chosen arbitrarily Without additional checks of involved parties emails can easily be forged Headers can be used to track email and (hopefully) find who initiated the email EITF05 - Web Security 11 EITF05 - Web Security 12 3

Return-Path: [fake@anywhere.com] Received: from smtp.server1.com (smtp.server1.com [134.72.98.54]) by smtp.server2.com with ESMTP id 73659812; Fri, 12 Dec 2007 13:46:54-0400 (EDT) Received: from google.com (dklku64.someisp.com [234.56.67.78]) by smtp.server1.com; Fri, 12 Dec 2007 10:45:28-0700 (PDT) Date: Fri, 12 Dec 2007 10:45:28-0700 (PDT) From: cheap products <cheap@gmail.com> To: something@somewhere.org Subject: The best offer only for you Here we can see that the bottom received header stems from a forged email Claims that google.com was the SMTP client while it was in fact someone else (234.56.67.78) IP used in TCP connection cannot be spoofed EITF05 - Web Security 13 DNS entry specifying where to send email Final delivery server Relay Gateway 1. MTA makes DNS query for MX record for recipient s domain name 2. Receives list of servers that can receive the mail 3. MTA tries to establish SMTP connection to MTA given in MX record 4. Each server on the list has a priority number Lower number higher priority EITF05 - Web Security 14 C:\>nslookup -type=mx gmail.com Server: *** Address: *** Non-authoritative answer: gmail.com MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com gmail.com MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com gmail.com MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com gmail.com MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com gmail.com MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com gmail-smtp-in.l.google.com internet address = 74.125.43.27 alt1.gmail-smtp-in.l.google.com internet address = 72.14.213.27 alt2.gmail-smtp-in.l.google.com internet address = 74.125.157.27 alt3.gmail-smtp-in.l.google.com internet address = 74.125.47.27 alt4.gmail-smtp-in.l.google.com internet address = 74.125.91.27 Priority can help with load balancing If there are multiple destinations with the same preference and there is no clear reason to favor one (e.g., by recognition of an easily reached address), then the sender-smtp MUST randomize them to spread the load across multiple mail exchangers for a specific organization. RFC5321 Use lower priority servers as backup servers If server is offline: No backup server: MTA will queue message and retry sending later. MTA has no idea when server is online again With backup server: MTA sends message to backup server. Backup server will (potentially) know when primary server is online again more efficient delivery Backup servers sometimes have worse spam filtering than primary servers EITF05 - Web Security 15 EITF05 - Web Security 16 4

C:\>nslookup -type=mx hotmail.com Server: *** Address: *** Non-authoritative answer: hotmail.com MX preference = 5, mail exchanger = mx2.hotmail.com hotmail.com MX preference = 5, mail exchanger = mx3.hotmail.com hotmail.com MX preference = 5, mail exchanger = mx4.hotmail.com hotmail.com MX preference = 5, mail exchanger = mx1.hotmail.com mx1.hotmail.com internet address = 65.55.92.168 mx1.hotmail.com internet address = 65.55.92.184 mx1.hotmail.com internet address = 65.54.188.72 mx1.hotmail.com internet address = 65.54.188.94 mx1.hotmail.com internet address = 65.54.188.110 mx1.hotmail.com internet address = 65.54.188.126 mx1.hotmail.com internet address = 65.55.37.72 mx1.hotmail.com internet address = 65.55.37.88 mx1.hotmail.com internet address = 65.55.37.104 mx1.hotmail.com internet address = 65.55.37.120 mx1.hotmail.com internet address = 65.55.92.136 mx1.hotmail.com internet address = 65.55.92.152 Anyone can connect to the SMTP server and send messages from anyone, to anyone Will provide anonymity of real sender Typically used by spammers Used to be very common less common now SMTP servers that are not open relays Will deliver messages to its supported domain Will send messages from IP addresses it supports EITF05 - Web Security 17 EITF05 - Web Security 18 DomainKeys Identified Mail, described in RFC4871 Digital signature of message put in message header Certificates are not used Associates a domain name to an email message Verification that domain has not been spoofed Assuming receiver knows that DKIM should be used for that domain Additionally provides integrity protection of message Hash algorithm: SHA-256, (SHA-1) Signature Algorithm: RSA Hashes, signatures and keys represented in base64 DKIM-Signature: v=1; a=rsa-sha256; c=simple/relaxed; d=gmail.com; s=gamma; Version Algorithms used Canonicalization (How message was prepared) Domain Selector h=domainkey-signature:received:received: message-id:date:from:to:subject:mimeversion:content-type; bh=9gicsznlclk7yyh6virgyammrziwssbwqspihc 78RRk=; b=k4ofvphpkaqmvusogvhrrncspk+jeuv9kurzo7a iypvf/6y1n2iiatvlvdzwonzx/w6kxyx6z4ybuk8d qk/vntie7jpy+gquuhfvm0nftmzo1cbgrvo8ddhnx RBB/qWwlV+Z6wxw/mq7lNuJknVprOAaTLws5mwcZ+ AWL8KwHg0= Signed headers Hash of body Signature EITF05 - Web Security 19 EITF05 - Web Security 20 5

SMTP server can check the signature by receiving the public key through DNS Always stored in subdomain _domainkey Selector is subdomain of _domainkey Example: >nslookup -type=txt gamma._domainkey.gmail.com Server: *** Address: *** Non-authoritative answer: gamma._domainkey.gmail.com text = "k=rsa; t=y; p=migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqdihyr3oitoy22zoabrive9m /ime3rqojeasanspg2ythtyv+xtp4xwf5gtjcmhqemos0qyu0fyinqpqogj2t0m fx9znu06rfrbdjiiu9tpx2t+nglwz8qhbilo5by8apjavlyqtlavypsrvsx0b3y zc63t4age2cdqzya+owsmwqidaqab" Sender Policy Framework (originally Sender Permitted From) Background: Many spammers send emails from fake domains Find an open relay somewhere, send message from domain server.com MAIL FROM: john.doe@server.com Idea: Let server.com decide which mail servers that can send mail from server.com A domain can put an entry in the DNS that lists the SMTP servers that are allowed to send mail from the domain Server MTA receiving mail can check DNS record for servers domain If originating client MTA is not allowed to send from given domain, then server MTA can choose to not accept message Can be seen as a backwards MX record MX record tells us where to send a mail going to a specific domain SPF tells us from where we are allowed to send mail from specific domain EITF05 - Web Security 21 EITF05 - Web Security 22 SPF (and/or TXT) record specifies rules all: Any IP matches a: IP match if domain has A record that resolves to sender s IP mx: IP match if domain has MX record that resolves to sender s IP ipv4: IP match if within given interval and qualifiers +: pass?: neutral (default) ~: suspicious -: fail Examples: v=spf1 a mx -all Domain-based Message Authentication, Reporting and Conformance There are issues with both DKIM and SPF: What are the effects? How does client handle bad signatures or IP s? DKIM: Sender does not know if there are emails with bad signatures SPF: Mistake(s) in list of allowed IP addresses? DMARC combines DKIM and SPF with application rules and a feedback system Three components: DKIM SPF Alignment (From header verified against DKIM and SPF domains) v=spf1 a:sub.server.com ipv4:1.2.3.4/24 EITF05 - Web Security 23 EITF05 - Web Security 24 6

DMARC record uses tag=value syntax v: Version, must be DMARC1 p: Policy, one of none, quarantine and reject pct: Percentage (0-100) of messages to which the policy is applied (default 100) rua: URI to send aggregate feedback to ruf: URI to send forensic feedback to adkim: Alignment mode for DKIM, strict or relaxed (default) aspf: Alignment mode for SPF, strict or relaxed (default) sp: Same as p tag but applied to subdomains ri: Report interval for aggregate reports (seconds, default 86400) rf: Format for forensic reports _dmarc.amazon.com v=dmarc1; p=quarantine; pct=100; rua=mailto:dmarc-reports@bounces.amazon.com; ruf=mailto:dmarc-reports@bounces.amazon.com; EITF05 - Web Security 25 About 100 billion spam emails sent per day Several methods used to combat the problem with spam Can be divided into filtering and blocking We will look at DNS Blacklists (DNSBL) Greylisting and nolisting Hashcash Statistical Filters Hybrids EITF05 - Web Security 26 DNS blacklists, also called DNS blocklist Also known as RBL (Realtime Blacklist) A list with IP addresses that are (considered by blacklist provider) used for spamming IP can be identified by e.g., honeypots Server MTA can check if client MTA is on list MTA DNS Is client on blacklist? MTA Easy to use IPs can be checked using DNS queries IP(r).dnsbl.server.com IP(r) is the reverse byte ordering of the IP address to check Some big ones: spamhaus, spamcop Some are more aggressive than other Problem: False positives and false negatives Problem 2: What is a positive and what is a negative Client Server If client is reported in blacklist, server can take appropriate action Can be used as one part in a spam scoring system EITF05 - Web Security 27 EITF05 - Web Security 28 7

Some IPs can be blocked by one blacklist but not with another Example: Check IP 209.237.225.253 >nslookup 253.225.237.209.zen.spamhaus.org Server: *** Address: *** **Server can t find 253.225.237.209.zen.spamhaus.org: NXDOMAIN >nslookup 253.225.237.209.spam.dnsbl.sorbs.net Server: *** Address: *** Non-authoritative answer: Name: 253.225.237.209.spam.dnsbl.sorbs.net Address: 127.0.0.6 Advantages: You can choose the blacklist that suits you Aggressive lists will prevent most spam but also reject some legitimate emails Conservative lists will miss some spam but are less likely to reject legitimate email Message can be rejected before it is actually sent since server can drop connection with client immediately Drawbacks: Same mailserver can be used by both spammers and legitimate users If a mistake puts you on a blacklist, it may be difficult to get off the list EITF05 - Web Security 29 EITF05 - Web Security 30 URI version of DNSBL Targets URLs and IPs in message body Server MTA can check message body for links that are not likely used in normal email, but known to be used in spam Works in the same way as DNSBL URI is checked with DNS Background: Many spam programs do not fully comply with SMTP They might not retry sending an email that was previously rejected Idea: Always reject unrecognized transactions For incoming messages, look at (SMTP Client IP, sender address, receiver address) If not previously used, then save in database and temporarily reject message (Transient Negative Completion reply) If recently used, then accept message Advantages: Easy and not very resource consuming compared to some other methods Can be used before other spam filters to reduce their workload Drawbacks: Email is no longer realtime Relies on legitimate servers implementing the retry EITF05 - Web Security 31 EITF05 - Web Security 32 8

Background: Many spam programs do not fully comply with SMTP Some only try the highest priority server in the MX record A few try the lowest priority server in the MX record only, assuming it is used as backup and does not have good spam filters Idea: Let the server with highest priority be non-existing server.com: 10 dummy.server.com 20 real1.server.com 20 real2.server.com 30 real3.server.com EITF05 - Web Security 33 Pay to send an email, but receive for free Background: Computers and connections are fast, sending many emails is fast and cheap Idea: If it takes 1 microsecond to prepare a message to send, then many messages can be sent in a short time If it takes 1 second to prepare a message, not so many can be sent in reasonable time Idea similar to Key strengthening Slow hash functions used to strengthen password protection Hashcash is asymmetric in the sense that it is expensive to prepare the message but cheap to verify that it was prepared with hashcash EITF05 - Web Security 34 The string is hashed with SHA-1 *ver* is version number (currently 1) *bits* indicates how costly the function is for sender *date* gives current date *resource* is recipients email address *ext* is extensions *rand* is a random number (separates different senders) *counter* is a counter value If the first *bits* bits of hash are zero, then string is added in message header Otherwise, increase counter by 1 and hash again *ver*:*bits*:*date*:*resource*:[*ext*]:*rand*:*counter* X-Hashcash: 1:20:131015:receiver@someserver.com::7239672987:35976 String verified by receiver and saved in database Can only be used once EITF05 - Web Security 35 Advantages Will not block mail from legitimate senders Not costly for receiver Drawbacks Botnets can be used instead of single computer preparing messages Slow computers have more problems than fast ones Embedded devices EITF05 - Web Security 36 9

Background: Some words are more common than others in spam emails Idea: Construct an algorithm that can sort out spams based on the content of the message Bayesian filtering Use training data to teach an algorithm how to separate spam from legitimate emails Let D be the event that a document contains a set of words w 0, w 1, w 2,... Let S be the event that the document is spam and S the event that it is not spam Then Use Bayes law Thus Divide: Take logarithm From training We assume that words occur independently Spam if log-likelihood ratio is larger than some threshold, e.g., 0 EITF05 - Web Security 37 EITF05 - Web Security 38 Some or all of the previous methods can be combined Then passing/failing a test can contribute to a total score for an email If score is higher than threshold then email is considered as spam An open source implementation is SpamAssassin Can be used in MTA, MDA and/or in MUA EITF05 - Web Security 39 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information